8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4

Analysis

max time kernel
207s
max time network
213s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
Size

78KB
MD5

04d5e9376838e75f62c1e3f72036dcd4
SHA1

dc3c1eebe560105197c9c94a3f317a966381ce59
SHA256

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4
SHA512

de87d6a909b0e0e1a8ab8452f0bb652918ca2dfdfea31be65dbbc9871e7418b3cbc43f352979512b726a684bc3fe1de291ee2176f25b610277f7f931f377b8a6

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpD6C0.tmp.exe

pid process

2036 tmpD6C0.tmp.exe
Deletes itself 1 IoCs

Processes:

tmpD6C0.tmp.exe

pid process

2036 tmpD6C0.tmp.exe

pid	process
2036	tmpD6C0.tmp.exe

pid	process
2036	tmpD6C0.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe

pid	process
828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe

description pid process

Token: SeDebugPrivilege 828 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe

description	pid	process
Token: SeDebugPrivilege	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exevbc.exe

description	pid	process	target process
PID 828 wrote to memory of 1224	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	vbc.exe
PID 828 wrote to memory of 1224	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	vbc.exe
PID 828 wrote to memory of 1224	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	vbc.exe
PID 828 wrote to memory of 1224	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	vbc.exe
PID 1224 wrote to memory of 1136	1224	vbc.exe	cvtres.exe
PID 1224 wrote to memory of 1136	1224	vbc.exe	cvtres.exe
PID 1224 wrote to memory of 1136	1224	vbc.exe	cvtres.exe
PID 1224 wrote to memory of 1136	1224	vbc.exe	cvtres.exe
PID 828 wrote to memory of 2036	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	tmpD6C0.tmp.exe
PID 828 wrote to memory of 2036	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	tmpD6C0.tmp.exe
PID 828 wrote to memory of 2036	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	tmpD6C0.tmp.exe
PID 828 wrote to memory of 2036	828	8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe	tmpD6C0.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
"C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf-fogdp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE11D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0EE.tmp"
3⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE11D.tmp
Filesize
1KB

MD5
64102b59bc5e4d43a72ca72c616ac951

SHA1
224ddda52cd1e63d4015a8b21fce4b7428c16471

SHA256
2559d40b81d9556c85dd7a603f6bd75e958eb66a22bb91d44cc529cdf4ba2a71

SHA512
a5d7a37c888234cb809af3f2b0a79b58e17072182b4c051e07074f75dc7c2d6cc7dcbd2926378769aa1a30ab7b361018e0fdf201674033ae5671760b769c486c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe
Filesize
78KB

MD5
9e91c8f57db0d177b29a1f37734744e8

SHA1
87af6fb02b2f1905367ae4ddb0dceb57336ebfc9

SHA256
3f123429f3dad7e8b55357c6dd0846a54ce1b548740a4da743526457902215fa

SHA512
c051b7fbb83277acf06eb3b96f64c915f594dbd19f894ea40174daa814d0ff2e44bf1ed04cc9f7f8f47047a9a678c03f14cdb1145f1928b0919b4616b16bc74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe
Filesize
78KB

MD5
9e91c8f57db0d177b29a1f37734744e8

SHA1
87af6fb02b2f1905367ae4ddb0dceb57336ebfc9

SHA256
3f123429f3dad7e8b55357c6dd0846a54ce1b548740a4da743526457902215fa

SHA512
c051b7fbb83277acf06eb3b96f64c915f594dbd19f894ea40174daa814d0ff2e44bf1ed04cc9f7f8f47047a9a678c03f14cdb1145f1928b0919b4616b16bc74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE0EE.tmp
Filesize
660B

MD5
c29c1b3ae4784f556d356e06e7f01ac9

SHA1
c5d485ecd00f2eedf77e2ce16c4d2e08149be101

SHA256
718c731faf40bdcbd8278240f7330f8da49831725d10e57311c1777c9048ab4e

SHA512
0f0d583b44863d1a2664c53b49935e0a8aa3c3fcc2eb451f1a2b9d1fa17fd1c291c0ebda977999f2a396fec5425b89f53a4a3a0bb0ea10961969eb310ba6dd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf-fogdp.0.vb
Filesize
15KB

MD5
6c4d9ce78ca3c86e82376dbbbf727502

SHA1
2b063fca8617b9ea4909a2253ce7afbfa5684510

SHA256
01eb53e2b74c438ec5eb28659d2ca88418fdfec19af2b3a8af560d0c5611308f

SHA512
b84dfc51907aaac5688283873cb8ad943c3723f5208c44c413ed538fcf1b738d7d833526bac9196ada496e4232cc8c8d4a80e10260a82a67018201e431d6afc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf-fogdp.cmdline
Filesize
266B

MD5
d57419b2d1111857c1ef7fbd25edc57f

SHA1
61b1ea6b61e23d162ced9288ab8acdb4a174061e

SHA256
d3d228280059c39d0b914be04f2a102595e75010b6ccb398fb873f7edcb9c9b7

SHA512
b58ef5e83ea51823f35de7344079d071e1c686696a818735d588a97df7f0d87a1ae68c0d3e082a420a076d26e04589bfc20f5d75c63b372aa533f54c75b149d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe
Filesize
78KB

MD5
9e91c8f57db0d177b29a1f37734744e8

SHA1
87af6fb02b2f1905367ae4ddb0dceb57336ebfc9

SHA256
3f123429f3dad7e8b55357c6dd0846a54ce1b548740a4da743526457902215fa

SHA512
c051b7fbb83277acf06eb3b96f64c915f594dbd19f894ea40174daa814d0ff2e44bf1ed04cc9f7f8f47047a9a678c03f14cdb1145f1928b0919b4616b16bc74c

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe
Filesize
78KB

MD5
9e91c8f57db0d177b29a1f37734744e8

SHA1
87af6fb02b2f1905367ae4ddb0dceb57336ebfc9

SHA256
3f123429f3dad7e8b55357c6dd0846a54ce1b548740a4da743526457902215fa

SHA512
c051b7fbb83277acf06eb3b96f64c915f594dbd19f894ea40174daa814d0ff2e44bf1ed04cc9f7f8f47047a9a678c03f14cdb1145f1928b0919b4616b16bc74c

Download Submit
memory/828-54-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/828-55-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/1136-60-0x0000000000000000-mapping.dmp

Download
memory/1224-56-0x0000000000000000-mapping.dmp

Download
memory/2036-66-0x0000000000000000-mapping.dmp

Download
memory/2036-69-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-70-0x00000000022E5000-0x00000000022F6000-memory.dmp

Filesize
68KB

Download