Analysis

  • max time kernel
    141s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-04-2021 07:04

General

  • Target

    Inv_36571_VIC_Pty_Ltd.exe

  • Size

    580KB

  • MD5

    5b1363c3b88bd52a0f4044b51c0791d8

  • SHA1

    3b1b46eb883c1b79e403e12c3157b6423f13af07

  • SHA256

    04b5f5af6b41722e400498a6540445cfcc1c056b328401eb662fb4d29ee02a5d

  • SHA512

    1370e1814663c433cb6c8b69b382e6ac1da1b55ca56aed1b9575d19957b32bd5d2b7835cbf6105e4ec8f2a8acd335dcea0697db123068c7e635b35a087117bd0

Score
8/10

Signatures

  • Executes dropped EXE 8 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inv_36571_VIC_Pty_Ltd.exe
    "C:\Users\Admin\AppData\Local\Temp\Inv_36571_VIC_Pty_Ltd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "chrome" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\opera.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "chrome" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\opera.exe"
        3⤵
        • Adds Run key to start application
        PID:892
    • C:\Users\Admin\AppData\Local\Temp\ptfile.exe
      "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Users\Admin\AppData\Roaming\opera.exe
        "C:\Users\Admin\AppData\Roaming\opera.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Users\Admin\AppData\Local\Temp\ptfile.exe
          "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Users\Admin\AppData\Roaming\opera.exe
            "C:\Users\Admin\AppData\Roaming\opera.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3280
            • C:\Users\Admin\AppData\Local\Temp\ptfile.exe
              "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4664
              • C:\Users\Admin\AppData\Roaming\opera.exe
                "C:\Users\Admin\AppData\Roaming\opera.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:192
                • C:\Users\Admin\AppData\Local\Temp\ptfile.exe
                  "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4728
                  • C:\Users\Admin\AppData\Roaming\opera.exe
                    "C:\Users\Admin\AppData\Roaming\opera.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5032
                    • C:\Users\Admin\AppData\Local\Temp\ptfile.exe
                      "C:\Users\Admin\AppData\Local\Temp\ptfile.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3200

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1
  • Defense Evasion: Modify Registry (T1112), 1
  • Discovery: System Information Discovery (T1082), 1

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\opera.exe.log
    MD5

    ffa47c5de0b2b62b550f6a2c9fdbb476

    SHA1

    c110729f2443f4ac24fa88f1d6eea4b96ba7f630

    SHA256

    1ff5097fb93764c9f820f5747d8e74546e4ff072a0bf029720ad656873a0badc

    SHA512

    92f846c6f0f0b3308b2fae0c882238d1b944992f2e9081bc06ffa1a64bd6576eeced05028f8e1aa7145333edef5dd72ef9a901caf6fcf5db38651c72b1832cd2

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ptfile.exe.log
    MD5

    ffa47c5de0b2b62b550f6a2c9fdbb476

    SHA1

    c110729f2443f4ac24fa88f1d6eea4b96ba7f630

    SHA256

    1ff5097fb93764c9f820f5747d8e74546e4ff072a0bf029720ad656873a0badc

    SHA512

    92f846c6f0f0b3308b2fae0c882238d1b944992f2e9081bc06ffa1a64bd6576eeced05028f8e1aa7145333edef5dd72ef9a901caf6fcf5db38651c72b1832cd2

  • C:\Users\Admin\AppData\Local\Temp\ptfile.exe
    MD5

    5b1363c3b88bd52a0f4044b51c0791d8

    SHA1

    3b1b46eb883c1b79e403e12c3157b6423f13af07

    SHA256

    04b5f5af6b41722e400498a6540445cfcc1c056b328401eb662fb4d29ee02a5d

    SHA512

    1370e1814663c433cb6c8b69b382e6ac1da1b55ca56aed1b9575d19957b32bd5d2b7835cbf6105e4ec8f2a8acd335dcea0697db123068c7e635b35a087117bd0

  • C:\Users\Admin\AppData\Roaming\opera.exe
    MD5

    5b1363c3b88bd52a0f4044b51c0791d8

    SHA1

    3b1b46eb883c1b79e403e12c3157b6423f13af07

    SHA256

    04b5f5af6b41722e400498a6540445cfcc1c056b328401eb662fb4d29ee02a5d

    SHA512

    1370e1814663c433cb6c8b69b382e6ac1da1b55ca56aed1b9575d19957b32bd5d2b7835cbf6105e4ec8f2a8acd335dcea0697db123068c7e635b35a087117bd0
