General
  Target: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
  Filesize: 384KB
  Completed: 05-04-2022 12:20
  Task: behavioral2
  Score: 8/10
  MD5: 5ac0f050f93f86e69026faea1fbb4450
  SHA1: 9709774fde9ec740ad6fed8ed79903296ca9d571
  SHA256: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
  SHA512: b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

Malware Config
Signatures 7
  • Executes dropped EXE
    Process: VBhEu.exe
    Reported IOCs
      pid  | process
      4768 | VBhEu.exe
  • Checks computer location settings
    Processes: VBhEu.exe, 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
    Description: Looks up country code configured in the registry, likely geofence.
    TTPs: Query Registry; System Information Discovery
    Reported IOCs
      description       | ioc                                                                                                   | process
      Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | VBhEu.exe
      Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
  • Adds Run key to start application
    Process: reg.exe
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
    Reported IOCs
      description     | ioc                                                                                                                                   | process
      Key created     | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                            | reg.exe
      Set value (str) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\VBhEu.exe" | reg.exe
  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    Process: VBhEu.exe
    Reported IOCs
      pid  | process
      4768 | VBhEu.exe
      4768 | VBhEu.exe
  • Suspicious use of AdjustPrivilegeToken
    Process: VBhEu.exe
    Reported IOCs
      description              | pid  | process
      Token: SeDebugPrivilege  | 4768 | VBhEu.exe
  • Suspicious use of WriteProcessMemory
    Processes: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe, VBhEu.exe, cmd.exe
    Reported IOCs
      description                     | pid  | process                                                               | target process
      PID 4540 wrote to memory of 4768 | 4540 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | VBhEu.exe
      PID 4540 wrote to memory of 4768 | 4540 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | VBhEu.exe
      PID 4768 wrote to memory of 4744 | 4768 | VBhEu.exe                                                             | cmd.exe
      PID 4768 wrote to memory of 4744 | 4768 | VBhEu.exe                                                             | cmd.exe
      PID 4768 wrote to memory of 2636 | 4768 | VBhEu.exe                                                             | sihost.exe
      PID 4744 wrote to memory of 2504 | 4744 | cmd.exe                                                               | reg.exe
      PID 4744 wrote to memory of 2504 | 4744 | cmd.exe                                                               | reg.exe
      PID 4768 wrote to memory of 2684 | 4768 | VBhEu.exe                                                             | svchost.exe
      PID 4768 wrote to memory of 2780 | 4768 | VBhEu.exe                                                             | taskhostw.exe
      PID 4768 wrote to memory of 8    | 4768 | VBhEu.exe                                                             | svchost.exe
      PID 4768 wrote to memory of 3244 | 4768 | VBhEu.exe                                                             | DllHost.exe
Processes 9
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3244
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID:8
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:2780
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:2684
  • C:\Windows\system32\sihost.exe
    sihost.exe
    PID:2636
  • C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
    "C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:4540
    • C:\users\Public\VBhEu.exe
      "C:\users\Public\VBhEu.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\VBhEu.exe" /f
        Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Windows\system32\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\VBhEu.exe" /f
          Adds Run key to start application
          PID:2504
Downloads
  • C:\Users\Public\VBhEu.exe
    MD5: 31bd0f224e7e74eee2847f43aae23974
    SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
    SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
    SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
  • C:\users\Public\VBhEu.exe
    MD5: 31bd0f224e7e74eee2847f43aae23974
    SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
    SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
    SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
  • memory/2504-128-0x0000000000000000-mapping.dmp
  • memory/2636-129-0x00007FF7B1BB0000-0x00007FF7B1F3E000-memory.dmp
  • memory/4744-127-0x0000000000000000-mapping.dmp
  • memory/4768-124-0x0000000000000000-mapping.dmp