Analysis
max time kernel: 136s
max time network: 145s
platform: windows7_x64
resource: win7v20201028
submitted: 28-02-2021 07:08
Static task: static1
Behavioral task: behavioral1
  Sample: 3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
  Resource: win10v20201028
General
Target: 3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
Size: 78KB
MD5: b7522739be3b41f898204a82bebbf202
SHA1: 350d9490d8839b357882a2777e9dbf51ebcf4006
SHA256: 3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd
SHA512: e3de9441f58a7c120db5e86962abae6755bff93614d0a674e52ed23324f1f791435d69b1e0552c011388c89c5a6b5e64adbf05f9386bc560faa62daaa9b6e926
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  1944  tmp426.tmp.exe

Deletes itself (1 IoCs)
  pid   Process
  1944  tmp426.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                           Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""  tmp426.tmp.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
  Token: SeDebugPrivilege  1944  tmp426.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1740 wrote to memory of 1144  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  26
  PID 1740 wrote to memory of 1144  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  26
  PID 1740 wrote to memory of 1144  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  26
  PID 1740 wrote to memory of 1144  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  26
  PID 1144 wrote to memory of 1804  1144  vbc.exe                                                                 28
  PID 1144 wrote to memory of 1804  1144  vbc.exe                                                                 28
  PID 1144 wrote to memory of 1804  1144  vbc.exe                                                                 28
  PID 1144 wrote to memory of 1804  1144  vbc.exe                                                                 28
  PID 1740 wrote to memory of 1944  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  29
  PID 1740 wrote to memory of 1944  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  29
  PID 1740 wrote to memory of 1944  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  29
  PID 1740 wrote to memory of 1944  1740  3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1740

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfqz9l09.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 1144

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc609.tmp"
      PID: 1804

  C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 1944