ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905

General

Target

ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
Size

1018KB
MD5

6ac52086b2353d329f2c6b96dfc4b2bd
SHA1

c9ab0a3a4c3439d15ad30a6ea0ad738296853b24
SHA256

ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905
SHA512

c86f4ce9c915419fe4f43af577ac930413665e4ae9df7453047abe445a08f3910a2e7929d580ba57ecf694302e4f08949ca24278e5f463cc947f32036979f6ff

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

660 Decoder.exe
138024 systems32.exe

pid	process
660	Decoder.exe
138024	systems32.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\ProgramData\Decoder.exe	vmprotect
C:\ProgramData\Decoder.exe	vmprotect
behavioral1/memory/660-60-0x0000000000260000-0x0000000000292000-memory.dmp	vmprotect
C:\systems32_bit\systems32.exe	vmprotect
C:\systems32_bit\systems32.exe	vmprotect
behavioral1/memory/138024-72-0x0000000000C20000-0x0000000000C52000-memory.dmp	vmprotect

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

688 schtasks.exe
138116 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1324 timeout.exe
1584 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

660 Decoder.exe
138024 systems32.exe

flow	ioc
3	api.ipify.org
4	api.ipify.org

pid	process
688	schtasks.exe
138116	schtasks.exe

pid	process
1324	timeout.exe
1584	timeout.exe

pid	process
660	Decoder.exe
138024	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exeDecoder.exesystems32.exe

description	pid	process
Token: SeDebugPrivilege	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
Token: SeDebugPrivilege	660	Decoder.exe
Token: SeDebugPrivilege	138024	systems32.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.execmd.execmd.exeDecoder.exetaskeng.exesystems32.exe

description	pid	process	target process
PID 1824 wrote to memory of 660	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	Decoder.exe
PID 1824 wrote to memory of 660	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	Decoder.exe
PID 1824 wrote to memory of 660	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	Decoder.exe
PID 1824 wrote to memory of 1708	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	cmd.exe
PID 1824 wrote to memory of 1708	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	cmd.exe
PID 1824 wrote to memory of 1708	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	cmd.exe
PID 1824 wrote to memory of 1032	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	cmd.exe
PID 1824 wrote to memory of 1032	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	cmd.exe
PID 1824 wrote to memory of 1032	1824	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	cmd.exe
PID 1708 wrote to memory of 1324	1708	cmd.exe	timeout.exe
PID 1708 wrote to memory of 1324	1708	cmd.exe	timeout.exe
PID 1708 wrote to memory of 1324	1708	cmd.exe	timeout.exe
PID 1032 wrote to memory of 1584	1032	cmd.exe	timeout.exe
PID 1032 wrote to memory of 1584	1032	cmd.exe	timeout.exe
PID 1032 wrote to memory of 1584	1032	cmd.exe	timeout.exe
PID 660 wrote to memory of 688	660	Decoder.exe	schtasks.exe
PID 660 wrote to memory of 688	660	Decoder.exe	schtasks.exe
PID 660 wrote to memory of 688	660	Decoder.exe	schtasks.exe
PID 137100 wrote to memory of 138024	137100	taskeng.exe	systems32.exe
PID 137100 wrote to memory of 138024	137100	taskeng.exe	systems32.exe
PID 137100 wrote to memory of 138024	137100	taskeng.exe	systems32.exe
PID 138024 wrote to memory of 138116	138024	systems32.exe	schtasks.exe
PID 138024 wrote to memory of 138116	138024	systems32.exe	schtasks.exe
PID 138024 wrote to memory of 138116	138024	systems32.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
"C:\Users\Admin\AppData\Local\Temp\ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:688

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F00.tmp.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\system32\taskeng.exe
taskeng.exe {3A18831A-F1DD-4787-916B-63D2FFFBE502} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:137100

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:138024

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:138116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
C:\ProgramData\Decoder.exe
Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
Filesize
28B

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F00.tmp.cmd
Filesize
131B

MD5
0a15623b4a5b3ba1331220c1d1c465be

SHA1
d15a252f01d701bb6665d10265f646fb04193908

SHA256
49903886e7b7420ddda3aa394df07711918c92971867f6dd83d0b758360f50e6

SHA512
c76d9551f7e1d2704df1a8e73fa5132bed31d22e4a26fd9a7145a6379a78594574934666201e65f68f039fe5f070a0e7afdaadba7c6e955cf10470f990986934

Download Submit
C:\systems32_bit\systems32.exe
Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
C:\systems32_bit\systems32.exe
Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
memory/660-57-0x0000000000000000-mapping.dmp

Download
memory/660-60-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/688-68-0x0000000000000000-mapping.dmp

Download
memory/1032-62-0x0000000000000000-mapping.dmp

Download
memory/1324-65-0x0000000000000000-mapping.dmp

Download
memory/1584-66-0x0000000000000000-mapping.dmp

Download
memory/1708-61-0x0000000000000000-mapping.dmp

Download
memory/1824-54-0x0000000000E10000-0x0000000000F14000-memory.dmp

Filesize
1.0MB

Download
memory/1824-56-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download
memory/1824-55-0x0000000000DA0000-0x0000000000E16000-memory.dmp

Filesize
472KB

Download
memory/138024-69-0x0000000000000000-mapping.dmp

Download
memory/138024-72-0x0000000000C20000-0x0000000000C52000-memory.dmp

Filesize
200KB

Download
memory/138116-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads