0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8

General

Target

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe
Size

125KB
MD5

1672081c9a9a80b4f2f31e311958fa2c
SHA1

def154edfe4cb8465677ed3fd9fffe506a307caf
SHA256

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8
SHA512

ca292e87ec1b297e0e9bf5f8f270e67a13e20b78c0784fc80da421ba039a89104fe7792bc771acd024f48381979688febeffe65cfbbd1e19b52df768b04a50ca

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

igfxTy.exe

pid process

2072 igfxTy.exe

pid	process
2072	igfxTy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe

Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igfxTry.exe vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igfxTry.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exeigfxTy.exe

description	pid	process
Token: SeDebugPrivilege	1268	0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe
Token: SeDebugPrivilege	2072	igfxTy.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exeigfxTy.exevbc.exe

description	pid	process	target process
PID 1268 wrote to memory of 2072	1268	0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe	igfxTy.exe
PID 1268 wrote to memory of 2072	1268	0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe	igfxTy.exe
PID 2072 wrote to memory of 3548	2072	igfxTy.exe	vbc.exe
PID 2072 wrote to memory of 3548	2072	igfxTy.exe	vbc.exe
PID 3548 wrote to memory of 3112	3548	vbc.exe	cvtres.exe
PID 3548 wrote to memory of 3112	3548	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe
"C:\Users\Admin\AppData\Local\Temp\0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Roaming\igfxTy.exe
"C:\Users\Admin\AppData\Roaming\igfxTy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ook35q2j\ook35q2j.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B36169BE62D4B739DD7C36AB7EBB361.TMP"
4⤵
PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5F98.tmp
Filesize
1KB

MD5
adba8068f0845acf0014d0d3168ee88a

SHA1
571722b975773acb6e9717970fea3f00ba2b2df8

SHA256
a91e1fffe36f5c9b2a7debf531150e9ea129783a30b0e351087de567e45ad2f7

SHA512
ca6a4658d2c024bfd97743412aa56fff78d37b2444858d01f29e778dbe2ba4ffd09701767d9f701a74a8f472141e950fc226d14f2a1111f7f5bc4f2d8543d6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ook35q2j\ook35q2j.0.vb
Filesize
150B

MD5
de1cb7931f167cba871c26b1b87cfc57

SHA1
d0b314bb3c956581507b9e77e5ba79ce1a66f83b

SHA256
45210f7fb5d10fc4f290fb955c01155b5f06afd25032ac659441ecfc77eaaa63

SHA512
9b0701087661f8e1873a57f06b7b730331439b4ff8e5aa71023e41fec2642b766b27c703ebdaafd268963e4c1f0a832989bad9f5e14e7f38acd5ed4a8bb4e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\ook35q2j\ook35q2j.cmdline
Filesize
204B

MD5
c328b75cd35fa47813874b4fa347bc8c

SHA1
ed55e1d3b6cb1869475718b990bd67e61e22e040

SHA256
c6e5adf6f131c955c5d5abd8efa80276f8ad0320713098c52d8e3ffd3be3f89e

SHA512
57a5d3fe6ae3522b5da97ba5fb6cfaf7de4dac6e7ab7ce31814841ffdd8fcc91a07afce7eb667539f9d72eadc41d3da5f7d9b37b7da820a502e1e0615c88e178

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2B36169BE62D4B739DD7C36AB7EBB361.TMP
Filesize
1KB

MD5
04602bf0a81f601887f55a9fabcfb1bf

SHA1
bb2dd4f4f6f5e8e9fafac6ad6a030c89bdc80817

SHA256
6725a8648301a9a9a40eda6b7ce2bdbaa908117bebe3f847792a76eaea15c334

SHA512
fdf211ac6a7830a6f067e387ad0ec382ae30d4cff09322365a26236654678b57317cf96beb2037f45886e66fd82a09925d92edc3d67c649992a510597578703b

Download Submit
C:\Users\Admin\AppData\Roaming\igfxTy.exe
Filesize
125KB

MD5
1672081c9a9a80b4f2f31e311958fa2c

SHA1
def154edfe4cb8465677ed3fd9fffe506a307caf

SHA256
0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8

SHA512
ca292e87ec1b297e0e9bf5f8f270e67a13e20b78c0784fc80da421ba039a89104fe7792bc771acd024f48381979688febeffe65cfbbd1e19b52df768b04a50ca

Download Submit
C:\Users\Admin\AppData\Roaming\igfxTy.exe
Filesize
125KB

MD5
1672081c9a9a80b4f2f31e311958fa2c

SHA1
def154edfe4cb8465677ed3fd9fffe506a307caf

SHA256
0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8

SHA512
ca292e87ec1b297e0e9bf5f8f270e67a13e20b78c0784fc80da421ba039a89104fe7792bc771acd024f48381979688febeffe65cfbbd1e19b52df768b04a50ca

Download Submit
memory/1268-131-0x00007FFE89630000-0x00007FFE8A0F1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-132-0x000000001B6A0000-0x000000001B6A2000-memory.dmp

Filesize
8KB

Download
memory/1268-130-0x0000000000160000-0x0000000000186000-memory.dmp

Filesize
152KB

Download
memory/2072-133-0x0000000000000000-mapping.dmp

Download
memory/2072-136-0x00007FFE89630000-0x00007FFE8A0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2072-137-0x0000000001580000-0x0000000001582000-memory.dmp

Filesize
8KB

Download
memory/3112-141-0x0000000000000000-mapping.dmp

Download
memory/3548-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads