3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c

Analysis

max time kernel
4294205s
max time network
133s
platform
windows7_x64
resource
win7-20220310-en
submitted
11-03-2022 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe
Size

12.4MB
MD5

8d7bc30e8f1256b3a1a447e6cf8de012
SHA1

26e266cb7f8b5dc4826d487c1e3bbfe78dfdb87b
SHA256

3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c
SHA512

6e44c6f3ee7614fb286daf80d14ab16d28a5aaca6edcc8db4ca421e991cc583189419271fb23860895726bc29211c8ead4b8edae253dfddaf4493139aa71b692

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Mono-Install.exeDecoder.exe

pid process

804 Mono-Install.exe
688 Decoder.exe

pid	process
804	Mono-Install.exe
688	Decoder.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Mono-Install.exe	vmprotect
\Users\Admin\AppData\Local\Temp\Mono-Install.exe	vmprotect
\Users\Admin\AppData\Local\Temp\Mono-Install.exe	vmprotect
\Users\Admin\AppData\Local\Temp\Mono-Install.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe	vmprotect
behavioral1/memory/804-63-0x00000000003C0000-0x000000000079A000-memory.dmp	vmprotect

Loads dropped DLL 4 IoCs

Processes:

3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe

pid	process
1988	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe
1988	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe
1988	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe
1988	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1852 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Mono-Install.exe

description pid process

Token: SeDebugPrivilege 804 Mono-Install.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

pid	process
1852	timeout.exe

description	pid	process
Token: SeDebugPrivilege	804	Mono-Install.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exeMono-Install.execmd.exe

description	pid	process	target process
PID 1988 wrote to memory of 804	1988	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe	Mono-Install.exe
PID 1988 wrote to memory of 804	1988	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe	Mono-Install.exe
PID 1988 wrote to memory of 804	1988	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe	Mono-Install.exe
PID 1988 wrote to memory of 804	1988	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe	Mono-Install.exe
PID 804 wrote to memory of 688	804	Mono-Install.exe	Decoder.exe
PID 804 wrote to memory of 688	804	Mono-Install.exe	Decoder.exe
PID 804 wrote to memory of 688	804	Mono-Install.exe	Decoder.exe
PID 804 wrote to memory of 688	804	Mono-Install.exe	Decoder.exe
PID 804 wrote to memory of 472	804	Mono-Install.exe	cmd.exe
PID 804 wrote to memory of 472	804	Mono-Install.exe	cmd.exe
PID 804 wrote to memory of 472	804	Mono-Install.exe	cmd.exe
PID 472 wrote to memory of 1852	472	cmd.exe	timeout.exe
PID 472 wrote to memory of 1852	472	cmd.exe	timeout.exe
PID 472 wrote to memory of 1852	472	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe
"C:\Users\Admin\AppData\Local\Temp\3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\ProgramData\Decoder.exe
    "C:\ProgramData\Decoder.exe"
    3⤵
    - Executes dropped EXE
    PID:688
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

MD5
1c1818c3b332b2ef045ddb22abf1dbf9

SHA1
6d4bf4c4375465f6c47371ff542e9f9ed5798be6

SHA256
0314a3f57a790247db452c1100695503329e5c81e93859d9126a7d2cd788214c

SHA512
ca8c14d5dde9cc2641b537990ccc1d3754bf51b67c9410f0b0b8e9ef1ea9faa78807626d4d25c9e7d27700e876e389468ee57442e6f9eebfaffd111c045cc030

Download Submit
C:\ProgramData\Decoder.exe

MD5
1c1818c3b332b2ef045ddb22abf1dbf9

SHA1
6d4bf4c4375465f6c47371ff542e9f9ed5798be6

SHA256
0314a3f57a790247db452c1100695503329e5c81e93859d9126a7d2cd788214c

SHA512
ca8c14d5dde9cc2641b537990ccc1d3754bf51b67c9410f0b0b8e9ef1ea9faa78807626d4d25c9e7d27700e876e389468ee57442e6f9eebfaffd111c045cc030

