Analysis
Max time kernel: 207s
Max time network: 213s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 03-05-2022 15:02
Static task: static1
Behavioral task: behavioral1
  Sample: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
  Resource: win10v2004-20220414-en
General
Target: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
Size: 78KB
MD5: 04d5e9376838e75f62c1e3f72036dcd4
SHA1: dc3c1eebe560105197c9c94a3f317a966381ce59
SHA256: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4
SHA512: de87d6a909b0e0e1a8ab8452f0bb652918ca2dfdfea31be65dbbc9871e7418b3cbc43f352979512b726a684bc3fe1de291ee2176f25b610277f7f931f377b8a6
Malware Config
Signatures
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2036  tmpD6C0.tmp.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    2036  tmpD6C0.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    828  8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
    828  8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  828  8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 828 wrote to memory of 1224   828   8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe  vbc.exe          (4 identical entries)
    PID 1224 wrote to memory of 1136  1224  vbc.exe                                                                cvtres.exe       (4 identical entries)
    PID 828 wrote to memory of 2036   828   8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe  tmpD6C0.tmp.exe  (4 identical entries)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf-fogdp.cmdline"
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE11D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0EE.tmp"
  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
    - Executes dropped EXE
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

File: C:\Users\Admin\AppData\Local\Temp\RESE11D.tmp
Filesize: 1KB
MD5: 64102b59bc5e4d43a72ca72c616ac951
SHA1: 224ddda52cd1e63d4015a8b21fce4b7428c16471
SHA256: 2559d40b81d9556c85dd7a603f6bd75e958eb66a22bb91d44cc529cdf4ba2a71
SHA512: a5d7a37c888234cb809af3f2b0a79b58e17072182b4c051e07074f75dc7c2d6cc7dcbd2926378769aa1a30ab7b361018e0fdf201674033ae5671760b769c486c

File: C:\Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe
Filesize: 78KB
MD5: 9e91c8f57db0d177b29a1f37734744e8
SHA1: 87af6fb02b2f1905367ae4ddb0dceb57336ebfc9
SHA256: 3f123429f3dad7e8b55357c6dd0846a54ce1b548740a4da743526457902215fa
SHA512: c051b7fbb83277acf06eb3b96f64c915f594dbd19f894ea40174daa814d0ff2e44bf1ed04cc9f7f8f47047a9a678c03f14cdb1145f1928b0919b4616b16bc74c

File: C:\Users\Admin\AppData\Local\Temp\vbcE0EE.tmp
Filesize: 660B
MD5: c29c1b3ae4784f556d356e06e7f01ac9
SHA1: c5d485ecd00f2eedf77e2ce16c4d2e08149be101
SHA256: 718c731faf40bdcbd8278240f7330f8da49831725d10e57311c1777c9048ab4e
SHA512: 0f0d583b44863d1a2664c53b49935e0a8aa3c3fcc2eb451f1a2b9d1fa17fd1c291c0ebda977999f2a396fec5425b89f53a4a3a0bb0ea10961969eb310ba6dd7e

File: C:\Users\Admin\AppData\Local\Temp\xf-fogdp.0.vb
Filesize: 15KB
MD5: 6c4d9ce78ca3c86e82376dbbbf727502
SHA1: 2b063fca8617b9ea4909a2253ce7afbfa5684510
SHA256: 01eb53e2b74c438ec5eb28659d2ca88418fdfec19af2b3a8af560d0c5611308f
SHA512: b84dfc51907aaac5688283873cb8ad943c3723f5208c44c413ed538fcf1b738d7d833526bac9196ada496e4232cc8c8d4a80e10260a82a67018201e431d6afc8

File: C:\Users\Admin\AppData\Local\Temp\xf-fogdp.cmdline
Filesize: 266B
MD5: d57419b2d1111857c1ef7fbd25edc57f
SHA1: 61b1ea6b61e23d162ced9288ab8acdb4a174061e
SHA256: d3d228280059c39d0b914be04f2a102595e75010b6ccb398fb873f7edcb9c9b7
SHA512: b58ef5e83ea51823f35de7344079d071e1c686696a818735d588a97df7f0d87a1ae68c0d3e082a420a076d26e04589bfc20f5d75c63b372aa533f54c75b149d6

File: C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

File: \Users\Admin\AppData\Local\Temp\tmpD6C0.tmp.exe
Filesize: 78KB
MD5: 9e91c8f57db0d177b29a1f37734744e8
SHA1: 87af6fb02b2f1905367ae4ddb0dceb57336ebfc9
SHA256: 3f123429f3dad7e8b55357c6dd0846a54ce1b548740a4da743526457902215fa
SHA512: c051b7fbb83277acf06eb3b96f64c915f594dbd19f894ea40174daa814d0ff2e44bf1ed04cc9f7f8f47047a9a678c03f14cdb1145f1928b0919b4616b16bc74c

Memory dumps:
memory/828-54-0x00000000754A1000-0x00000000754A3000-memory.dmp (Filesize: 8KB)
memory/828-55-0x0000000074880000-0x0000000074E2B000-memory.dmp (Filesize: 5.7MB)
memory/1136-60-0x0000000000000000-mapping.dmp
memory/1224-56-0x0000000000000000-mapping.dmp
memory/2036-66-0x0000000000000000-mapping.dmp
memory/2036-69-0x0000000074860000-0x0000000074E0B000-memory.dmp (Filesize: 5.7MB)
memory/2036-70-0x00000000022E5000-0x00000000022F6000-memory.dmp (Filesize: 68KB)