Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211104
submitted: 06-12-2021 07:31
Static task: static1
Behavioral task: behavioral1
Sample: f_00011d.exe
Resource: win7-en-20211104
General
Target: f_00011d.exe
Size: 868KB
MD5: 921211c93c0526423bf3449cb33690ea
SHA1: 45eb2f70b41f7e782ff27fe6e419bad0e2f00119
SHA256: d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8
SHA512: 574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  548 vitrwm.exe
  436 vitrwm.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  File created | C:\Windows\SysWOW64\vitrwm.exe | f_00011d.exe
  File opened for modification | C:\Windows\SysWOW64\vitrwm.exe | f_00011d.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  1268 f_00011d.exe (the same pid/process pair is listed 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 1268 | f_00011d.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1268 wrote to memory of 1200 | 1268 | f_00011d.exe | cmd.exe (listed 4 times)
  PID 548 wrote to memory of 436 | 548 | vitrwm.exe | vitrwm.exe (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\f_00011d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f_00011d.exe"
  Signatures:
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\f_00011d.exe > nul
- C:\Windows\SysWOW64\vitrwm.exe (depth 1)
  Command line: C:\Windows\SysWOW64\vitrwm.exe
  Signatures:
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\vitrwm.exe (depth 2)
    Command line: C:\Windows\SysWOW64\vitrwm.exe Cool
    Signatures:
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\vitrwm.exe
  MD5: 921211c93c0526423bf3449cb33690ea
  SHA1: 45eb2f70b41f7e782ff27fe6e419bad0e2f00119
  SHA256: d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8
  SHA512: 574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f
- memory/436-64-0x0000000000000000-mapping.dmp
- memory/1200-63-0x0000000000000000-mapping.dmp
- memory/1268-55-0x0000000076241000-0x0000000076243000-memory.dmp
  Filesize: 8KB
- memory/1268-57-0x000000001001E000-0x0000000010022000-memory.dmp
  Filesize: 16KB
- memory/1268-56-0x0000000010001000-0x000000001001E000-memory.dmp
  Filesize: 116KB