Analysis

  • max time kernel
    136s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    28-02-2021 07:08

General

  • Target

    3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

  • Size

    78KB

  • MD5

    b7522739be3b41f898204a82bebbf202

  • SHA1

    350d9490d8839b357882a2777e9dbf51ebcf4006

  • SHA256

    3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

  • SHA512

    e3de9441f58a7c120db5e86962abae6755bff93614d0a674e52ed23324f1f791435d69b1e0552c011388c89c5a6b5e64adbf05f9386bc560faa62daaa9b6e926

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
    "C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfqz9l09.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc609.tmp"
        3⤵
          PID:1804
      • C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
        2⤵
        • Executes dropped EXE
        • Deletes itself
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:1944

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1144-7-0x0000000000600000-0x0000000000601000-memory.dmp

      Filesize

      4KB

    • memory/1740-6-0x0000000000E40000-0x0000000000E41000-memory.dmp

      Filesize

      4KB

    • memory/1740-2-0x00000000766F1000-0x00000000766F3000-memory.dmp

      Filesize

      8KB

    • memory/1944-18-0x0000000002020000-0x0000000002021000-memory.dmp

      Filesize

      4KB

    • memory/1944-19-0x0000000002025000-0x0000000002036000-memory.dmp

      Filesize

      68KB