Analysis
- max time kernel: 136s
- max time network: 145s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 28-02-2021 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: 3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
- Resource: win10v20201028
General
- Target: 3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
- Size: 78KB
- MD5: b7522739be3b41f898204a82bebbf202
- SHA1: 350d9490d8839b357882a2777e9dbf51ebcf4006
- SHA256: 3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd
- SHA512: e3de9441f58a7c120db5e86962abae6755bff93614d0a674e52ed23324f1f791435d69b1e0552c011388c89c5a6b5e64adbf05f9386bc560faa62daaa9b6e926
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1944  tmp426.tmp.exe
- Deletes itself (1 IoCs)
  Processes (pid, process):
  1944  tmp426.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""  tmp426.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
  Token: SeDebugPrivilege  1944  tmp426.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1740 wrote to memory of 1144  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  vbc.exe
  PID 1740 wrote to memory of 1144  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  vbc.exe
  PID 1740 wrote to memory of 1144  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  vbc.exe
  PID 1740 wrote to memory of 1144  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  vbc.exe
  PID 1144 wrote to memory of 1804  1144  vbc.exe  cvtres.exe
  PID 1144 wrote to memory of 1804  1144  vbc.exe  cvtres.exe
  PID 1144 wrote to memory of 1804  1144  vbc.exe  cvtres.exe
  PID 1144 wrote to memory of 1804  1144  vbc.exe  cvtres.exe
  PID 1740 wrote to memory of 1944  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  tmp426.tmp.exe
  PID 1740 wrote to memory of 1944  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  tmp426.tmp.exe
  PID 1740 wrote to memory of 1944  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  tmp426.tmp.exe
  PID 1740 wrote to memory of 1944  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  tmp426.tmp.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfqz9l09.cmdline"
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc609.tmp"
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES60A.tmp
  MD5: 3582ad4f638e319a28d40b844987488a
  SHA1: 75debcfd6986eb12cc63675f1156358696c6d2d9
  SHA256: bee2a0c4480504c3f8c63cca91b4b86988e25d23b773d7382a8f3e9b29dc5bb7
  SHA512: 4c375ee381867790b935534e6b9c97f258a5a96bae701fe92dcd7adf191101aacf0c772fb4122d8924cb3e51bb2f94e17021bba684fc5c4d99411757bf5d19dd
- C:\Users\Admin\AppData\Local\Temp\rfqz9l09.0.vb
  MD5: 3eb6f8074fad34f3dd6c4911da927ceb
  SHA1: 07ccb737db3d57a38ad8d05252d8fc80f2ebee4a
  SHA256: 9bf7512965d0c296e42424f8ce65104df577bf10fbf421e6cc3b19be47283dfe
  SHA512: aa8d78a5850dbf67c15d6d718a46887bcdc4c8a547b088125345e8b8e869bb518d0dacc8d1b94133de0fff1bc99a1b2e809bdac3490d5145d7d1b290d8ce7e6e
- C:\Users\Admin\AppData\Local\Temp\rfqz9l09.cmdline
  MD5: 1f5c6de4733688446a153cfb07250e1d
  SHA1: 6cd45c04e7f9aeb799d85a564ce26e482450ca1d
  SHA256: 010cfe5b4f2cce6a4a2ccc7a1522290b1be2b88af07e7c685ddded0c1774c9e6
  SHA512: 214957f19b7b1b34304136cd50aea4058b0c7f294b2aa7e78f4e6d67b36cc99173a7a68f52059f9ac202507b385ae28025823825c35f339f7444b4fb35ad8f01
- C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
  MD5: 27606032cb748fcf6241e2f2ba0de043
  SHA1: f92c76a6eddaeff379cc369d61a4b47f85d2a104
  SHA256: 4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9
  SHA512: 88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501
- C:\Users\Admin\AppData\Local\Temp\vbc609.tmp
  MD5: 5e1bb0b5a3d80a2a00b3ce44bff8d7b1
  SHA1: 6ccd4a1ca5cd8646ac1457694e162beab464e738
  SHA256: 6044f11237b97d50bb96002b7ace86692809ea08399a00100d558cba42d54566
  SHA512: 96c22ea6c6d102a5ffc0d9121cce4c0ae53fc0faa9ed0eadf4b44efda31da7ab8aab445e9692ca3597c46e57ec4c88660e777ebf4077a3a434f608e81c1e02f5
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
- \Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
  MD5: 27606032cb748fcf6241e2f2ba0de043
  SHA1: f92c76a6eddaeff379cc369d61a4b47f85d2a104
  SHA256: 4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9
  SHA512: 88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501
- memory/1144-3-0x0000000000000000-mapping.dmp
- memory/1144-7-0x0000000000600000-0x0000000000601000-memory.dmp (Filesize: 4KB)
- memory/1740-6-0x0000000000E40000-0x0000000000E41000-memory.dmp (Filesize: 4KB)
- memory/1740-2-0x00000000766F1000-0x00000000766F3000-memory.dmp (Filesize: 8KB)
- memory/1804-9-0x0000000000000000-mapping.dmp
- memory/1944-15-0x0000000000000000-mapping.dmp
- memory/1944-18-0x0000000002020000-0x0000000002021000-memory.dmp (Filesize: 4KB)
- memory/1944-19-0x0000000002025000-0x0000000002036000-memory.dmp (Filesize: 68KB)