Analysis
- max time kernel: 215s
- max time network: 254s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-05-2022 21:39

Static task: static1

Behavioral task: behavioral1
- Sample: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
- Resource: win10v2004-20220414-en
General
- Target: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
- Size: 78KB
- MD5: 01a27410a7f14cbe2069d62568a0df1c
- SHA1: 8e6badcd52ca775493b0c22bfb665af6a5fdc558
- SHA256: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed
- SHA512: 58047d6b8162e7f5a635887151345df459b76b15f4da387b00c766c517ca05888189f22a183ce20ca60c11df3d353f0a1651bfb725491dbc4df29b6559f12486
Malware Config
Signatures
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE 1 IoCs
  Processes:
    pid   process
    3632  tmpC5F.tmp.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
- Uses the VBS compiler for execution 1 TTPs
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
    description      ioc                                                                                                                                                                                       process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmpC5F.tmp.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  552   8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
    Token: SeDebugPrivilege  3632  tmpC5F.tmp.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
    description                        pid   process                                                                target process
    PID 552 wrote to memory of 2020    552   8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe  vbc.exe
    PID 552 wrote to memory of 2020    552   8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe  vbc.exe
    PID 552 wrote to memory of 2020    552   8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe  vbc.exe
    PID 2020 wrote to memory of 3952   2020  vbc.exe                                                                cvtres.exe
    PID 2020 wrote to memory of 3952   2020  vbc.exe                                                                cvtres.exe
    PID 2020 wrote to memory of 3952   2020  vbc.exe                                                                cvtres.exe
    PID 552 wrote to memory of 3632    552   8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe  tmpC5F.tmp.exe
    PID 552 wrote to memory of 3632    552   8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe  tmpC5F.tmp.exe
    PID 552 wrote to memory of 3632    552   8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe  tmpC5F.tmp.exe
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rp5it-oe.cmdline"
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD906.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB83B1F8516F846C991307ED4C4A27D2A.TMP"
  - Image: C:\Users\Admin\AppData\Local\Temp\tmpC5F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC5F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESD906.tmp
  Filesize: 1KB
  MD5: 8015e648ce849329a352562a3a3bacc0
  SHA1: 97d54a9c62e578b460d2ac06ae31262eec50255a
  SHA256: 6fc74d36b15c4e96e5b64aeee454aae85e03ab634020b50ffd8736ef0cbfa663
  SHA512: 6503739ad473ce34753bb658de57687c64a8e4bd21534f1df238028ef30fc6d2e136b6c977497fe5fd09508725e16b2a0e97192dc685c548404002e1817e54b4
- C:\Users\Admin\AppData\Local\Temp\rp5it-oe.0.vb
  Filesize: 14KB
  MD5: aa585f90cdf667d05101a7f6d14576b5
  SHA1: 2ac771f49487c0f6f3cf87e556b8acfbd28809d5
  SHA256: 31251761a73513ebda3986b93201f7b0c0210e8ac9c20772d6a1a60ac608cc79
  SHA512: 21f8be00cd2f3cd8575375e0891c3583a7b6793841ba51b9e5acdc5fb6180362b10149269a28d5f7ea039f27665f38025bfd1d2c8a77ad30ff141218954b3075
- C:\Users\Admin\AppData\Local\Temp\rp5it-oe.cmdline
  Filesize: 265B
  MD5: ccc8355f5ae36a54b27c941224d1ae86
  SHA1: b0aa32a7ad642ea2732eadcbeec6a3e42363d863
  SHA256: 40483797b0b9ca2449ef73ef3a85a0d8a80696591d117ebeb8df57d63edd7fa9
  SHA512: 808af7b12e47b9def1d499fb1dcead976f09cd3edfc42a56834439468fa83350458074dd6d95fc9ef0e535bd5f7509f1962315b1acc99272f64d59b4c4a4704e
- C:\Users\Admin\AppData\Local\Temp\tmpC5F.tmp.exe
  Filesize: 78KB
  MD5: 7c19ca7d9e0d6a9bea4327e3d34133e0
  SHA1: 961d2340e61de20852d4439a0b338a657891fbfc
  SHA256: b97281ebc43cdf6c39e19b50975051201cc98d93a446b332bada2216adffe39b
  SHA512: 0ee139a84c19cd6f371ae994c5ce9653c624068308bfe58ce94832f639c03e3a0e4879d243926e8c1bb71077225ed1662c61191b5b11f747b500e5804ab5c3a5
- C:\Users\Admin\AppData\Local\Temp\vbcB83B1F8516F846C991307ED4C4A27D2A.TMP
  Filesize: 660B
  MD5: b61fc078fb035cd7b13c0b43cb5d7aa0
  SHA1: 402609acb1f12d55d1b33b261d7d4f99dc8fb503
  SHA256: e217919c605a5ff7512700608adfa6ebf538d99c9398b1f24982617e4cba1888
  SHA512: c4184c2be3b8c52255ed22f163d87b82ff710ea538ff7b3218c61c44a9970444f5f02ccfb64555c6c7655ffca85efed5e66211597e3bf4269cfa89133c312514
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c
- memory/552-130-0x0000000074B30000-0x00000000750E1000-memory.dmp
  Filesize: 5.7MB
- memory/2020-131-0x0000000000000000-mapping.dmp
- memory/3632-139-0x0000000000000000-mapping.dmp
- memory/3632-141-0x0000000074B30000-0x00000000750E1000-memory.dmp
  Filesize: 5.7MB
- memory/3952-135-0x0000000000000000-mapping.dmp