704f63330e41ba5e17d5c0628e755ac3acd41392b43d72ed951900eaf78141cd

Analysis

max time kernel
133s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
21-03-2022 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

300KB
MD5

4f330209cb5f706da6ac858c06f9ef48
SHA1

703aae256afa3bc08683f2332a06d5e11dd147aa
SHA256

704f63330e41ba5e17d5c0628e755ac3acd41392b43d72ed951900eaf78141cd
SHA512

9afcb75544d24690c604f72e83205ec83c5641af45018c91f058ced29224b40cf356125ef3d1663d3891373a35e132ff92903c14009234779c9960f4486f65f6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vtqaxtgmvh.exe

pid process

1712 vtqaxtgmvh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1712	vtqaxtgmvh.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Purchase Order.exevtqaxtgmvh.exe

description	pid	process	target process
PID 1516 wrote to memory of 1712	1516	Purchase Order.exe	vtqaxtgmvh.exe
PID 1516 wrote to memory of 1712	1516	Purchase Order.exe	vtqaxtgmvh.exe
PID 1516 wrote to memory of 1712	1516	Purchase Order.exe	vtqaxtgmvh.exe
PID 1712 wrote to memory of 2056	1712	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1712 wrote to memory of 2056	1712	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1712 wrote to memory of 2056	1712	vtqaxtgmvh.exe	vtqaxtgmvh.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe C:\Users\Admin\AppData\Local\Temp\ewlckyqwr
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe C:\Users\Admin\AppData\Local\Temp\ewlckyqwr
3⤵
PID:2056

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ewlckyqwr
MD5
9ff62fb5ff9cc1db43014d8f97757ea1

SHA1
ed19dd461e40e148b05517ad16a452b5bb343b8c

SHA256
65876004185fce692dd7d8b3fc96709709016da8512620941c7258777a2f290e

SHA512
eba309f68f8343a473a5456d3576f47e9e0b2bca700c7ec708f881a37b271d3b82105986b7e9d3f08a7ecd18815308ed101840e808ad8db4c9e8448d2e12bf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sexe7r9y8uui17i
MD5
9a5a4519770c2494374f8a5822872150

SHA1
5d8967df139a43366f255905d5f399a355446753

SHA256
271c21840a10465c170c72233d38f2f7a5c6ba5a3db33be320a7524c6d85bc56

SHA512
233dba3d3a9922afa3bd7ae2b341d19a6422fa39c6d50387a8b4c28201b773842dc22d2ce26d31f90e7f7278bbe02ce97424b3f6d845ea0ac2463fd95521bf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit