7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409

General

Target

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
Size

78KB
MD5

1297acfc90c669e3c9da7431e54215e5
SHA1

7a421d63c3b8de639d97d77f20034d218f7068ff
SHA256

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409
SHA512

7ec6a5044b147e14cc34d7c02262cbd343f4b8eefa77e9a4a37be3d499e2121001f2793ae608fade69947cc7ed3b47f5369462b98a7b79614268e260e3a11fd5

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp26D1.tmp.exe

pid process

4436 tmp26D1.tmp.exe

pid	process
4436	tmp26D1.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp26D1.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp26D1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exetmp26D1.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3052	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
Token: SeDebugPrivilege	4436	tmp26D1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exevbc.exe

description	pid	process	target process
PID 3052 wrote to memory of 4916	3052	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	vbc.exe
PID 3052 wrote to memory of 4916	3052	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	vbc.exe
PID 3052 wrote to memory of 4916	3052	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	vbc.exe
PID 4916 wrote to memory of 4792	4916	vbc.exe	cvtres.exe
PID 4916 wrote to memory of 4792	4916	vbc.exe	cvtres.exe
PID 4916 wrote to memory of 4792	4916	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 4436	3052	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	tmp26D1.tmp.exe
PID 3052 wrote to memory of 4436	3052	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	tmp26D1.tmp.exe
PID 3052 wrote to memory of 4436	3052	7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe	tmp26D1.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
"C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krgg--dm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2848.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4099F67BA25F4288B2987A644692FC5B.TMP"
3⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\tmp26D1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp26D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7efa7608414a5018d4ba2d970273bd445c6c80cf04b14a9177168ed6afdea409.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2848.tmp
Filesize
1KB

MD5
c8a626ab7b3c92a0b69ed43b1726db37

SHA1
ea89e1f8966eaa8f6c3d97b3046c6b0d9832d0a6

SHA256
e2ffd04c9afd6ba64ef00659e7486a78a1de0c09fe0b1774835297f01bc0c9f3

SHA512
460e7fe3ac00374e3be7d62fb6f6db95e646f308bea5ea998369e2412fbe6bcfa6cd17ca44957092d19ff377697e5c7a00697b73cf248b887e5527a7c57cf9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\krgg--dm.0.vb
Filesize
15KB

MD5
6217ab542cb6f4182077901636c73144

SHA1
92378cef6473909812fba5c10f2b996594339708

SHA256
a4971373d031a8df07f20cc2969da9dfff839151336d48902406f502ad3fc41a

SHA512
6f048c9da6bf3d4f0a91db299d1fd38d866b991e8337f4aba9d5fde348d39c2a66f9b5e33433e70ab062f4a6168ea8ee6cfeb1ddbc714e8ef14edc74886fac93

Download Submit
C:\Users\Admin\AppData\Local\Temp\krgg--dm.cmdline
Filesize
266B

MD5
60ec01603681d64f26ea43442d063e73

SHA1
0d545f88313550e22520512b96a87e31a2a98001

SHA256
d64c3b98200e8548dbf164a8d4e80bc8fa2d2854aa7a3066567025f82ba35d41

SHA512
80a84b2c1c25e49c65b27abb8d2728d6fc151deab81fa330f9a832ed4f06a550ec7be645aa72ba9008e48df43089d594f1aed870b331f5bfb4390a923ca72fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26D1.tmp.exe
Filesize
78KB

MD5
c21583773cf609cb6af65a9efa6f6643

SHA1
932f691e3bc8c5df35033f5c8fcc2f798e9a4135

SHA256
40155e7d7c8b6eac83f268f9bbbfcd57ae6a5d02d4246849218aa3e02b8d3c4f

SHA512
edeb9de99bbf47dd090aac4e002de73ee2e221ae568c958daa041e00a5b42fdd8527be7f3e8e25d9ef7c3650fb7e259fdf8bcb2a74603ca091d0227064105268

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26D1.tmp.exe
Filesize
78KB

MD5
c21583773cf609cb6af65a9efa6f6643

SHA1
932f691e3bc8c5df35033f5c8fcc2f798e9a4135

SHA256
40155e7d7c8b6eac83f268f9bbbfcd57ae6a5d02d4246849218aa3e02b8d3c4f

SHA512
edeb9de99bbf47dd090aac4e002de73ee2e221ae568c958daa041e00a5b42fdd8527be7f3e8e25d9ef7c3650fb7e259fdf8bcb2a74603ca091d0227064105268

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4099F67BA25F4288B2987A644692FC5B.TMP
Filesize
660B

MD5
581af6022b7a7f36c8c3918f22768c2d

SHA1
c4fae89c1d91b156c3efe60ca0ed7f1df616696d

SHA256
2f85750c3aeb8f61fa4bd83a56ff88e3a7fa8dff4a480f2940678658caf6ccbb

SHA512
22c0462f5478c37f79769ab59aa4db63f35bb5995dcd3d6ad9e9c98fd1bef79d981fff4afae29669451dc72c41f37dcbc1f4048a20599aaa177e23f7d48997e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3052-130-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/4436-139-0x0000000000000000-mapping.dmp

Download
memory/4436-141-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/4792-135-0x0000000000000000-mapping.dmp

Download
memory/4916-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads