Analysis
- max time kernel: 162s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 09-05-2022 00:25
Static task: static1
Behavioral task: behavioral1
- Sample: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
- Resource: win10v2004-20220414-en
General
- Target: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
- Size: 78KB
- MD5: 00a5cb539ee1e451fd035c658f8b3cec
- SHA1: a0cd23c3c67d184c789203ef60ba8c6f45b38204
- SHA256: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a
- SHA512: 4dad74d7783123f125d4b0695c4b19019cd2f3b3a957c0983ed31ee009a7d94a2f87e860a3fe0f6c48fd72f1793101ec6e030dcf910eb8e46d3363bfafd7c8cd
Malware Config
Signatures
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE (1 IoCs)
Processes:
- pid 4700: tmp1165.tmp.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe)
Uses the VBS compiler for execution (1 TTPs)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege (pid 4892, 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe)
- Token: SeDebugPrivilege (pid 4700, tmp1165.tmp.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 4892 wrote to memory of 4320 (054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe -> vbc.exe)
- PID 4892 wrote to memory of 4320 (054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe -> vbc.exe)
- PID 4892 wrote to memory of 4320 (054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe -> vbc.exe)
- PID 4320 wrote to memory of 2248 (vbc.exe -> cvtres.exe)
- PID 4320 wrote to memory of 2248 (vbc.exe -> cvtres.exe)
- PID 4320 wrote to memory of 2248 (vbc.exe -> cvtres.exe)
- PID 4892 wrote to memory of 4700 (054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe -> tmp1165.tmp.exe)
- PID 4892 wrote to memory of 4700 (054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe -> tmp1165.tmp.exe)
- PID 4892 wrote to memory of 4700 (054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe -> tmp1165.tmp.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oetdhl-r.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5CD28FEA95548E386987DDC7784181.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp1165.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1165.tmp.exe" C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES6C56.tmp
  Filesize: 1KB
  MD5: 4b03ee2ffd31039914f043d27b9ca635
  SHA1: 113981711df6b8e5d93126ed920ea4b003c8469c
  SHA256: 64ed5589dd4f5bfcc6fd44dcfc46c5c8030321d0ad667ffea7e510eb27024f9c
  SHA512: 670215aa47b2f6eb6649df0fd7ade65609e4dede253fb02b77a26bba69a9ba8084a3721dab5a4ce1b5096e31881aeeee2e1e2b609b019887ff16acf7d5c9371b
- C:\Users\Admin\AppData\Local\Temp\oetdhl-r.0.vb
  Filesize: 14KB
  MD5: 62bb8548e1640149dcb99ec50b12f939
  SHA1: 81470183737a2407efcb648d90e427486ba2ed93
  SHA256: 43b941aa5ed44f9951b11af22d371f208c6471cf2b000c03eededb1a0fb6bcc3
  SHA512: d0f9b2200a255a8df576370febfa65954cfbaaf1a2c11bd276f7ba71300fd3da732f8d07eda38113b1a2c0bfb1f08764e03745664963063e8fb30be8c8d65916
- C:\Users\Admin\AppData\Local\Temp\oetdhl-r.cmdline
  Filesize: 266B
  MD5: 0562089c23b17b1eeaac9ad7070bdfb0
  SHA1: 900bc071b851b237cc677c3a993b17f89b4ca125
  SHA256: 4675f456137ad75c6672cb948bac5d18d6a11c13a107a4235d4beb5010eed8e3
  SHA512: cb810103272d31eaa03a33c6550f0bb9f50fe7cf98641309a9c212ec187d0e820bb41b9a45dc06b9f439307a117bb226eb76f4650abdc40b711a81e26ceb2a02
- C:\Users\Admin\AppData\Local\Temp\tmp1165.tmp.exe
  Filesize: 78KB
  MD5: 5373f33fa0248abd85fa9d5313fa1b79
  SHA1: 4188ad21771cea5bf575782549ee54708cd56e55
  SHA256: 4c3c3360fe477b7775551cea574ca04eb4494c61621ecec2f87bb82bb817e8b5
  SHA512: d6c80136a04bb9bcf4b96c396789162494ec7ee4f1a24b2ef2ec1b34a1cfef46cb7e090267b3d547c342aa7754dfbb1ed991506b5b673a48686d4bd8bcd113b4
- C:\Users\Admin\AppData\Local\Temp\vbcF5CD28FEA95548E386987DDC7784181.TMP
  Filesize: 660B
  MD5: 28dde9713f06138b451e810b6ed03bef
  SHA1: b19df8d62e2ee38994c080e2510b0f58f47c365d
  SHA256: 3a8ebf0482828285c85489ecfe7fea7fc985bb0fb278535e084dfbf7cfdbd330
  SHA512: 3f5549e37064ed306a87eabdd9d1c4a97c4dceb50840bb9dd0048db52c1e7c0545dc416c3e17509ea9ae5896ba3b63cd83559d58ddd2046d4540c4ba100dba77
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- memory/2248-135-0x0000000000000000-mapping.dmp
- memory/4320-131-0x0000000000000000-mapping.dmp
- memory/4700-139-0x0000000000000000-mapping.dmp
- memory/4700-141-0x0000000074DB0000-0x0000000075361000-memory.dmp
  Filesize: 5.7MB
- memory/4892-130-0x0000000074DB0000-0x0000000075361000-memory.dmp
  Filesize: 5.7MB