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe

MD5
96ba3f9039a185d138836138659887cb

SHA1
b2de46b3863abc018265824c9089c28edebcc1a5

SHA256
f4b6a78225e9703f17cead70638ad72340c8e1c1b5b59262bac17ed6ebf36b78

SHA512
70bc4a06ec8d4c9e3b1d9d694bc79c3304cbe82b9ed0cb3f904ac0b8e59215cc83768c9506d19bee5d658868c3d111dfc8b160c8cf3d5d1dd6666174ba46ab72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe

MD5
96ba3f9039a185d138836138659887cb

SHA1
b2de46b3863abc018265824c9089c28edebcc1a5

SHA256
f4b6a78225e9703f17cead70638ad72340c8e1c1b5b59262bac17ed6ebf36b78

SHA512
70bc4a06ec8d4c9e3b1d9d694bc79c3304cbe82b9ed0cb3f904ac0b8e59215cc83768c9506d19bee5d658868c3d111dfc8b160c8cf3d5d1dd6666174ba46ab72

Download Submit
\Users\Admin\AppData\Local\Temp\Mono-Install.exe

MD5
96ba3f9039a185d138836138659887cb

SHA1
b2de46b3863abc018265824c9089c28edebcc1a5

SHA256
f4b6a78225e9703f17cead70638ad72340c8e1c1b5b59262bac17ed6ebf36b78

SHA512
70bc4a06ec8d4c9e3b1d9d694bc79c3304cbe82b9ed0cb3f904ac0b8e59215cc83768c9506d19bee5d658868c3d111dfc8b160c8cf3d5d1dd6666174ba46ab72

Download Submit
\Users\Admin\AppData\Local\Temp\Mono-Install.exe

MD5
96ba3f9039a185d138836138659887cb

SHA1
b2de46b3863abc018265824c9089c28edebcc1a5

SHA256
f4b6a78225e9703f17cead70638ad72340c8e1c1b5b59262bac17ed6ebf36b78

SHA512
70bc4a06ec8d4c9e3b1d9d694bc79c3304cbe82b9ed0cb3f904ac0b8e59215cc83768c9506d19bee5d658868c3d111dfc8b160c8cf3d5d1dd6666174ba46ab72

Download Submit
\Users\Admin\AppData\Local\Temp\Mono-Install.exe

MD5
96ba3f9039a185d138836138659887cb

SHA1
b2de46b3863abc018265824c9089c28edebcc1a5

SHA256
f4b6a78225e9703f17cead70638ad72340c8e1c1b5b59262bac17ed6ebf36b78

SHA512
70bc4a06ec8d4c9e3b1d9d694bc79c3304cbe82b9ed0cb3f904ac0b8e59215cc83768c9506d19bee5d658868c3d111dfc8b160c8cf3d5d1dd6666174ba46ab72

Download Submit
\Users\Admin\AppData\Local\Temp\Mono-Install.exe

MD5
96ba3f9039a185d138836138659887cb

SHA1
b2de46b3863abc018265824c9089c28edebcc1a5

SHA256
f4b6a78225e9703f17cead70638ad72340c8e1c1b5b59262bac17ed6ebf36b78

SHA512
70bc4a06ec8d4c9e3b1d9d694bc79c3304cbe82b9ed0cb3f904ac0b8e59215cc83768c9506d19bee5d658868c3d111dfc8b160c8cf3d5d1dd6666174ba46ab72

Download Submit
memory/688-74-0x0000000000A60000-0x0000000000AAA000-memory.dmp

Filesize
296KB

Download
memory/688-73-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/804-62-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/804-67-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/804-69-0x000000001B890000-0x000000001B906000-memory.dmp

Filesize
472KB

Download
memory/804-68-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/804-66-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download
memory/804-63-0x00000000003C0000-0x000000000079A000-memory.dmp

Filesize
3.9MB

Download
memory/1988-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1988-55-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download