3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

max time kernel136s
max time network145s
platformwindows7_x64
resourcewin7v20201028
submitted28-02-2021 07:08

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

Filesize

78KB

Completed

28-02-2021 07:10

Score

8^/10

MD5

b7522739be3b41f898204a82bebbf202

SHA1

350d9490d8839b357882a2777e9dbf51ebcf4006

SHA256

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

persistence

Defense Evasion

Discovery

Persistence

Executes dropped EXE
tmp426.tmp.exe

Reported IOCs

pid process

1944 tmp426.tmp.exe
Deletes itself
tmp426.tmp.exe

Reported IOCs

pid process

1944 tmp426.tmp.exe

pid	process
1944	tmp426.tmp.exe

pid	process
1944	tmp426.tmp.exe

Loads dropped DLL

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

Reported IOCs

pid	process
1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

Uses the VBS compiler for execution

TTPs

Scripting

Adds Run key to start application

tmp426.tmp.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp426.tmp.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious use of AdjustPrivilegeToken

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exetmp426.tmp.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
Token: SeDebugPrivilege	1944	tmp426.tmp.exe

Suspicious use of WriteProcessMemory

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exevbc.exe

Reported IOCs

description	pid	process	target process
PID 1740 wrote to memory of 1144	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 1740 wrote to memory of 1144	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 1740 wrote to memory of 1144	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 1740 wrote to memory of 1144	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 1144 wrote to memory of 1804	1144	vbc.exe	cvtres.exe
PID 1144 wrote to memory of 1804	1144	vbc.exe	cvtres.exe
PID 1144 wrote to memory of 1804	1144	vbc.exe	cvtres.exe
PID 1144 wrote to memory of 1804	1144	vbc.exe	cvtres.exe
PID 1740 wrote to memory of 1944	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp426.tmp.exe
PID 1740 wrote to memory of 1944	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp426.tmp.exe
PID 1740 wrote to memory of 1944	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp426.tmp.exe
PID 1740 wrote to memory of 1944	1740	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp426.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

"C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe"

Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfqz9l09.cmdline"

Suspicious use of WriteProcessMemory

PID:1144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc609.tmp"

PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

Executes dropped EXE
Deletes itself
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken

PID:1944

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\RES60A.tmp
MD5
3582ad4f638e319a28d40b844987488a

SHA1
75debcfd6986eb12cc63675f1156358696c6d2d9

SHA256
bee2a0c4480504c3f8c63cca91b4b86988e25d23b773d7382a8f3e9b29dc5bb7

SHA512
4c375ee381867790b935534e6b9c97f258a5a96bae701fe92dcd7adf191101aacf0c772fb4122d8924cb3e51bb2f94e17021bba684fc5c4d99411757bf5d19dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfqz9l09.0.vb
MD5
3eb6f8074fad34f3dd6c4911da927ceb

SHA1
07ccb737db3d57a38ad8d05252d8fc80f2ebee4a

SHA256
9bf7512965d0c296e42424f8ce65104df577bf10fbf421e6cc3b19be47283dfe

SHA512
aa8d78a5850dbf67c15d6d718a46887bcdc4c8a547b088125345e8b8e869bb518d0dacc8d1b94133de0fff1bc99a1b2e809bdac3490d5145d7d1b290d8ce7e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfqz9l09.cmdline
MD5
1f5c6de4733688446a153cfb07250e1d

SHA1
6cd45c04e7f9aeb799d85a564ce26e482450ca1d

SHA256
010cfe5b4f2cce6a4a2ccc7a1522290b1be2b88af07e7c685ddded0c1774c9e6

SHA512
214957f19b7b1b34304136cd50aea4058b0c7f294b2aa7e78f4e6d67b36cc99173a7a68f52059f9ac202507b385ae28025823825c35f339f7444b4fb35ad8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
MD5
27606032cb748fcf6241e2f2ba0de043

SHA1
f92c76a6eddaeff379cc369d61a4b47f85d2a104

SHA256
4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9

SHA512
88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
MD5
27606032cb748fcf6241e2f2ba0de043

SHA1
f92c76a6eddaeff379cc369d61a4b47f85d2a104

SHA256
4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9

SHA512
88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc609.tmp
MD5
5e1bb0b5a3d80a2a00b3ce44bff8d7b1

SHA1
6ccd4a1ca5cd8646ac1457694e162beab464e738

SHA256
6044f11237b97d50bb96002b7ace86692809ea08399a00100d558cba42d54566

SHA512
96c22ea6c6d102a5ffc0d9121cce4c0ae53fc0faa9ed0eadf4b44efda31da7ab8aab445e9692ca3597c46e57ec4c88660e777ebf4077a3a434f608e81c1e02f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
MD5
27606032cb748fcf6241e2f2ba0de043

SHA1
f92c76a6eddaeff379cc369d61a4b47f85d2a104

SHA256
4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9

SHA512
88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501

Download Submit
\Users\Admin\AppData\Local\Temp\tmp426.tmp.exe
MD5
27606032cb748fcf6241e2f2ba0de043

SHA1
f92c76a6eddaeff379cc369d61a4b47f85d2a104

SHA256
4b797807286c89e0ab143265d6fa652bf79721db3fabe82e2422097f5efbf6f9

SHA512
88ff83b9ca1c0ac1d61b29dd65ea3f99f655057addb2495835683f6bae9d51cd7eae7bc6b9ebca64cff4f1a2d86adecb4d141279c265dd3fc04a2dd083de6501

Download Submit
memory/1144-7-0x0000000000600000-0x0000000000601000-memory.dmp

Download
memory/1144-3-0x0000000000000000-mapping.dmp

Download
memory/1740-2-0x00000000766F1000-0x00000000766F3000-memory.dmp

Download
memory/1740-6-0x0000000000E40000-0x0000000000E41000-memory.dmp

Download
memory/1804-9-0x0000000000000000-mapping.dmp

Download
memory/1944-15-0x0000000000000000-mapping.dmp

Download
memory/1944-18-0x0000000002020000-0x0000000002021000-memory.dmp

Download
memory/1944-19-0x0000000002025000-0x0000000002036000-memory.dmp

Download

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

Filter: none

Reported IOCs

Reported IOCs

Reported IOCs

TTPs

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Title