Analysis

max time kernel: 71s
max time network: 69s
platform: windows7_x64
resource: win7-en-20210920
submitted: 14-10-2021 00:29

Static task: static1
Behavioral task: behavioral1
Sample: 1b6cf3ed88453123a5b3c1fda495a0fc.exe
Resource: win7-en-20210920
General

Target: 1b6cf3ed88453123a5b3c1fda495a0fc.exe
Size: 140KB
MD5: 1b6cf3ed88453123a5b3c1fda495a0fc
SHA1: b0fab49496d7566de454d3251966afb2e990ef5f
SHA256: abfe75012e58d50f3721c9ac42b614fd96ae26ea40b120a1dc90a1c46b0b8dad
SHA512: 0f1bdcae3fadccc58612451e1bfbdf1dc8563f561d3ecd7a89a11eda773fb3372b10526b6909261d34471a329d0fd48c3d50701b95c8b0fe6ce4862d5cececcf
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  524   vitrwm.exe

YARA rule match: vmprotect
  resource                                                                      yara_rule
  behavioral1/memory/1520-54-0x0000000000400000-0x0000000000450000-memory.dmp   vmprotect
  C:\Windows\SysWOW64\vitrwm.exe                                                vmprotect
  C:\Windows\SysWOW64\vitrwm.exe                                                vmprotect
The rule fires on both the sample's own in-memory image (pid 1520) and on the dropped vitrwm.exe, so static analysis of either file sees the packer layer rather than the original code; the dynamic signatures below are the more reliable description of what it does.

Drops startup file (1 IoC)
Processes:
  description   ioc                                                                                        process
  File created  C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kyg   1b6cf3ed88453123a5b3c1fda495a0fc.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                              process
  File created                  C:\Windows\SysWOW64\vitrwm.exe   1b6cf3ed88453123a5b3c1fda495a0fc.exe
  File opened for modification  C:\Windows\SysWOW64\vitrwm.exe   1b6cf3ed88453123a5b3c1fda495a0fc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is a generic heuristic: drive enumeration is also done by installers and by malware that only looks for removable media, so on its own it does not establish ransomware, and no file encryption or ransom note is recorded anywhere else in this report.)

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid    process
  1520   1b6cf3ed88453123a5b3c1fda495a0fc.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   1520   1b6cf3ed88453123a5b3c1fda495a0fc.exe
(SeIncBasePriorityPrivilege only lets a process raise its own base priority; it is not an elevation primitive, so this entry is weak evidence by itself.)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid    process                                target process
  PID 1520 wrote to memory of 868   1520   1b6cf3ed88453123a5b3c1fda495a0fc.exe   cmd.exe
  (the same entry is recorded four times)
All four writes go from the parent into the cmd.exe child it has just created, which is typical of the CreateProcess path setting up a new process; there is no write into an unrelated process here, so this is not by itself evidence of code injection.
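The behaviours the signatures above record (a file written to the Startup folder, an executable dropped into SysWOW64 from a user-writable path, the dropped executable then running, and a cmd.exe child deleting the parent's own file by its 8.3 short name) can be checked mechanically over process and file events. The following is an added example written for this page, not sandbox output or code from the sample; the Sysmon-style event dictionaries, their field names and the parent pid 4000 are constructed assumptions modelled on the process tree and signatures in this report, and the 8.3 short-name comparison is a deliberate simplification (the ~N counter is not predictable offline).

```python
import re

# Constructed Sysmon-style events (an assumption for this example, not the
# sandbox's own schema), modelled on the process tree and signatures above.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1520, "ppid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1b6cf3ed88453123a5b3c1fda495a0fc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1b6cf3ed88453123a5b3c1fda495a0fc.exe"'},
    {"type": "FileCreate", "pid": 1520,
     "target": r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kyg"},
    {"type": "FileCreate", "pid": 1520, "target": r"C:\Windows\SysWOW64\vitrwm.exe"},
    {"type": "ProcessCreate", "pid": 868, "ppid": 1520,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1B6CF3~1.EXE > nul'},
    {"type": "ProcessCreate", "pid": 524, "ppid": 4000,
     "image": r"C:\Windows\SysWOW64\vitrwm.exe", "cmdline": r"C:\Windows\SysWOW64\vitrwm.exe"},
]

STARTUP_MARK = "\\start menu\\programs\\startup\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHORT_NAME_RE = re.compile(r"([^~]{1,6})~\d+(?:\.([^.]{0,3}))?")


def same_file(path_a, path_b):
    """True when both paths name the same file, accepting an 8.3 short name on
    either side.  A short name cannot be resolved offline, so it matches when its
    (up to 6-character) stem and 3-character extension are a prefix of the long
    name's; the ~N counter is ignored.  Simplification: characters Windows
    substitutes when building short names (spaces, extra dots) are only stripped."""
    a = path_a.lower().replace("/", "\\").split("\\")
    b = path_b.lower().replace("/", "\\").split("\\")
    if a[:-1] != b[:-1]:
        return False  # different directory
    if a[-1] == b[-1]:
        return True
    short, long_ = (a[-1], b[-1]) if "~" in a[-1] else (b[-1], a[-1])
    m = SHORT_NAME_RE.fullmatch(short)
    if not m:
        return False
    stem, ext = long_.rsplit(".", 1) if "." in long_ else (long_, "")
    stem = stem.replace(" ", "").replace(".", "")
    return stem.startswith(m.group(1)) and ext[:3] == (m.group(2) or "")


def detect(events):
    """Run the four behavioural checks over the events in order and return
    (rule, pid, detail) tuples."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "ProcessCreate"}
    dropped = set()
    findings = []
    for e in events:
        if e["type"] == "FileCreate":
            target = e["target"].lower()
            dropped.add(target)
            if STARTUP_MARK in target:
                findings.append(("startup_folder_drop", e["pid"], e["target"]))
            writer = images.get(e["pid"], "").lower()
            # A binary written into a system directory by a process running from a
            # user profile path is the "Drops file in System32 directory" case.
            if target.startswith(SYSTEM_DIRS) and "\\users\\" in writer:
                findings.append(("system_dir_drop_from_user_path", e["pid"], e["target"]))
        elif e["type"] == "ProcessCreate":
            image = e["image"].lower()
            if image in dropped:
                findings.append(("dropped_exe_executed", e["pid"], e["image"]))
            if image.endswith("\\cmd.exe"):
                # "cmd /c del <parent's own image>" is self-deletion; the target is
                # usually given as an 8.3 short name, hence same_file().
                m = re.search(r"/c\s+del\s+(\S+)", e["cmdline"], re.IGNORECASE)
                parent = images.get(e["ppid"])
                if m and parent and same_file(m.group(1), parent):
                    findings.append(("self_delete_via_cmd", e["ppid"], m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<6} {detail}")
```

Run against the constructed events it reports all four behaviours, attributing the self-delete to the parent (pid 1520) rather than to cmd.exe, which is the process an analyst wants to pivot on. The short-name comparison is what makes the self-delete rule survive the `1B6CF3~1.EXE` spelling; a naive string match against the long path in the process tree would miss it.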
Processes

C:\Users\Admin\AppData\Local\Temp\1b6cf3ed88453123a5b3c1fda495a0fc.exe
  "C:\Users\Admin\AppData\Local\Temp\1b6cf3ed88453123a5b3c1fda495a0fc.exe"
  - Drops startup file
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1B6CF3~1.EXE > nul

C:\Windows\SysWOW64\vitrwm.exe
  C:\Windows\SysWOW64\vitrwm.exe
  - Executes dropped EXE

1B6CF3~1.EXE is the 8.3 short name of the sample's own file in %TEMP%, so the cmd.exe child is a self-delete issued after the sample has dropped vitrwm.exe into SysWOW64 and the kyg file into the Startup folder. The command line names system32\cmd.exe but the image that runs is SysWOW64\cmd.exe because the 32-bit sample is subject to WOW64 file system redirection. vitrwm.exe appears at the top level of the tree with no recorded parent.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\vitrwm.exe (the report lists this file twice with identical hashes; one entry is kept)
MD5: 593583cd26e86d59f79cdb58fc8c81d5
SHA1: 174541f60b0ed4c1026a2deede503e8de1e2f86a
SHA256: 4cfe29d3de0e869bba46d4f95203e228ac0ce00f58617d610fbc8012af090d42
SHA512: 0a431a876b4636d3957ab7133d72f83b522ce8562f6973d34e4e166486d0bc4b61dbdea783eccf7cb181dfdc4b1db3bb17d127f07f729165215d78e6116abf1d
These hashes differ from the submitted sample's, so the dropped vitrwm.exe is not a byte-for-byte copy of the original file; both should be hunted for separately.
Memory dumps

memory/868-59-0x0000000000000000-mapping.dmp
memory/1520-54-0x0000000000400000-0x0000000000450000-memory.dmp   Filesize: 320KB
memory/1520-57-0x0000000075BD1000-0x0000000075BD3000-memory.dmp   Filesize: 8KB

The first region dump of pid 1520 (0x400000-0x450000) is the one the vmprotect YARA rule matched in the Signatures section.
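The dump names above encode the pid, a sequence number and the address range, and the listed file sizes should equal the range lengths. The following is an added example written for this page, not sandbox code: it parses the two name forms seen in this report (`memory/<pid>-<seq>-<start>-<end>-memory.dmp` and `memory/<pid>-<seq>-<base>-mapping.dmp`, both read off the entries above; any other layout is an assumption outside this page) and confirms that the listed sizes are consistent with the ranges, which also settles that the report's KB figures are binary kilobytes.

```python
import re

# Dump names and listed sizes copied from the Downloads section above.
DUMPS = [
    ("memory/868-59-0x0000000000000000-mapping.dmp", None),
    ("memory/1520-54-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/1520-57-0x0000000075BD1000-0x0000000075BD3000-memory.dmp", "8KB"),
]

REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-mapping\.dmp")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, kind and address range.
    'region' dumps carry a start and end; 'mapping' dumps carry only a base."""
    m = REGION_RE.fullmatch(name)
    if m:
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        return {"pid": int(m.group(1)), "seq": int(m.group(2)), "kind": "region",
                "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.fullmatch(name)
    if m:
        return {"pid": int(m.group(1)), "seq": int(m.group(2)), "kind": "mapping",
                "start": int(m.group(3), 16), "end": None, "size": None}
    raise ValueError("unrecognised dump name: " + name)


def parse_size(text):
    """'320KB' -> 327680.  KB/MB are read as binary units: 0x450000 - 0x400000 is
    327680 bytes and the report lists that dump as 320KB, so that is the
    convention the figures follow (a decimal reading would give 320000)."""
    m = re.fullmatch(r"(\d+)\s*(B|KB|MB)", text.strip().upper())
    if not m:
        raise ValueError("unrecognised size: " + text)
    return int(m.group(1)) * UNITS[m.group(2)]


def check_dumps(dumps):
    """For each (name, listed_size) pair return (name, parsed, consistent), where
    consistent is True/False when a size was listed for a region dump and None
    when there is nothing to compare (mapping dumps, or no size listed)."""
    results = []
    for name, listed in dumps:
        info = parse_dump_name(name)
        consistent = None
        if listed is not None and info["size"] is not None:
            consistent = parse_size(listed) == info["size"]
        results.append((name, info, consistent))
    return results


def default_image_base_regions(dumps, base=0x400000):
    """Names of region dumps starting at the classic default image base of a
    32-bit PE (0x400000); such a dump is usually the process's own main module,
    which is the natural first file to open when looking for unpacked code."""
    names = []
    for name, _ in dumps:
        info = parse_dump_name(name)
        if info["kind"] == "region" and info["start"] == base:
            names.append(name)
    return names


if __name__ == "__main__":
    for name, info, ok in check_dumps(DUMPS):
        size = "n/a" if info["size"] is None else f"0x{info['size']:x}"
        print(f"{name}: pid={info['pid']} kind={info['kind']} size={size} consistent={ok}")
    print("main-module candidates:", default_image_base_regions(DUMPS))
```

Both listed sizes check out (0x50000 = 327680 bytes and 0x2000 = 8192 bytes), and the 0x400000 dump is flagged as the main-module candidate, which agrees with the YARA hit on that region in the Signatures section.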