d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8

General

Target

f_00011d.exe
Size

868KB
MD5

921211c93c0526423bf3449cb33690ea
SHA1

45eb2f70b41f7e782ff27fe6e419bad0e2f00119
SHA256

d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8
SHA512

574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

vitrwm.exevitrwm.exe

pid process

548 vitrwm.exe
436 vitrwm.exe
Drops file in System32 directory 2 IoCs

Processes:

f_00011d.exe

description ioc process

File created C:\Windows\SysWOW64\vitrwm.exe f_00011d.exe
File opened for modification C:\Windows\SysWOW64\vitrwm.exe f_00011d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
548	vitrwm.exe
436	vitrwm.exe

description	ioc	process
File created	C:\Windows\SysWOW64\vitrwm.exe	f_00011d.exe
File opened for modification	C:\Windows\SysWOW64\vitrwm.exe	f_00011d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f_00011d.exe

pid	process
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe
1268	f_00011d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f_00011d.exe

description pid process

Token: SeIncBasePriorityPrivilege 1268 f_00011d.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1268	f_00011d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f_00011d.exevitrwm.exe

description	pid	process	target process
PID 1268 wrote to memory of 1200	1268	f_00011d.exe	cmd.exe
PID 1268 wrote to memory of 1200	1268	f_00011d.exe	cmd.exe
PID 1268 wrote to memory of 1200	1268	f_00011d.exe	cmd.exe
PID 1268 wrote to memory of 1200	1268	f_00011d.exe	cmd.exe
PID 548 wrote to memory of 436	548	vitrwm.exe	vitrwm.exe
PID 548 wrote to memory of 436	548	vitrwm.exe	vitrwm.exe
PID 548 wrote to memory of 436	548	vitrwm.exe	vitrwm.exe
PID 548 wrote to memory of 436	548	vitrwm.exe	vitrwm.exe

C:\Users\Admin\AppData\Local\Temp\f_00011d.exe
"C:\Users\Admin\AppData\Local\Temp\f_00011d.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\f_00011d.exe > nul
2⤵
PID:1200

C:\Windows\SysWOW64\vitrwm.exe
C:\Windows\SysWOW64\vitrwm.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\vitrwm.exe
C:\Windows\SysWOW64\vitrwm.exe Cool
2⤵
- Executes dropped EXE
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vitrwm.exe
MD5
921211c93c0526423bf3449cb33690ea

SHA1
45eb2f70b41f7e782ff27fe6e419bad0e2f00119

SHA256
d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8

SHA512
574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f

Download Submit
C:\Windows\SysWOW64\vitrwm.exe
MD5
921211c93c0526423bf3449cb33690ea

SHA1
45eb2f70b41f7e782ff27fe6e419bad0e2f00119

SHA256
d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8

SHA512
574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f

Download Submit
C:\Windows\SysWOW64\vitrwm.exe
MD5
921211c93c0526423bf3449cb33690ea

SHA1
45eb2f70b41f7e782ff27fe6e419bad0e2f00119

SHA256
d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8

SHA512
574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f

Download Submit
memory/436-64-0x0000000000000000-mapping.dmp

Download
memory/1200-63-0x0000000000000000-mapping.dmp

Download
memory/1268-55-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1268-57-0x000000001001E000-0x0000000010022000-memory.dmp

Filesize
16KB

Download
memory/1268-56-0x0000000010001000-0x000000001001E000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing