Analysis
-
max time kernel
137s -
max time network
140s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28-01-2021 15:25
Static task
static1
Behavioral task
behavioral1
Sample
gvim.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
gvim.exe
Resource
win10v20201028
General
-
Target
gvim.exe
-
Size
3.6MB
-
MD5
8e8f7ff797c292231959e4dd410a98da
-
SHA1
5fba19ae9f76b445d96dbca71f53113492b09d49
-
SHA256
ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b
-
SHA512
c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
GetX64BTIT.exepid process 1020 GetX64BTIT.exe -
Drops startup file 2 IoCs
Processes:
DllHost.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe DllHost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe DllHost.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 14 api.ipify.org 15 api.ipify.org -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1118 IoCs
Processes:
gvim.exegvim.exepid process 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 984 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe 3960 gvim.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
gvim.exedescription pid process Token: SeSecurityPrivilege 984 gvim.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
gvim.exepid process 3960 gvim.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
gvim.exegvim.exedescription pid process target process PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 984 wrote to memory of 3960 984 gvim.exe gvim.exe PID 3960 wrote to memory of 1020 3960 gvim.exe GetX64BTIT.exe PID 3960 wrote to memory of 1020 3960 gvim.exe GetX64BTIT.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\gvim.exe"C:\Users\Admin\AppData\Local\Temp\gvim.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Users\Admin\AppData\Local\Temp\gvim.exe"C:\Users\Admin\AppData\Local\Temp\gvim.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"3⤵
- Executes dropped EXE
PID:1020
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
PID:2348
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeMD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exeMD5
b4cd27f2b37665f51eb9fe685ec1d373
SHA17f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA25691f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
-
C:\Users\Admin\AppData\Local\Temp\x64btit.txtMD5
fc4747500995e881074f73823f62574a
SHA198228c70d4e935d615807437343e130606479556
SHA25619cab3c6e2105507f20edf2516ec11a2f6d21418bd138ab898282c1d765a9468
SHA51276bef01b67687ac7785e14020996f9c6c968b3e5be5007102f356ccf37203bc7c20bf87c509030011b7224996f1d30f41a63fdb7c8a5810ca1d2f5a69ba76e38
-
memory/984-2-0x0000000002940000-0x00000000029BB000-memory.dmpFilesize
492KB
-
memory/984-6-0x00000000041C0000-0x000000000434E000-memory.dmpFilesize
1.6MB
-
memory/1020-10-0x0000000000000000-mapping.dmp
-
memory/3960-3-0x0000000000000000-mapping.dmp
-
memory/3960-4-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/3960-7-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/3960-9-0x00000000025B0000-0x0000000002659000-memory.dmpFilesize
676KB
-
memory/3960-8-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB