Analysis
- max time kernel: 188s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-05-2022 11:58
Static task: static1
Behavioral task: behavioral1
- Sample: 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
- Resource: win10v2004-20220414-en
General
- Target: 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
- Size: 78KB
- MD5: 1297acfc90c669e3c9da7431e54215e5
- SHA1: 7a421d63c3b8de639d97d77f20034d218f7068ff
- SHA256: 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409
- SHA512: 7ec6a5044b147e14cc34d7c02262cbd343f4b8eefa77e9a4a37be3d499e2121001f2793ae608fade69947cc7ed3b47f5369462b98a7b79614268e260e3a11fd5
Malware Config
Signatures
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoCs)
  Processes:
  | pid  | process          |
  | 4436 | tmp26D1.tmp.exe  |
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  | description       | ioc                                                                                                | process                                                               |
  | Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe |
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  | description     | ioc                                                                                                                                                                              | process         |
  | Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmp26D1.tmp.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  | description              | pid  | process                                                               |
  | Token: SeDebugPrivilege  | 3052 | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe |
  | Token: SeDebugPrivilege  | 4436 | tmp26D1.tmp.exe                                                       |
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  | description                      | pid  | process                                                               | target process   |
  | PID 3052 wrote to memory of 4916 | 3052 | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe | vbc.exe          |
  | PID 3052 wrote to memory of 4916 | 3052 | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe | vbc.exe          |
  | PID 3052 wrote to memory of 4916 | 3052 | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe | vbc.exe          |
  | PID 4916 wrote to memory of 4792 | 4916 | vbc.exe                                                               | cvtres.exe       |
  | PID 4916 wrote to memory of 4792 | 4916 | vbc.exe                                                               | cvtres.exe       |
  | PID 4916 wrote to memory of 4792 | 4916 | vbc.exe                                                               | cvtres.exe       |
  | PID 3052 wrote to memory of 4436 | 3052 | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe | tmp26D1.tmp.exe  |
  | PID 3052 wrote to memory of 4436 | 3052 | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe | tmp26D1.tmp.exe  |
  | PID 3052 wrote to memory of 4436 | 3052 | 7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe | tmp26D1.tmp.exe  |
Processes
- C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe (PID 3052, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4916, level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krgg--dm.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4792, level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2848.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4099F67BA25F4288B2987A644692FC5B.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp26D1.tmp.exe (PID 4436, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp26D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES2848.tmp
  Filesize: 1KB
  MD5: c8a626ab7b3c92a0b69ed43b1726db37
  SHA1: ea89e1f8966eaa8f6c3d97b3046c6b0d9832d0a6
  SHA256: e2ffd04c9afd6ba64ef00659e7486a78a1de0c09fe0b1774835297f01bc0c9f3
  SHA512: 460e7fe3ac00374e3be7d62fb6f6db95e646f308bea5ea998369e2412fbe6bcfa6cd17ca44957092d19ff377697e5c7a00697b73cf248b887e5527a7c57cf9ff
- C:\Users\Admin\AppData\Local\Temp\krgg--dm.0.vb
  Filesize: 15KB
  MD5: 6217ab542cb6f4182077901636c73144
  SHA1: 92378cef6473909812fba5c10f2b996594339708
  SHA256: a4971373d031a8df07f20cc2969da9dfff839151336d48902406f502ad3fc41a
  SHA512: 6f048c9da6bf3d4f0a91db299d1fd38d866b991e8337f4aba9d5fde348d39c2a66f9b5e33433e70ab062f4a6168ea8ee6cfeb1ddbc714e8ef14edc74886fac93
- C:\Users\Admin\AppData\Local\Temp\krgg--dm.cmdline
  Filesize: 266B
  MD5: 60ec01603681d64f26ea43442d063e73
  SHA1: 0d545f88313550e22520512b96a87e31a2a98001
  SHA256: d64c3b98200e8548dbf164a8d4e80bc8fa2d2854aa7a3066567025f82ba35d41
  SHA512: 80a84b2c1c25e49c65b27abb8d2728d6fc151deab81fa330f9a832ed4f06a550ec7be645aa72ba9008e48df43089d594f1aed870b331f5bfb4390a923ca72fb0
- C:\Users\Admin\AppData\Local\Temp\tmp26D1.tmp.exe
  Filesize: 78KB
  MD5: c21583773cf609cb6af65a9efa6f6643
  SHA1: 932f691e3bc8c5df35033f5c8fcc2f798e9a4135
  SHA256: 40155e7d7c8b6eac83f268f9bbbfcd57ae6a5d02d4246849218aa3e02b8d3c4f
  SHA512: edeb9de99bbf47dd090aac4e002de73ee2e221ae568c958daa041e00a5b42fdd8527be7f3e8e25d9ef7c3650fb7e259fdf8bcb2a74603ca091d0227064105268
- C:\Users\Admin\AppData\Local\Temp\vbc4099F67BA25F4288B2987A644692FC5B.TMP
  Filesize: 660B
  MD5: 581af6022b7a7f36c8c3918f22768c2d
  SHA1: c4fae89c1d91b156c3efe60ca0ed7f1df616696d
  SHA256: 2f85750c3aeb8f61fa4bd83a56ff88e3a7fa8dff4a480f2940678658caf6ccbb
  SHA512: 22c0462f5478c37f79769ab59aa4db63f35bb5995dcd3d6ad9e9c98fd1bef79d981fff4afae29669451dc72c41f37dcbc1f4048a20599aaa177e23f7d48997e1
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
- memory/3052-130-0x00000000746A0000-0x0000000074C51000-memory.dmp (Filesize: 5.7MB)
- memory/4436-139-0x0000000000000000-mapping.dmp
- memory/4436-141-0x00000000746A0000-0x0000000074C51000-memory.dmp (Filesize: 5.7MB)
- memory/4792-135-0x0000000000000000-mapping.dmp
- memory/4916-131-0x0000000000000000-mapping.dmp