348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806

Analysis

max time kernel
155s
max time network
196s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-05-2022 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
Size

78KB
MD5

0d9c2592b4c26d0442c9bd807979f66e
SHA1

af6180101e58fb4489c54fe8f78840a41e0e86fd
SHA256

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806
SHA512

5000a9a5a30f4ff638b153ebff11c3143c6b2de35b368f4e17f4c76088906980fa1293b70aa58eb604597375b23720d2644ad26f5042f35fd9573f349ad097ec

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp262.tmp.exe

pid process

1532 tmp262.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp262.tmp.exe

pid process

1532 tmp262.tmp.exe

pid	process
1532	tmp262.tmp.exe

pid	process
1532	tmp262.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe

pid	process
1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp262.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp262.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exetmp262.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
Token: SeDebugPrivilege	1532	tmp262.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exevbc.exe

description	pid	process	target process
PID 1740 wrote to memory of 1580	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	vbc.exe
PID 1740 wrote to memory of 1580	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	vbc.exe
PID 1740 wrote to memory of 1580	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	vbc.exe
PID 1740 wrote to memory of 1580	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	vbc.exe
PID 1580 wrote to memory of 1660	1580	vbc.exe	cvtres.exe
PID 1580 wrote to memory of 1660	1580	vbc.exe	cvtres.exe
PID 1580 wrote to memory of 1660	1580	vbc.exe	cvtres.exe
PID 1580 wrote to memory of 1660	1580	vbc.exe	cvtres.exe
PID 1740 wrote to memory of 1532	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	tmp262.tmp.exe
PID 1740 wrote to memory of 1532	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	tmp262.tmp.exe
PID 1740 wrote to memory of 1532	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	tmp262.tmp.exe
PID 1740 wrote to memory of 1532	1740	348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe	tmp262.tmp.exe

C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
"C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b_uvhaoe.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39A.tmp"
3⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\tmp262.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp262.tmp.exe" C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES39B.tmp
Filesize
1KB

MD5
aad33969e3f7b425c4ecb2bf9285cee5

SHA1
dd5ab406838e2c8bb3f9632bd10d0d5497a5ecb2

SHA256
5023922a80842865fa5f34cf16ee0ef353742bda1b3eb29300fd046fd77a14d7

SHA512
49ef21c688568a90f4f05f8fdeb21df76d23f789101737cce0a424370f47607b48aa3ab019b15ddce995f5920f634b05e6c51349170d41dd90e352e066c4bbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\b_uvhaoe.0.vb
Filesize
14KB

MD5
58252e2b0bc4b86c4e923ea204c93cb5

SHA1
bee066bcace7ad5933a4705298cfecab4405d024

SHA256
be5da2ed4f158c3c9af5a197dbe11d625078e290522b39e30e9bb390cef3b841

SHA512
7f3901138f2ddb951a45906ef55654091a9076bcf380fa002d97f887d7652cd82c56f78ea88c26fbc987af9487422042e971fe8ecbbabff0fb89168c59295833

Download Submit
C:\Users\Admin\AppData\Local\Temp\b_uvhaoe.cmdline
Filesize
265B

MD5
a51274aa3ab0b7852cac7a3b0ceb3945

SHA1
95f837e262bbad676b9fd7758ea25718a22ede7b

SHA256
c966a75dac29ce973291252a9d2fdfe4c9c7cd40721f94992db330d4f9fbfb48

SHA512
b7165b7340bc4805a293f99b58dbb92dfb746626dd11945457b834d8fc18465fc7accd21180f2f8dadce0a9e24f62e80f1cf2e034acf935b0230278ffe7e768a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp262.tmp.exe
Filesize
78KB

MD5
c5103eee9e66502a32e0e8fbe43822fb

SHA1
5ff61fb7f1538014ea727805275e22d750fef2d4

SHA256
64e59022d802e516021ddfc23ed5124964950ccd76234c01c9d8b84408ef0118

SHA512
58047e828a7ae50b0ba8a480fbd53292f3d4ddf22c3b7176dcdc33dffd6e371e11f281038612ee52cb47d72fc40ba6152778327bfad6f03d5cb1fd9a6e7fc7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp262.tmp.exe
Filesize
78KB

MD5
c5103eee9e66502a32e0e8fbe43822fb

SHA1
5ff61fb7f1538014ea727805275e22d750fef2d4

SHA256
64e59022d802e516021ddfc23ed5124964950ccd76234c01c9d8b84408ef0118

SHA512
58047e828a7ae50b0ba8a480fbd53292f3d4ddf22c3b7176dcdc33dffd6e371e11f281038612ee52cb47d72fc40ba6152778327bfad6f03d5cb1fd9a6e7fc7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc39A.tmp
Filesize
660B

MD5
8e18e64d449153ef3114c52878647f3f

SHA1
fa98e9181f27246dd913c5c215a6495bca0e2d77

SHA256
77b72ce1ba1c544018a52c800bc4e890c939dc576d46481eb426696e9fa5bc7c

SHA512
2664cf5467e48238cfc72227ec731dea061d63a70c94c1d33ba8fb9484900610131cfef0d4c3cb4890abf57713dcbe5f28ee2c073897133d4fc440b7445aedc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp262.tmp.exe
Filesize
78KB

MD5
c5103eee9e66502a32e0e8fbe43822fb

SHA1
5ff61fb7f1538014ea727805275e22d750fef2d4

SHA256
64e59022d802e516021ddfc23ed5124964950ccd76234c01c9d8b84408ef0118

SHA512
58047e828a7ae50b0ba8a480fbd53292f3d4ddf22c3b7176dcdc33dffd6e371e11f281038612ee52cb47d72fc40ba6152778327bfad6f03d5cb1fd9a6e7fc7b1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp262.tmp.exe
Filesize
78KB

MD5
c5103eee9e66502a32e0e8fbe43822fb

SHA1
5ff61fb7f1538014ea727805275e22d750fef2d4

SHA256
64e59022d802e516021ddfc23ed5124964950ccd76234c01c9d8b84408ef0118

SHA512
58047e828a7ae50b0ba8a480fbd53292f3d4ddf22c3b7176dcdc33dffd6e371e11f281038612ee52cb47d72fc40ba6152778327bfad6f03d5cb1fd9a6e7fc7b1

Download Submit
memory/1532-66-0x0000000000000000-mapping.dmp

Download
memory/1532-69-0x0000000074A70000-0x000000007501B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-70-0x0000000000A95000-0x0000000000AA6000-memory.dmp

Filesize
68KB

Download
memory/1580-55-0x0000000000000000-mapping.dmp

Download
memory/1660-59-0x0000000000000000-mapping.dmp

Download
memory/1740-63-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download