5a85da5761a839d5e5083680501dced7db02a7454cc925ad96b144dd9a44b83d

Analysis

max time kernel
1665s
max time network
1580s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BinPlay Installer.cmd
Size

774KB
MD5

f8e2bb2f81ab4fde7dee61fc59e2abd3
SHA1

807c3affb9d3102a428785f010ce3a89fa00143e
SHA256

5a85da5761a839d5e5083680501dced7db02a7454cc925ad96b144dd9a44b83d
SHA512

205c32709a35f2473985fecd1faacede3b1f505cd9ce17f83cb49809432284a9313881a3130bd24010561b83dd60028a4c8b69baab27212b1385dce9c145625a
SSDEEP

12288:rR+wYklxNE6E1bGQ7D0RYdVOGBayLjG3vub2jYvrOQ:rR+wYs81bJB5CCrH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
5076	Setup.exe
2864	BinPlay.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4588	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 4772	672	cmd.exe	87
PID 672 wrote to memory of 4772	672	cmd.exe	87
PID 672 wrote to memory of 4980	672	cmd.exe	95
PID 672 wrote to memory of 4980	672	cmd.exe	95
PID 672 wrote to memory of 5076	672	cmd.exe	96
PID 672 wrote to memory of 5076	672	cmd.exe	96
PID 672 wrote to memory of 3740	672	cmd.exe	97
PID 672 wrote to memory of 3740	672	cmd.exe	97
PID 2864 wrote to memory of 4508	2864	BinPlay.exe	104
PID 2864 wrote to memory of 4508	2864	BinPlay.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BinPlay Installer.cmd"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\system32\certutil.exe
  certutil -decode "lnk.bin" "BinPlay Music.lnk"
  2⤵
  PID:4772
- C:\Windows\system32\certutil.exe
  certutil -decode "Installer.tmp" "Setup.exe"
  2⤵
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Setup.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
  2⤵
  PID:3740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5044

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Music\FormatShow.css
1⤵
- Opens file in notepad (likely ransom note)
PID:4588

C:\Users\Admin\Music\BinPlay.exe
"C:\Users\Admin\Music\BinPlay.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C479.tmp\C47A.tmp\C47B.bat C:\Users\Admin\Music\BinPlay.exe"
  2⤵
  PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BinPlay Music.lnk

Filesize
712B

MD5
a437942dcfa66a56b371bf9771f69ce8

SHA1
4fa37ab639bd89944c0d11ed645b8c501a483aad

SHA256
653a9abff7a00fe7a0fa61a79918ebdc44204081165c2d0a826abbc53a5c37b8

SHA512
aa9bbe918eca91f3bc985fe71fb29d581eeb75e73ac0f9c271d3bc1570513c9c983b9bb4540cbbe2f8bc48b8b32c71c2c17b198e41f47102a84eaa6214b64396

Download Submit
C:\Users\Admin\AppData\Local\Temp\BinPlay.exe

Filesize
96KB

MD5
54e15e75cdd04824e524931be1638aec

SHA1
87eb0d1823c94a20e7710887d6d335e27ae06f6f

SHA256
a3f709fb02b11c9620b035f566cccac72523454ca8e6718dfa54fca8113d7d8f

SHA512
f50fe207c6dcbcf98fb4aec073cf06408e6830002541a21c228936622b3ce576ffd4ff238be42f5f0784136eee477ca89f2c2cfbf743522692f47775e95af0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C479.tmp\C47A.tmp\C47B.bat

Filesize
7KB

MD5
0909cf47b1708a3d5f8422a234f4e167

SHA1
586237bfd2500c0b0c5c3939f99fc906eec11d93

SHA256
f071713aab869bfb12ac36f5607bd9f0c33c12f48c7ec4d667d3a97c97e39dbd

SHA512
21dad6fb13c1d8dd419b2ce79c3ad66e5d68bb7b678717f3928709d25561de05a87b1c7188ecd0b19080f40f866ea0854757b37f4e2b9198c57097021a0e9a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.tmp

