Analysis
max time kernel: 4294205s
max time network: 153s
platform: windows7_x64
resource: win7-20220223-en
submitted: 10-03-2022 17:27

Static task: static1
Behavioral task: behavioral1
  Sample: 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
  Resource: win10v2004-en-20220112
General
Target: 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
Size: 10.5MB
MD5: e1fad5d61bb637beb30aec6d3180ece2
SHA1: 88966028db1eb2a41cec54875486638937a28208
SHA256: 6a2f6da502485750acde45ad22d36d186c335b2f61592c5eae168e9f971ffc70
SHA512: 5c87ab2570983aff67fe5d99dc157e9ebb040ea96a8344da0f1cdf6fdf9701ee014e43c69255773e95ae09d7c45ece9b119928b45c8fb400351ecccf996a56cb
Malware Config
Extracted family: vjw0rm
C2: http://tahoo.linkpc.net:777

Note: linkpc.net is a free dynamic-DNS domain, so the address this hostname resolves to can change between sessions; block and hunt on the hostname and the non-standard port 777 rather than on a resolved IP.
Signatures

Executes dropped EXE (5 IoCs)
  PID   Process
  876   Setup.exe
  1608  conhost.exe
  1404  (process name not captured in the report)
  1280  files.dat
  1096  conhost.exe

Yara rule match: upx (3 IoCs)
  Resource                                   Yara rule
  \Users\Admin\AppData\Roaming\Setup.exe     upx
  C:\Users\Admin\AppData\Roaming\Setup.exe   upx
  C:\Users\Admin\AppData\Roaming\Setup.exe   upx
Drops startup file (4 IoCs)
  Description                    IoC                                                                                           Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest   6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe            conhost.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe            conhost.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe            conhost.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  1568  6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
  1568  6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Description       IoC                                                                                                                                                                      Process
  Key created       \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                conhost.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\FDOV3N4ZZM = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\""   conhost.exe
  Key created       \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                conhost.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\FDOV3N4ZZM = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\""   conhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour", but the extracted config identifies the sample as vjw0rm, a worm family that spreads by copying itself to removable drives, so storage enumeration here is at least as consistent with USB propagation as with file encryption.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. The two IoCs are the schtasks.exe invocations by PIDs 1536 and 668 in the process tree below, each registering a task named "Skype" that runs C:\Users\Admin\AppData\Roaming\conhost.exe every minute.
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID   Process
  1280  files.dat
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID   Process
  1568  6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
  1568  6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  PID   Process
  1568  6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
  1568  6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Each row is "source PID wrote to memory of target PID"; identical rows are grouped with their count.
  Source PID   Source process                                       Target PID   Target process   Count
  1568         6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe    876          Setup.exe        7
  1568         6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe    1608         conhost.exe      5
  876          Setup.exe                                            1448         cmd.exe          4
  1448         cmd.exe                                              1280         files.dat        4
  1608         conhost.exe                                          1536         schtasks.exe     3
  1896         taskeng.exe                                          1096         conhost.exe      4
  1096         conhost.exe                                          668          schtasks.exe     3
Processes
Indentation shows the parent/child relationship; command lines are reproduced exactly as the sandbox recorded them.

C:\Users\Admin\AppData\Local\Temp\6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe  (PID 1568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Setup.exe  (PID 876)
      Command line: C:\Users\Admin\AppData\Roaming\Setup.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe  (PID 1448)
          Command line: "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\files\files.dat  (PID 1280)
              Command line: files.dat -y -pkmsauto
              - Executes dropped EXE
              - Suspicious behavior: CmdExeWriteProcessMemorySpam

    C:\Users\Admin\AppData\Roaming\conhost.exe  (PID 1608)
      Command line: C:\Users\Admin\AppData\Roaming\conhost.exe
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\schtasks.exe  (PID 1536)
          Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\conhost.exe
          - Creates scheduled task(s)

C:\Windows\system32\Dwm.exe  (PID 1072)
  Command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskeng.exe  (PID 1896)
  Command line: taskeng.exe {8DA0E5D4-1AEE-4AE9-9D55-C5007A3412BA} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\conhost.exe  (PID 1096)
      Command line: C:\Users\Admin\AppData\Roaming\conhost.exe
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\schtasks.exe  (PID 668)
          Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\conhost.exe
          - Creates scheduled task(s)

Notes on the tree:
- The dropped payload reuses the name of the legitimate console host (C:\Windows\System32\conhost.exe). A conhost.exe running from %AppData%\Roaming is the simplest host-based indicator in this report.
- The schtasks command line is recorded with an unterminated quote after /tr. That is how the process was launched; tooling that parses command lines should tolerate it rather than drop the event.
- Setup.exe spawns cmd.exe through the C:\Windows\Sysnative alias, which only exists for 32-bit processes on 64-bit Windows (it bypasses file-system redirection to reach the native System32). This indicates Setup.exe runs as a 32-bit process on the windows7_x64 host.
- "files.dat -y -pkmsauto" uses the -y (assume yes) and -p<password> switches common to 7-Zip and WinRAR self-extracting archives, so files.dat is most plausibly a renamed SFX archive protected with the password "kmsauto". This is an inference from the command line; the report does not identify the archive format.
- taskeng.exe is the Windows 7 Task Scheduler engine. Its child conhost.exe (PID 1096) is the "Skype" task firing within the analysis window, and that instance immediately re-registers the same task (PID 668), so the persistence is self-reinforcing.
- Dwm.exe (Desktop Window Manager) is a normal system process; it is listed with no flagged behaviour.
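The Signatures and Processes sections above record three persistence mechanisms (a Startup-folder copy, a Run key, and a scheduled task firing every minute), a payload masquerading as conhost.exe, and execution of a file with a non-executable extension. The following Python is an added example, not part of the sandbox report or of the sample, showing how those observations become detection rules run over Sysmon-style process-create and registry-set events. The event field names, the `Event`/`Alert` types and the sample events are constructed assumptions modelled on this page's IoCs; the last two sample events are benign controls that must not fire.

```python
"""Detection rules for the persistence chain in the report above, run over
constructed Sysmon-style events (added example; not sandbox output). Field
names are an assumption modelled on Sysmon event IDs 1 and 13."""
import ntpath
import re
from dataclasses import dataclass

# Directories where Windows' own conhost.exe, cmd.exe, etc. legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System binary names that droppers like this one reuse for their payloads.
SYSTEM_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "dwm.exe"}
EXEC_EXTS = {".exe", ".com", ".scr"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass
class Event:
    kind: str                 # "process" or "registry"
    image: str = ""           # full path of the acting process image
    cmdline: str = ""
    target_object: str = ""   # registry value path (registry events only)
    details: str = ""         # registry value data (registry events only)


@dataclass
class Alert:
    rule: str
    evidence: str


def _norm(path: str) -> str:
    return path.strip('"').lower()


def tokenize(cmdline: str) -> list:
    """Quote-tolerant splitter. The schtasks line in the report ends in an
    unterminated quote, which shlex.split() rejects; here an unclosed quote
    runs to end of line so a malformed command line cannot crash a rule."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"?|\S+', cmdline)]


def rule_masquerade(ev: Event):
    """A Windows system binary name executing from outside System32/SysWOW64."""
    if ev.kind != "process":
        return None
    img = _norm(ev.image)
    if ntpath.basename(img) in SYSTEM_NAMES and not img.startswith(SYSTEM_DIRS):
        return Alert("system_binary_name_outside_system32", img)
    return None


def rule_schtasks(ev: Event):
    """schtasks /create with a minute-level trigger or a user-writable target."""
    if ev.kind != "process" or ntpath.basename(_norm(ev.image)) != "schtasks.exe":
        return None
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    opts = {low[i]: toks[i + 1] for i in range(len(toks) - 1)
            if low[i] in ("/sc", "/mo", "/tn", "/tr")}
    mo = opts.get("/mo", "1")
    frequent = opts.get("/sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5
    user_target = bool(USER_WRITABLE.match(_norm(opts.get("/tr", ""))))
    if frequent or user_target:
        return Alert("schtasks_persistence",
                     f"tn={opts.get('/tn')} sc={opts.get('/sc')} mo={mo} tr={opts.get('/tr')}")
    return None


def rule_run_key(ev: Event):
    """A Run-key value whose data points into a user-writable directory."""
    if ev.kind != "registry" or not RUN_KEY.search(ev.target_object):
        return None
    target = _norm(ev.details)
    if USER_WRITABLE.match(target):
        return Alert("run_key_to_user_writable_path", f"{ev.target_object} -> {target}")
    return None


def rule_odd_extension(ev: Event):
    """A process whose image lacks an executable extension (e.g. files.dat)."""
    if ev.kind != "process":
        return None
    img = _norm(ev.image)
    if ntpath.splitext(img)[1] not in EXEC_EXTS:
        return Alert("process_image_with_non_executable_extension", img)
    return None


RULES = (rule_masquerade, rule_schtasks, rule_run_key, rule_odd_extension)


def detect(events) -> list:
    return [a for ev in events for a in (r(ev) for r in RULES) if a]


# Constructed events mirroring the report's process tree and Run-key IoCs,
# followed by two benign controls (the real conhost.exe, a daily task).
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Users\Admin\AppData\Roaming\conhost.exe",
          cmdline=r"C:\Users\Admin\AppData\Roaming\conhost.exe"),
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\conhost.exe'),
    Event("process", image=r"C:\Users\Admin\AppData\Roaming\files\files.dat",
          cmdline="files.dat -y -pkmsauto"),
    Event("registry", image=r"C:\Users\Admin\AppData\Roaming\conhost.exe",
          target_object=r"\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\FDOV3N4ZZM",
          details=r'"C:\Users\Admin\AppData\Roaming\conhost.exe"'),
    Event("process", image=r"C:\Windows\System32\conhost.exe",
          cmdline=r"\??\C:\Windows\system32\conhost.exe 0x4"),
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.evidence}")
```

Run as a script, the four malicious events each raise exactly one alert and the two controls raise none. The schtasks rule deliberately keys on the combination "/sc minute" plus a /tr target under a user's AppData rather than on the task name, since "Skype" is an attacker-chosen label that will not survive the next build; the masquerade rule uses the full image path because the name alone is identical to the legitimate binary.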
Network
MITRE ATT&CK Enterprise v6
Downloads
Files dumped during the run, grouped by content hash; a path that was dumped more than once is marked with its count.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  MD5:    637481df32351129e60560d5a5c100b5
  SHA1:   a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae
  SHA256: 1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052
  SHA512: 604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5:    cdcb2cb7f97e872d35848e152c62967c
  SHA1:   39d11d82ba260c04161f953bd3480f1c1bb4498e
  SHA256: c515618b3378a3846c56afdc9e1a1da1bf47e04331c366cc668bbdd18dc82c7b
  SHA512: 7ec27fb2b151a43ab8d00f7a5a045e24470cc741c0aaaba8c2bbac1602d7619251503b13e3d0774c856edb9387d2b963c48e2e5f315c1f1960380af06fe09366

  Note: CryptnetUrlCache holds objects Windows CryptoAPI fetches over HTTP (certificate revocation lists, trust lists and intermediate certificates). These two entries are routine OS activity in sandbox runs and are not useful as indicators for this sample.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe  (dumped 3 times)
\Users\Admin\AppData\Roaming\conhost.exe  (dumped 2 times)
  MD5:    fdbd7b1910d980cf7273796a0119d252
  SHA1:   47029af064a51454662909465ce38ee5cdcc62c7
  SHA256: 3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e
  SHA512: ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170
  The Startup-folder copy and the %AppData%\Roaming copy are byte-identical, so one hash covers both persistence locations.

C:\Users\Admin\AppData\Roaming\conhost.exe.manifest
  MD5:    faa0a1da99c41ae839f47795e88ca4cf
  SHA1:   d7b59374b1dd7ae8ff41e0f475716603fda5c803
  SHA256: 9265c14584cbe0be261acb481af9e204bdfda799b45dab3aa04fe30cd348a663
  SHA512: 6f8c5684e3f6ba63974384cc4d4adb0b8d5ecea2d132e1a2f9ab3030c789508e0faa165d1650708a46c52760b8a603f42ed8d366245430b2a54faf9fd1fd17b2

C:\Users\Admin\AppData\Roaming\Setup.exe  (dumped 2 times)
\Users\Admin\AppData\Roaming\Setup.exe
  MD5:    e4a514f71bc9e329c641beb89343bcac
  SHA1:   99dbb79944b2582e1d903acf3499572b8e9a6b86
  SHA256: f674489ace458373c9c28b60a3afd76f1c4176986d6fb3b51bf0832011c8af4d
  SHA512: 89bebe806976e043d9464074be46c3f8ad7deba3cb20c51eda328f40e9daa84731b9fb83130248c9f69aec50e575a53068233bce77ffc68c1d49736d4dd17c65

C:\Users\Admin\AppData\Roaming\files\files.dat  (dumped 2 times)
  MD5:    55d21b2c272a5d6b9f54fa9ed82bf9eb
  SHA1:   32464cba823cd9b7e94e4fa1a32a8f2344b0f33b
  SHA256: 7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47
  SHA512: 1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Memory dumps
  memory/1096-70-0x0000000000300000-0x0000000000301000-memory.dmp   4KB
  memory/1568-54-0x0000000076771000-0x0000000076773000-memory.dmp   8KB
  memory/1608-64-0x0000000000110000-0x0000000000111000-memory.dmp   4KB