0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf

Analysis

max time kernel
155s
max time network
162s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-05-2022 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
Size

78KB
MD5

049706e8f7a0c6b01a311664a87d2e36
SHA1

3cfb3a3d7601c6f47699da99f8d50069489934e0
SHA256

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf
SHA512

88dbbbeb8b2f982fff0d91266e9e61bac07b8bb7ae1ad0dfb0af7bb81ee16387c6a55cc4512c48a10d1a8d695c53d8c012315c18eda37f66ce4d876349245588

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp2F8A.tmp.exe

pid process

1060 tmp2F8A.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp2F8A.tmp.exe

pid process

1060 tmp2F8A.tmp.exe

pid	process
1060	tmp2F8A.tmp.exe

pid	process
1060	tmp2F8A.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe

pid	process
1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp2F8A.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp2F8A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exetmp2F8A.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
Token: SeDebugPrivilege	1060	tmp2F8A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exevbc.exe

description	pid	process	target process
PID 1724 wrote to memory of 2044	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	vbc.exe
PID 1724 wrote to memory of 2044	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	vbc.exe
PID 1724 wrote to memory of 2044	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	vbc.exe
PID 1724 wrote to memory of 2044	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	vbc.exe
PID 2044 wrote to memory of 1312	2044	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 1312	2044	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 1312	2044	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 1312	2044	vbc.exe	cvtres.exe
PID 1724 wrote to memory of 1060	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	tmp2F8A.tmp.exe
PID 1724 wrote to memory of 1060	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	tmp2F8A.tmp.exe
PID 1724 wrote to memory of 1060	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	tmp2F8A.tmp.exe
PID 1724 wrote to memory of 1060	1724	0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe	tmp2F8A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
"C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fv-zdpce.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3239.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3238.tmp"
3⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\tmp2F8A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2F8A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3239.tmp
Filesize
1KB

MD5
db715d2feb01cb6bf6ed865a2764658e

SHA1
2896a2c4043a8f3ef11341881fa083a8320f52da

SHA256
2258b04c28ac476f7ebf18d5aa6cafcac6e4288e8bc44c83f8cd2463bfd11446

SHA512
dee24d18584096206bced76e71b9acc09e73a607a3a5d07c0a15d466afbda2b622652b09df7c130e2db7ae9d366d309e25541fa0551341e0d13c6f2349576c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\fv-zdpce.0.vb
Filesize
14KB

MD5
82ba38b5277d1d50d270530d6c384565

SHA1
ce6f450ef0d7c67ff4f4ede65a31ef03b4e3cbc2

SHA256
bf6725b7e5f56311740de8adb0e2b796cbf2d564811c21c59d1c00e0a89b862c

SHA512
a707e28472d45e142a9cffa4c40f17baf2dd490dff8723007860a1a938d4f195f6dca839e679f71ba2e51839610171f8777adf8da64f8c6ef7199800f94983e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fv-zdpce.cmdline
Filesize
266B

MD5
a4e4499158b6ea31fd337565df5d5689

SHA1
91174c1145b86462368a5335144c84e7529904ed

SHA256
40e7bedeababee4d13004dcc92edee1304e7a617cf42e0df885888b94f3fb001

SHA512
919b6a45f847d0090f428a471532c19328c6107bdbff402b3d4c478eec90ddc84e9c1d317ad448686fde9dccdf055cbd5a692f05850e974f13c61cce610645a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F8A.tmp.exe
Filesize
78KB

MD5
b5037daede9b93abe4dc8fe7d684964d

SHA1
21266d43c012e9a9ba935a9417a920d0731d710c

SHA256
97928419ed413edbdd813e130d8ee570a03afadbecda7455dd888c9bb51ed5f2

SHA512
5590c9e190fc4fcd7e67129b42ca29abe9d5f937f1dfcb63952004c4d490571bb21e3b29dc4530ccf6720982c0feebbcd5f6a2388c6bbbec0fe589e81052f3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F8A.tmp.exe
Filesize
78KB

MD5
b5037daede9b93abe4dc8fe7d684964d

SHA1
21266d43c012e9a9ba935a9417a920d0731d710c

SHA256
97928419ed413edbdd813e130d8ee570a03afadbecda7455dd888c9bb51ed5f2

SHA512
5590c9e190fc4fcd7e67129b42ca29abe9d5f937f1dfcb63952004c4d490571bb21e3b29dc4530ccf6720982c0feebbcd5f6a2388c6bbbec0fe589e81052f3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3238.tmp
Filesize
660B

MD5
be011c954ef01bab9b8be96549cc2d34

SHA1
0919edf6b307b46dbc3d891d794aa5fdb724e46f

SHA256
6aef1f05ab9060c8ae0cc4c1501a1c407a033f9cd8f8ff3b191a5b8b971870c6

SHA512
0fb69d8542dc5f557bfef85b5dda5bfec4f79b84c84f273ba272fe912d24f7349ac7d93fa97da45db0d9ca349b509c5c87ccdfc397f9484ee7b1aedeef62fd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2F8A.tmp.exe
Filesize
78KB

MD5
b5037daede9b93abe4dc8fe7d684964d

SHA1
21266d43c012e9a9ba935a9417a920d0731d710c

SHA256
97928419ed413edbdd813e130d8ee570a03afadbecda7455dd888c9bb51ed5f2

SHA512
5590c9e190fc4fcd7e67129b42ca29abe9d5f937f1dfcb63952004c4d490571bb21e3b29dc4530ccf6720982c0feebbcd5f6a2388c6bbbec0fe589e81052f3eb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2F8A.tmp.exe
Filesize
78KB

MD5
b5037daede9b93abe4dc8fe7d684964d

SHA1
21266d43c012e9a9ba935a9417a920d0731d710c

SHA256
97928419ed413edbdd813e130d8ee570a03afadbecda7455dd888c9bb51ed5f2

SHA512
5590c9e190fc4fcd7e67129b42ca29abe9d5f937f1dfcb63952004c4d490571bb21e3b29dc4530ccf6720982c0feebbcd5f6a2388c6bbbec0fe589e81052f3eb

Download Submit
memory/1060-66-0x0000000000000000-mapping.dmp

Download
memory/1060-69-0x0000000073910000-0x0000000073EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1060-70-0x0000000000665000-0x0000000000676000-memory.dmp

Filesize
68KB

Download
memory/1312-60-0x0000000000000000-mapping.dmp

Download
memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1724-57-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-55-0x0000000000000000-mapping.dmp

Download