054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a

General

Target

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
Size

78KB
MD5

00a5cb539ee1e451fd035c658f8b3cec
SHA1

a0cd23c3c67d184c789203ef60ba8c6f45b38204
SHA256

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a
SHA512

4dad74d7783123f125d4b0695c4b19019cd2f3b3a957c0983ed31ee009a7d94a2f87e860a3fe0f6c48fd72f1793101ec6e030dcf910eb8e46d3363bfafd7c8cd

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp1165.tmp.exe

pid process

4700 tmp1165.tmp.exe

pid	process
4700	tmp1165.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exetmp1165.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4892	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
Token: SeDebugPrivilege	4700	tmp1165.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exevbc.exe

description	pid	process	target process
PID 4892 wrote to memory of 4320	4892	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	vbc.exe
PID 4892 wrote to memory of 4320	4892	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	vbc.exe
PID 4892 wrote to memory of 4320	4892	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	vbc.exe
PID 4320 wrote to memory of 2248	4320	vbc.exe	cvtres.exe
PID 4320 wrote to memory of 2248	4320	vbc.exe	cvtres.exe
PID 4320 wrote to memory of 2248	4320	vbc.exe	cvtres.exe
PID 4892 wrote to memory of 4700	4892	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	tmp1165.tmp.exe
PID 4892 wrote to memory of 4700	4892	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	tmp1165.tmp.exe
PID 4892 wrote to memory of 4700	4892	054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe	tmp1165.tmp.exe

C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
"C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oetdhl-r.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5CD28FEA95548E386987DDC7784181.TMP"
3⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\tmp1165.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1165.tmp.exe" C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6C56.tmp
Filesize
1KB

MD5
4b03ee2ffd31039914f043d27b9ca635

SHA1
113981711df6b8e5d93126ed920ea4b003c8469c

SHA256
64ed5589dd4f5bfcc6fd44dcfc46c5c8030321d0ad667ffea7e510eb27024f9c

SHA512
670215aa47b2f6eb6649df0fd7ade65609e4dede253fb02b77a26bba69a9ba8084a3721dab5a4ce1b5096e31881aeeee2e1e2b609b019887ff16acf7d5c9371b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oetdhl-r.0.vb
Filesize
14KB

MD5
62bb8548e1640149dcb99ec50b12f939

SHA1
81470183737a2407efcb648d90e427486ba2ed93

SHA256
43b941aa5ed44f9951b11af22d371f208c6471cf2b000c03eededb1a0fb6bcc3

SHA512
d0f9b2200a255a8df576370febfa65954cfbaaf1a2c11bd276f7ba71300fd3da732f8d07eda38113b1a2c0bfb1f08764e03745664963063e8fb30be8c8d65916

Download Submit
C:\Users\Admin\AppData\Local\Temp\oetdhl-r.cmdline
Filesize
266B

MD5
0562089c23b17b1eeaac9ad7070bdfb0

SHA1
900bc071b851b237cc677c3a993b17f89b4ca125

SHA256
4675f456137ad75c6672cb948bac5d18d6a11c13a107a4235d4beb5010eed8e3

SHA512
cb810103272d31eaa03a33c6550f0bb9f50fe7cf98641309a9c212ec187d0e820bb41b9a45dc06b9f439307a117bb226eb76f4650abdc40b711a81e26ceb2a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1165.tmp.exe
Filesize
78KB

MD5
5373f33fa0248abd85fa9d5313fa1b79

SHA1
4188ad21771cea5bf575782549ee54708cd56e55

SHA256
4c3c3360fe477b7775551cea574ca04eb4494c61621ecec2f87bb82bb817e8b5

SHA512
d6c80136a04bb9bcf4b96c396789162494ec7ee4f1a24b2ef2ec1b34a1cfef46cb7e090267b3d547c342aa7754dfbb1ed991506b5b673a48686d4bd8bcd113b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1165.tmp.exe
Filesize
78KB

MD5
5373f33fa0248abd85fa9d5313fa1b79

SHA1
4188ad21771cea5bf575782549ee54708cd56e55

SHA256
4c3c3360fe477b7775551cea574ca04eb4494c61621ecec2f87bb82bb817e8b5

SHA512
d6c80136a04bb9bcf4b96c396789162494ec7ee4f1a24b2ef2ec1b34a1cfef46cb7e090267b3d547c342aa7754dfbb1ed991506b5b673a48686d4bd8bcd113b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF5CD28FEA95548E386987DDC7784181.TMP
Filesize
660B

MD5
28dde9713f06138b451e810b6ed03bef

SHA1
b19df8d62e2ee38994c080e2510b0f58f47c365d

SHA256
3a8ebf0482828285c85489ecfe7fea7fc985bb0fb278535e084dfbf7cfdbd330

SHA512
3f5549e37064ed306a87eabdd9d1c4a97c4dceb50840bb9dd0048db52c1e7c0545dc416c3e17509ea9ae5896ba3b63cd83559d58ddd2046d4540c4ba100dba77

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2248-135-0x0000000000000000-mapping.dmp

Download
memory/4320-131-0x0000000000000000-mapping.dmp

Download
memory/4700-139-0x0000000000000000-mapping.dmp

Download
memory/4700-141-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4892-130-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads