Analysis

Max time kernel: 101s
Max time network: 102s
Platform: windows7_x64
Resource: win7v200722
Submitted: 26-07-2020 19:23

Static task: static1

Behavioral task: behavioral1
Sample: Random.RANSOM.bin.exe
Resource: win7v200722
Platform: windows7_x64
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Random.RANSOM.bin.exe
Resource: win10
Platform: windows10_x64
0 signatures, 0 seconds
General

Target: Random.RANSOM.bin.exe
Size: 64KB
MD5: bc234901a4e7dd764b97105a4f6840b9
SHA1: 9930e609f8a0b4c999e52799f6267e86b66f7188
SHA256: d2178841fa9e74c19c7d19da870c5beb0dd30cb36b70dd6a2e3488416cab9980
SHA512: 9285bbd6e19fd4488a371e54b9bd460207cc29670ada23dc445a352c912edf78536196398bbc49fada73ef2884eb5125dad928ac1a96ba64a46c80904ecf0a4c
Score: 8/10
Malware Config

Signatures

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                      | pid | process               | target process
  PID 604 wrote to memory of 1508  | 604 | Random.RANSOM.bin.exe | svchost.exe
  PID 604 wrote to memory of 1508  | 604 | Random.RANSOM.bin.exe | svchost.exe
  PID 604 wrote to memory of 1508  | 604 | Random.RANSOM.bin.exe | svchost.exe

- Executes dropped EXE (1 IoC)
  Processes:
  pid  | process
  1508 | svchost.exe

- Deletes itself (1 IoC)
  Processes:
  pid  | process
  1508 | svchost.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                | pid  | process
  Token: SeShutdownPrivilege | 1508 | svchost.exe
  Token: SeDebugPrivilege    | 1508 | svchost.exe
  Token: SeDebugPrivilege    | 1508 | svchost.exe

- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description  | ioc                                         | process
  File created | C:\Users\Admin\Pictures\GetUpdate.png.RANDOM | svchost.exe
  File created | C:\Users\Admin\Pictures\HideEdit.png.RANDOM  | svchost.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Random.RANSOM.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Random.RANSOM.bin.exe"
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\Appdata\svchost.exe (child of Random.RANSOM.bin.exe)
    Command line: "C:\Users\Admin\Appdata\svchost.exe"
    - Executes dropped EXE
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    - Modifies extensions of user files