eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7

Analysis

max time kernel
182s
max time network
209s
platform
windows7_x64
resource
win7-20220414-en
submitted
10-05-2022 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
Size

78KB
MD5

015b121254c946730c35060c7677e4f9
SHA1

f085f06f9034fee0f222dc3b173c1a5b1cd10b60
SHA256

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7
SHA512

7563d7410cdc80f2cb63c4c4d45c8636141af2f5ab870e17fb0c0f8ebed0032943c9144b0132da29390252d3a190baec8560ba350b73068dddddd04d35cf3a7d

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp1076.tmp.exe

pid process

108 tmp1076.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp1076.tmp.exe

pid process

108 tmp1076.tmp.exe

pid	process
108	tmp1076.tmp.exe

pid	process
108	tmp1076.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe

pid	process
972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp1076.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp1076.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exetmp1076.tmp.exe

description	pid	process
Token: SeDebugPrivilege	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
Token: SeDebugPrivilege	108	tmp1076.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exevbc.exe

description	pid	process	target process
PID 972 wrote to memory of 1728	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	vbc.exe
PID 972 wrote to memory of 1728	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	vbc.exe
PID 972 wrote to memory of 1728	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	vbc.exe
PID 972 wrote to memory of 1728	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	vbc.exe
PID 1728 wrote to memory of 2028	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 2028	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 2028	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 2028	1728	vbc.exe	cvtres.exe
PID 972 wrote to memory of 108	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	tmp1076.tmp.exe
PID 972 wrote to memory of 108	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	tmp1076.tmp.exe
PID 972 wrote to memory of 108	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	tmp1076.tmp.exe
PID 972 wrote to memory of 108	972	eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe	tmp1076.tmp.exe

C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
"C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d-pbwwqf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1354.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1343.tmp"
3⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\tmp1076.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1076.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1354.tmp
Filesize
1KB

MD5
7180cb929e8d3f1166fa13327639a3fa

SHA1
bd58fa777ca736e39350b079d37402ed35c839e8

SHA256
123772cafe424a82b302ee1bc306a67178acc633c9e9f8a94143ba33275310e2

SHA512
24e24d49c98de0d7304e9159c2abbf2999ea33f5cc0877e14f0de7ccebb464271ecbc073b5f1c96e61d5828f8af398745fea97b537d57878f7f42d23dab49e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d-pbwwqf.0.vb
Filesize
14KB

MD5
925d2363547acabb4c37f1cd096216da

SHA1
1b94e122222bd84e19d017cc407a18c388493675

SHA256
e54354a29c3e5a97ec8033412b2164136ada13e92c6ab224e6f624affd5f679e

SHA512
c40a4614966c5b555dc79eee54716adaf3c33d2f639897553997c1d598ec8b31b5bae1cee679558bb542a63ded0de8ec907ed9a9a23c7b0bae9602a169b29cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d-pbwwqf.cmdline
Filesize
266B

MD5
44fb71764613dd792a5cd953f9c8399d

SHA1
829feb4d3c6c67205c31d83aefc2d9547075b742

SHA256
85502113c4beee54ccf4a27790e87343ce3d56bbc09ad3fd36a8d671fbf1f60f

SHA512
2eb4b34f0d67dc6472d1edc3eefd8afaeb731522c1a2204a06a65552635fa5ba66d99ec96eb95942c5710e8da4cb0cdd641f13d4fd2fa1da8ce0d815add7546b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1076.tmp.exe
Filesize
78KB

MD5
2a93336470152c41cb5f3857ea876716

SHA1
445366abbefcced41335e3934fac5c4e1f54d6e2

SHA256
c37e2fb07b02bbc853541034f7e0a4991854eca65e6c812df4c357fcc7368055

SHA512
1057cc4f8f1965a1bf64e67b97323601373ee06f46adfd5f41625b3344383e9652d703e12da579b71785209909e9b2e0fca090945d1e9178bac48e45369158c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1076.tmp.exe
Filesize
78KB

MD5
2a93336470152c41cb5f3857ea876716

SHA1
445366abbefcced41335e3934fac5c4e1f54d6e2

SHA256
c37e2fb07b02bbc853541034f7e0a4991854eca65e6c812df4c357fcc7368055

SHA512
1057cc4f8f1965a1bf64e67b97323601373ee06f46adfd5f41625b3344383e9652d703e12da579b71785209909e9b2e0fca090945d1e9178bac48e45369158c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1343.tmp
Filesize
660B

MD5
feb2b91cc65e9896b276de34d198075d

SHA1
db846fc1a81b6e9d7c39c35ae3b73d52e1d6e776

SHA256
38aa0f673792d65ce082e4857790e6be6f1de9bb75e832d3bbbbef24d7d9c746

SHA512
09bda76384313cdd7948ba72c7663ba752430ce17a404135eaaf8e1646e1849a7416a45abd23a3e6944b991c4bea7b6a3b5be30f887b4a89e342f36f7dff03f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1076.tmp.exe
Filesize
78KB

MD5
2a93336470152c41cb5f3857ea876716

SHA1
445366abbefcced41335e3934fac5c4e1f54d6e2

SHA256
c37e2fb07b02bbc853541034f7e0a4991854eca65e6c812df4c357fcc7368055

SHA512
1057cc4f8f1965a1bf64e67b97323601373ee06f46adfd5f41625b3344383e9652d703e12da579b71785209909e9b2e0fca090945d1e9178bac48e45369158c0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1076.tmp.exe
Filesize
78KB

MD5
2a93336470152c41cb5f3857ea876716

SHA1
445366abbefcced41335e3934fac5c4e1f54d6e2

SHA256
c37e2fb07b02bbc853541034f7e0a4991854eca65e6c812df4c357fcc7368055

SHA512
1057cc4f8f1965a1bf64e67b97323601373ee06f46adfd5f41625b3344383e9652d703e12da579b71785209909e9b2e0fca090945d1e9178bac48e45369158c0

Download Submit
memory/108-66-0x0000000000000000-mapping.dmp

Download
memory/108-69-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/108-70-0x00000000002A5000-0x00000000002B6000-memory.dmp

Filesize
68KB

Download
memory/972-55-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/972-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1728-56-0x0000000000000000-mapping.dmp

Download
memory/2028-60-0x0000000000000000-mapping.dmp

Download