63c4e17fa9b6d87a9f4b68b854cae50e95f8de2a86929fecb8f34af0d15798e7

General

Target

zergb.exe
Size

808KB
MD5

d3dee81cd147380fc01723cd3acb0cee
SHA1

b26c8f5eca80140a68665447bd2a463feb38cfa5
SHA256

63c4e17fa9b6d87a9f4b68b854cae50e95f8de2a86929fecb8f34af0d15798e7
SHA512

ad500e7070b17275312d58cca71618ef18a94efc9dd34a8933945cd1c09b67485dc22bf26f342bdc0e35449790600193f0b4ebd72c10a2aea37cd67ffad29bb8

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1520 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

zergb.exe

pid process

292 zergb.exe
292 zergb.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

zergb.exe

description pid process target process

PID 292 set thread context of 764 292 zergb.exe zergb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1096 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1620 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

zergb.exe

pid process

292 zergb.exe

pid	process
1520	cmd.exe

pid	process
292	zergb.exe
292	zergb.exe

description	pid	process	target process
PID 292 set thread context of 764	292	zergb.exe	zergb.exe

pid	process
1096	timeout.exe

pid	process
1620	taskkill.exe

pid	process
292	zergb.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

zergb.exezergb.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	292	zergb.exe
Token: SeTakeOwnershipPrivilege	292	zergb.exe
Token: SeRestorePrivilege	292	zergb.exe
Token: SeDebugPrivilege	764	zergb.exe
Token: SeDebugPrivilege	1620	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

zergb.exezergb.execmd.exe

description	pid	process	target process
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 292 wrote to memory of 764	292	zergb.exe	zergb.exe
PID 764 wrote to memory of 1520	764	zergb.exe	cmd.exe
PID 764 wrote to memory of 1520	764	zergb.exe	cmd.exe
PID 764 wrote to memory of 1520	764	zergb.exe	cmd.exe
PID 764 wrote to memory of 1520	764	zergb.exe	cmd.exe
PID 1520 wrote to memory of 796	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 796	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 796	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 796	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1620	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 1620	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 1620	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 1620	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 1096	1520	cmd.exe	timeout.exe
PID 1520 wrote to memory of 1096	1520	cmd.exe	timeout.exe
PID 1520 wrote to memory of 1096	1520	cmd.exe	timeout.exe
PID 1520 wrote to memory of 1096	1520	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\zergb.exe
"C:\Users\Admin\AppData\Local\Temp\zergb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\zergb.exe
"C:\Users\Admin\AppData\Local\Temp\zergb.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp36B2.tmp.bat
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:796

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 764
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
4⤵
- Delays execution with timeout.exe
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
MD5
7a2d5deab61f043394a510f4e2c0866f

SHA1
ca16110c9cf6522cd7bea32895fd0f697442849b

SHA256
75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

SHA512
b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp36B2.tmp.bat
MD5
c9e3e086a4253822b9c90a008d270052

SHA1
b4b06dc1cc3fa3b5125cc47420f7e0e2aa944185

SHA256
d528578e33f628671351a27e853c263b561dfc9b47f5af06c01318c22e0a6303

SHA512
479968bab5903579c68d36f3b5d1e2b3ab685efa8541af08465aeb3ea757e8d7f16481c5a3ef1c46a735b7bc0238eb75929738c872e4a053685628e0e0b019d3

Download Submit
\Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\e34dd831-6d57-4d92-81ec-c008864dca6e\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/292-5-0x0000000001F00000-0x0000000001F16000-memory.dmp

Filesize
88KB

Download
memory/292-0-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/292-3-0x0000000001E80000-0x0000000001EB2000-memory.dmp

Filesize
200KB

Download
memory/292-1-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/764-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/764-8-0x0000000000424006-mapping.dmp

Download
memory/764-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/764-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/764-11-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/796-16-0x0000000000000000-mapping.dmp

Download
memory/1096-18-0x0000000000000000-mapping.dmp

Download
memory/1520-14-0x0000000000000000-mapping.dmp

Download
memory/1620-17-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads