8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed

General

Target

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
Size

78KB
MD5

01a27410a7f14cbe2069d62568a0df1c
SHA1

8e6badcd52ca775493b0c22bfb665af6a5fdc558
SHA256

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed
SHA512

58047d6b8162e7f5a635887151345df459b76b15f4da387b00c766c517ca05888189f22a183ce20ca60c11df3d353f0a1651bfb725491dbc4df29b6559f12486

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpC5F.tmp.exe

pid process

3632 tmpC5F.tmp.exe

pid	process
3632	tmpC5F.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpC5F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC5F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exetmpC5F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	552	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
Token: SeDebugPrivilege	3632	tmpC5F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exevbc.exe

description	pid	process	target process
PID 552 wrote to memory of 2020	552	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	vbc.exe
PID 552 wrote to memory of 2020	552	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	vbc.exe
PID 552 wrote to memory of 2020	552	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	vbc.exe
PID 2020 wrote to memory of 3952	2020	vbc.exe	cvtres.exe
PID 2020 wrote to memory of 3952	2020	vbc.exe	cvtres.exe
PID 2020 wrote to memory of 3952	2020	vbc.exe	cvtres.exe
PID 552 wrote to memory of 3632	552	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	tmpC5F.tmp.exe
PID 552 wrote to memory of 3632	552	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	tmpC5F.tmp.exe
PID 552 wrote to memory of 3632	552	8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe	tmpC5F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
"C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rp5it-oe.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD906.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB83B1F8516F846C991307ED4C4A27D2A.TMP"
3⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\tmpC5F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC5F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD906.tmp
Filesize
1KB

MD5
8015e648ce849329a352562a3a3bacc0

SHA1
97d54a9c62e578b460d2ac06ae31262eec50255a

SHA256
6fc74d36b15c4e96e5b64aeee454aae85e03ab634020b50ffd8736ef0cbfa663

SHA512
6503739ad473ce34753bb658de57687c64a8e4bd21534f1df238028ef30fc6d2e136b6c977497fe5fd09508725e16b2a0e97192dc685c548404002e1817e54b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp5it-oe.0.vb
Filesize
14KB

MD5
aa585f90cdf667d05101a7f6d14576b5

SHA1
2ac771f49487c0f6f3cf87e556b8acfbd28809d5

SHA256
31251761a73513ebda3986b93201f7b0c0210e8ac9c20772d6a1a60ac608cc79

SHA512
21f8be00cd2f3cd8575375e0891c3583a7b6793841ba51b9e5acdc5fb6180362b10149269a28d5f7ea039f27665f38025bfd1d2c8a77ad30ff141218954b3075

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp5it-oe.cmdline
Filesize
265B

MD5
ccc8355f5ae36a54b27c941224d1ae86

SHA1
b0aa32a7ad642ea2732eadcbeec6a3e42363d863

SHA256
40483797b0b9ca2449ef73ef3a85a0d8a80696591d117ebeb8df57d63edd7fa9

SHA512
808af7b12e47b9def1d499fb1dcead976f09cd3edfc42a56834439468fa83350458074dd6d95fc9ef0e535bd5f7509f1962315b1acc99272f64d59b4c4a4704e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC5F.tmp.exe
Filesize
78KB

MD5
7c19ca7d9e0d6a9bea4327e3d34133e0

SHA1
961d2340e61de20852d4439a0b338a657891fbfc

SHA256
b97281ebc43cdf6c39e19b50975051201cc98d93a446b332bada2216adffe39b

SHA512
0ee139a84c19cd6f371ae994c5ce9653c624068308bfe58ce94832f639c03e3a0e4879d243926e8c1bb71077225ed1662c61191b5b11f747b500e5804ab5c3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC5F.tmp.exe
Filesize
78KB

MD5
7c19ca7d9e0d6a9bea4327e3d34133e0

SHA1
961d2340e61de20852d4439a0b338a657891fbfc

SHA256
b97281ebc43cdf6c39e19b50975051201cc98d93a446b332bada2216adffe39b

SHA512
0ee139a84c19cd6f371ae994c5ce9653c624068308bfe58ce94832f639c03e3a0e4879d243926e8c1bb71077225ed1662c61191b5b11f747b500e5804ab5c3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB83B1F8516F846C991307ED4C4A27D2A.TMP
Filesize
660B

MD5
b61fc078fb035cd7b13c0b43cb5d7aa0

SHA1
402609acb1f12d55d1b33b261d7d4f99dc8fb503

SHA256
e217919c605a5ff7512700608adfa6ebf538d99c9398b1f24982617e4cba1888

SHA512
c4184c2be3b8c52255ed22f163d87b82ff710ea538ff7b3218c61c44a9970444f5f02ccfb64555c6c7655ffca85efed5e66211597e3bf4269cfa89133c312514

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/552-130-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/2020-131-0x0000000000000000-mapping.dmp

Download
memory/3632-139-0x0000000000000000-mapping.dmp

Download
memory/3632-141-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/3952-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads