3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

Analysis

max time kernel
136s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
Size

78KB
MD5

b7522739be3b41f898204a82bebbf202
SHA1

350d9490d8839b357882a2777e9dbf51ebcf4006
SHA256

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd
SHA512

e3de9441f58a7c120db5e86962abae6755bff93614d0a674e52ed23324f1f791435d69b1e0552c011388c89c5a6b5e64adbf05f9386bc560faa62daaa9b6e926

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp426.tmp.exe

pid process

1944 tmp426.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp426.tmp.exe

pid process

1944 tmp426.tmp.exe

pid	process
1944	tmp426.tmp.exe

pid	process
1944	tmp426.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

pid	process
1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp426.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp426.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exetmp426.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
Token: SeDebugPrivilege	1944	tmp426.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exevbc.exe

description	pid	process	target process
PID 1740 wrote to memory of 1144	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 1740 wrote to memory of 1144	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 1740 wrote to memory of 1144	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 1740 wrote to memory of 1144	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 1144 wrote to memory of 1804	1144	vbc.exe	cvtres.exe
PID 1144 wrote to memory of 1804	1144	vbc.exe	cvtres.exe
PID 1144 wrote to memory of 1804	1144	vbc.exe	cvtres.exe
PID 1144 wrote to memory of 1804	1144	vbc.exe	cvtres.exe
PID 1740 wrote to memory of 1944	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp426.tmp.exe
PID 1740 wrote to memory of 1944	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp426.tmp.exe
PID 1740 wrote to memory of 1944	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp426.tmp.exe
PID 1740 wrote to memory of 1944	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp426.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
"C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfqz9l09.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc609.tmp"
3⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES60A.tmp
MD5
3582ad4f638e319a28d40b844987488a

SHA1
75debcfd6986eb12cc63675f1156358696c6d2d9

SHA256
bee2a0c4480504c3f8c63cca91b4b86988e25d23b773d7382a8f3e9b29dc5bb7

SHA512
4c375ee381867790b935534e6b9c97f258a5a96bae701fe92dcd7adf191101aacf0c772fb4122d8924cb3e51bb2f94e17021bba684fc5c4d99411757bf5d19dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfqz9l09.0.vb
MD5
3eb6f8074fad34f3dd6c4911da927ceb

SHA1
07ccb737db3d57a38ad8d05252d8fc80f2ebee4a

SHA256
9bf7512965d0c296e42424f8ce65104df577bf10fbf421e6cc3b19be47283dfe

SHA512
aa8d78a5850dbf67c15d6d718a46887bcdc4c8a547b088125345e8b8e869bb518d0dacc8d1b94133de0fff1bc99a1b2e809bdac3490d5145d7d1b290d8ce7e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfqz9l09.cmdline
MD5
1f5c6de4733688446a153cfb07250e1d

SHA1
6cd45c04e7f9aeb799d85a564ce26e482450ca1d

SHA256
010cfe5b4f2cce6a4a2ccc7a1522290b1be2b88af07e7c685ddded0c1774c9e6

SHA512
214957f19b7b1b34304136cd50aea4058b0c7f294b2aa7e78f4e6d67b36cc99173a7a68f52059f9ac202507b385ae28025823825c35f339f7444b4fb35ad8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
MD5
27606032cb748fcf6241e2f2ba0de043

SHA1
f92c76a6eddaeff379cc369d61a4b47f85d2a104

SHA256
4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9

SHA512
88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
MD5
27606032cb748fcf6241e2f2ba0de043

SHA1
f92c76a6eddaeff379cc369d61a4b47f85d2a104

SHA256
4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9

SHA512
88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc609.tmp
MD5
5e1bb0b5a3d80a2a00b3ce44bff8d7b1

SHA1
6ccd4a1ca5cd8646ac1457694e162beab464e738

SHA256
6044f11237b97d50bb96002b7ace86692809ea08399a00100d558cba42d54566

SHA512
96c22ea6c6d102a5ffc0d9121cce4c0ae53fc0faa9ed0eadf4b44efda31da7ab8aab445e9692ca3597c46e57ec4c88660e777ebf4077a3a434f608e81c1e02f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
MD5
27606032cb748fcf6241e2f2ba0de043

SHA1
f92c76a6eddaeff379cc369d61a4b47f85d2a104

SHA256
4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9

SHA512
88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501

Download Submit
\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
MD5
27606032cb748fcf6241e2f2ba0de043

SHA1
f92c76a6eddaeff379cc369d61a4b47f85d2a104

SHA256
4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9

SHA512
88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501

Download Submit
memory/1144-3-0x0000000000000000-mapping.dmp

Download
memory/1144-7-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1740-6-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1740-2-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1804-9-0x0000000000000000-mapping.dmp

Download
memory/1944-15-0x0000000000000000-mapping.dmp

Download
memory/1944-18-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1944-19-0x0000000002025000-0x0000000002036000-memory.dmp

Filesize
68KB

Download