b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a

Analysis

max time kernel
115s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe
Size

78KB
MD5

128cc2228ba32b1ed2512226a5e7bf99
SHA1

16cd4a058914b612774135eaa4ef1dab80007e7e
SHA256

b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a
SHA512

1c6de9732892c2e24f0afed86cf5230ee731eeae82fde731053019f19ebaa3f745a7f8b558b786e44a3e656b7094e59ef7212226b1509c29ae4bb9479e3f2500

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp8373.tmp.exe

pid process

1208 tmp8373.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp8373.tmp.exe

pid process

1208 tmp8373.tmp.exe

pid	process
1208	tmp8373.tmp.exe

pid	process
1208	tmp8373.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe

pid	process
1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe
1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe

description pid process

Token: SeDebugPrivilege 1704 b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe

description	pid	process
Token: SeDebugPrivilege	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exevbc.exe

description	pid	process	target process
PID 1704 wrote to memory of 2044	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe	vbc.exe
PID 1704 wrote to memory of 2044	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe	vbc.exe
PID 1704 wrote to memory of 2044	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe	vbc.exe
PID 1704 wrote to memory of 2044	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe	vbc.exe
PID 2044 wrote to memory of 2016	2044	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 2016	2044	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 2016	2044	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 2016	2044	vbc.exe	cvtres.exe
PID 1704 wrote to memory of 1208	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe	tmp8373.tmp.exe
PID 1704 wrote to memory of 1208	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe	tmp8373.tmp.exe
PID 1704 wrote to memory of 1208	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe	tmp8373.tmp.exe
PID 1704 wrote to memory of 1208	1704	b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe	tmp8373.tmp.exe

C:\Users\Admin\AppData\Local\Temp\b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe
"C:\Users\Admin\AppData\Local\Temp\b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jewj-a2e.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD876.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7BA.tmp"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:1208

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD876.tmp
Filesize
1KB

MD5
6040a4e2e89028e34dd6a9ddc02fa81b

SHA1
692e8413f101c69cf22219742790400e6be5f230

SHA256
db46b03ef9d909ab2a768548a1489bc8cb89ca5e969532499bf316d9d976a91c

SHA512
08e3540d511cdb328547461390f9be98f0a8b49d01b19cd130bf38bd39a2af36210844596858fff44e2cd55ef893ac571ece5d2750328e938062c13b9c84e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jewj-a2e.0.vb
Filesize
14KB

MD5
562f9c52155039e96bba3e3466d911f0

SHA1
bd8bc70c008bd9bc8765a0b1bead0fe7c753b320

SHA256
4acea0502a2e1a9aaaac84f7c4e8a2fa8a13aee018a51dabdcfe50f060f23856

SHA512
8e13e53e586d0e7802f5a4b016a542f98475442342f8097721e015208a460455b8b8cb9b88baf3f043112b8e84a3afcc653b8284a05c7b49094f11c47e0e326e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jewj-a2e.cmdline
Filesize
266B

MD5
875db4a9768f04cab57a47eb0a103f2d

SHA1
afae0c44842dc4da870661e829b87c240d673313

SHA256
f8649c1dfa9b732f6b536b460f41d36eef69bc29b6bac7f0c2258dd04456b956

SHA512
3044841fd3d89c90a11d9188abb9a5f25e29df00ee05598a4c65e282428d601bf967fab2fea0d1bf38668ea7455226253e63c11c694eac957b37c10bead39703

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe
Filesize
78KB

MD5
940494d901bd3ada1bf34aaff01d0141

SHA1
2995c4375ee3b56643a3734d19c8de67dc24a738

SHA256
242a4926e9c4ed9da5c6e9df494790218e76225dcfbb277a56736babdbecb5ac

SHA512
bb4dd82ececc1a30afc64c79f58dd61a93a9379f1ea934ded899563b23a996302389bb42f1a95cbe3c56c0491a2ebfb5f1731052705c31d573915d401ae40e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe
Filesize
78KB

MD5
940494d901bd3ada1bf34aaff01d0141

SHA1
2995c4375ee3b56643a3734d19c8de67dc24a738

SHA256
242a4926e9c4ed9da5c6e9df494790218e76225dcfbb277a56736babdbecb5ac

SHA512
bb4dd82ececc1a30afc64c79f58dd61a93a9379f1ea934ded899563b23a996302389bb42f1a95cbe3c56c0491a2ebfb5f1731052705c31d573915d401ae40e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD7BA.tmp
Filesize
660B

MD5
c80be46959e6a84d6c4d1e583cbb8463

SHA1
90ed8c7d26990bf711080d2fd0554cacad0a3d70

SHA256
aa82a4124fe6351eec8fcea551257c272497d6a8e515dc891d2dd173f194cafd

SHA512
033b717b6158235e02a9aa1fabb075556ded617549a2cade6735657fd193b6b3ac9a4b4ba1aefea0eb812a6376caef4f29c0b6defba144f5a5200038df278186

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe
Filesize
78KB

MD5
940494d901bd3ada1bf34aaff01d0141

SHA1
2995c4375ee3b56643a3734d19c8de67dc24a738

SHA256
242a4926e9c4ed9da5c6e9df494790218e76225dcfbb277a56736babdbecb5ac

SHA512
bb4dd82ececc1a30afc64c79f58dd61a93a9379f1ea934ded899563b23a996302389bb42f1a95cbe3c56c0491a2ebfb5f1731052705c31d573915d401ae40e44

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8373.tmp.exe
Filesize
78KB

MD5
940494d901bd3ada1bf34aaff01d0141

SHA1
2995c4375ee3b56643a3734d19c8de67dc24a738

SHA256
242a4926e9c4ed9da5c6e9df494790218e76225dcfbb277a56736babdbecb5ac

SHA512
bb4dd82ececc1a30afc64c79f58dd61a93a9379f1ea934ded899563b23a996302389bb42f1a95cbe3c56c0491a2ebfb5f1731052705c31d573915d401ae40e44

Download Submit
memory/1208-66-0x0000000000000000-mapping.dmp

Download
memory/1208-69-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-55-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-54-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download
memory/2016-60-0x0000000000000000-mapping.dmp

Download
memory/2044-56-0x0000000000000000-mapping.dmp

Download