Filesize
4KB

MD5
b0998dba662b271a0b73d6e435b6fb4d

SHA1
88e79e0935289799492ffbc0465c675b8b2a1905

SHA256
65da1fef7653fa802f2b21ab764497fe51476ae0070ab97a39b687739d0c4828

SHA512
6e88a532f99708db290619e74c84830cec78e115ece7d2ffab26855e8c95aa1e1e161be1b898b09c231ea96e0262451d4226ec5bd6cf89d25fcc23c014f2633f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.tmp

Filesize
592KB

MD5
3deab8b6421a45e5a24649378ebe3b05

SHA1
5b977053555c60d359b3a7f1ec0151ef28b8f295

SHA256
e6bea364658e16da08befcda1ed8f101cd26d94d18e1e95276f16491e7b2d7dd

SHA512
44a61eb5e3e610b78a876f75e75c13d477e66ecb25f27c711f159ea76e5a31a12c1f41fed77d0bc9cc3526fa0a4fb10d1cd9521a9759c9b20facbc6ea0a7aa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
431KB

MD5
f2f7bb44a2dc197ea6caa370d0e176da

SHA1
76fcf1644c28419288429efd74f21bc3a7fd5c29

SHA256
6147c5fc7c7f40bb29f6a495cc14f4c215b5d41fd0797c95d5d4015ff56ea5be

SHA512
177d9115e83e2bd020a5a72adbaab55639e49dfa22e8c3f6bcb9a56293512f221edd3143cacb568bae73b3138fdf6cabe5d3861b0505750fc9ae459dfb0b2770

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
431KB

MD5
f2f7bb44a2dc197ea6caa370d0e176da

SHA1
76fcf1644c28419288429efd74f21bc3a7fd5c29

SHA256
6147c5fc7c7f40bb29f6a495cc14f4c215b5d41fd0797c95d5d4015ff56ea5be

SHA512
177d9115e83e2bd020a5a72adbaab55639e49dfa22e8c3f6bcb9a56293512f221edd3143cacb568bae73b3138fdf6cabe5d3861b0505750fc9ae459dfb0b2770

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnk.bin

Filesize
1KB

MD5
cd8e94ebb686082d623a54d8ae1fba6d

SHA1
076ed50dd5280d8c7e29b37a0fd9956a1b0f9bc0

SHA256
10b1a75e1a3885e41156dd10004be7601b3c01a10823449bd4c31da840467be2

SHA512
5dd27c7d781b4c92c12b3e76b39856debed4b5006c40a624f597ce422f85d11d247ce96fd6344edcdb030102e898de35596542b748a472b314eeac2d50dfb6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnk.bin

Filesize
1KB

MD5
cd8e94ebb686082d623a54d8ae1fba6d

SHA1
076ed50dd5280d8c7e29b37a0fd9956a1b0f9bc0

SHA256
10b1a75e1a3885e41156dd10004be7601b3c01a10823449bd4c31da840467be2

SHA512
5dd27c7d781b4c92c12b3e76b39856debed4b5006c40a624f597ce422f85d11d247ce96fd6344edcdb030102e898de35596542b748a472b314eeac2d50dfb6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
49B

MD5
2e0479cd7005482296f660a5c23e3040

SHA1
50d7d34275d2fc6accd12cb6ef67dacd6588d9ef

SHA256
799498c1bd6b3f908ac27ea0a4d6f291aebdc2dd1bd577b08ad753f1111ed6f7

SHA512
ef51dd0b3d810cb4221f2062d1a74b0e4c62ebcbe5e603e877a3c7c5d5b6ba5dc66679ddfcff2378379461f2088f2c53cd8c5b5a39ddaa75335ba401987fd6c3

Download Submit
C:\Users\Admin\Music\BinPlay.exe

Filesize
96KB

MD5
54e15e75cdd04824e524931be1638aec

SHA1
87eb0d1823c94a20e7710887d6d335e27ae06f6f

SHA256
a3f709fb02b11c9620b035f566cccac72523454ca8e6718dfa54fca8113d7d8f

SHA512
f50fe207c6dcbcf98fb4aec073cf06408e6830002541a21c228936622b3ce576ffd4ff238be42f5f0784136eee477ca89f2c2cfbf743522692f47775e95af0dd

Download Submit