45f3b07fe66f65cac16b6765e83dbb1fa8a8370ccd18289a475a12d1997a023b

Analysis

max time kernel
49s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dota2mode.exe
Size

3.4MB
MD5

888d36190614310fbfc16548f3568e84
SHA1

238d4bc0cdc004c1c2be109058375e85f6342fc8
SHA256

d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92
SHA512

23852fddcbdc526bfeebd7fad33715553e155c3d16a9ae67b314da0f4678ae5fe761c6fa9894be3fe43b84666db29e08f7d77cdce5b27944e33cab3f53ab39f9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Rar.exemonvuibk.exeRar.exe

pid process

932 Rar.exe
824 monvuibk.exe
1520 Rar.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exemonvuibk.execmd.exe

pid process

104 cmd.exe
104 cmd.exe
104 cmd.exe
824 monvuibk.exe
1736 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1352 timeout.exe
364 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1632 taskkill.exe
1300 taskkill.exe
1760 taskkill.exe

pid	process
932	Rar.exe
824	monvuibk.exe
1520	Rar.exe

pid	process
104	cmd.exe
104	cmd.exe
104	cmd.exe
824	monvuibk.exe
1736	cmd.exe

pid	process
1352	timeout.exe
364	timeout.exe

pid	process
1632	taskkill.exe
1300	taskkill.exe
1760	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

monvuibk.exe

pid	process
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe
824	monvuibk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1632 taskkill.exe
Token: SeDebugPrivilege 1300 taskkill.exe
Token: SeDebugPrivilege 1760 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dota2mode.exeWScript.execmd.exe

description	pid	process	target process
PID 904 wrote to memory of 608	904	Dota2mode.exe	WScript.exe
PID 904 wrote to memory of 608	904	Dota2mode.exe	WScript.exe
PID 904 wrote to memory of 608	904	Dota2mode.exe	WScript.exe
PID 904 wrote to memory of 608	904	Dota2mode.exe	WScript.exe
PID 904 wrote to memory of 608	904	Dota2mode.exe	WScript.exe
PID 904 wrote to memory of 608	904	Dota2mode.exe	WScript.exe
PID 904 wrote to memory of 608	904	Dota2mode.exe	WScript.exe
PID 608 wrote to memory of 104	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 104	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 104	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 104	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 104	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 104	608	WScript.exe	cmd.exe
PID 608 wrote to memory of 104	608	WScript.exe	cmd.exe
PID 104 wrote to memory of 1632	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1632	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1632	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1632	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1632	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1632	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1632	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1300	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1300	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1300	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1300	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1300	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1300	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1300	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1352	104	cmd.exe	timeout.exe
PID 104 wrote to memory of 1352	104	cmd.exe	timeout.exe
PID 104 wrote to memory of 1352	104	cmd.exe	timeout.exe
PID 104 wrote to memory of 1352	104	cmd.exe	timeout.exe
PID 104 wrote to memory of 1352	104	cmd.exe	timeout.exe
PID 104 wrote to memory of 1352	104	cmd.exe	timeout.exe
PID 104 wrote to memory of 1352	104	cmd.exe	timeout.exe
PID 104 wrote to memory of 1664	104	cmd.exe	chcp.com
PID 104 wrote to memory of 1664	104	cmd.exe	chcp.com
PID 104 wrote to memory of 1664	104	cmd.exe	chcp.com
PID 104 wrote to memory of 1664	104	cmd.exe	chcp.com
PID 104 wrote to memory of 1664	104	cmd.exe	chcp.com
PID 104 wrote to memory of 1664	104	cmd.exe	chcp.com
PID 104 wrote to memory of 1664	104	cmd.exe	chcp.com
PID 104 wrote to memory of 932	104	cmd.exe	Rar.exe
PID 104 wrote to memory of 932	104	cmd.exe	Rar.exe
PID 104 wrote to memory of 932	104	cmd.exe	Rar.exe
PID 104 wrote to memory of 932	104	cmd.exe	Rar.exe
PID 104 wrote to memory of 932	104	cmd.exe	Rar.exe
PID 104 wrote to memory of 932	104	cmd.exe	Rar.exe
PID 104 wrote to memory of 932	104	cmd.exe	Rar.exe
PID 104 wrote to memory of 1760	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1760	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1760	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1760	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1760	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1760	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 1760	104	cmd.exe	taskkill.exe
PID 104 wrote to memory of 824	104	cmd.exe	monvuibk.exe
PID 104 wrote to memory of 824	104	cmd.exe	monvuibk.exe
PID 104 wrote to memory of 824	104	cmd.exe	monvuibk.exe
PID 104 wrote to memory of 824	104	cmd.exe	monvuibk.exe
PID 104 wrote to memory of 824	104	cmd.exe	monvuibk.exe
PID 104 wrote to memory of 824	104	cmd.exe	monvuibk.exe
PID 104 wrote to memory of 824	104	cmd.exe	monvuibk.exe
PID 104 wrote to memory of 364	104	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Dota2mode.exe
"C:\Users\Admin\AppData\Local\Temp\Dota2mode.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\sunshiqn\run.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\sunshiqn\pause.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rar.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rar.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1352

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1664

C:\sunshiqn\Rar.exe
"Rar.exe" e -p555 privat.rar
4⤵
- Executes dropped EXE
PID:932

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rar.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\sunshiqn\monvuibk.exe
monvuibk.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\xnojklgq\omen.bat" "
5⤵
- Loads dropped DLL
PID:1736

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:1488

C:\xnojklgq\Rar.exe
"Rar.exe" c -zinfo.txt "plus.exe"
6⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\sunshiqn\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\sunshiqn\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
C:\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
C:\sunshiqn\pause.bat
Filesize
325B

MD5
fb085f47185862061fa2adb5acc58171

SHA1
5f91cf2e8bc109e20dbe97ab91d0b047a727e93b

SHA256
fec96179e59437ede713340e5686b681c107a0363e79c5c24045887f5e7d3e1b

SHA512
a2ac14d7e67fa5d13312141b76fbc11cd373dfb1499b7d575c80e4409334a4bb28523d31044003fd907e5e52ac5e5cc45377551b1d3b704b94b2de7de892e76e

Download Submit
C:\sunshiqn\privat.rar
Filesize
3.0MB

MD5
bcd1d52c65ff0c640681ef7f4b4dd701

SHA1
b3a364dda02cd50ebb7990b2bfee1779a001bd95

SHA256
c54c442cfc5b905a337c740e1008ada67158e22c1b780d39e0e7c5e90ab82750

SHA512
bd9f2033a337acfed85e500588814530f81ef299a241998ae20d4518b01d9094e7ec65f7da2bfbc6328b9a89fd90cdc9233e575274efd4db04269baf035526b8

Download Submit
C:\sunshiqn\run.vbs
Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
C:\xnojklgq\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\xnojklgq\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\xnojklgq\info.txt
Filesize
142B

MD5
88cebd7e2150d2c3b0c6bff92766cebe

SHA1
a2f955ec6dca14621fa7242b3c7cec77fa349f21

SHA256
5ff39948360d11a40eb8fdcfdd0e31da86bb4018fad97745f570f9bebd159d38

SHA512
e0d2690e5ccaaad279ebb73c2ffc7ee3ca6fe0cbf3af3974df1124eb71fd00906a71819675a258a65411130cf0778ae7f5554d0b1b9be2a4dfd4c486a74597be

Download Submit
C:\xnojklgq\omen.bat
Filesize
78B

MD5
a15b61671e902fe28fb1bf7e459a7bdd

SHA1
694d542af6834fa4cbc81cc3b3a8a99d61378f5e

SHA256
d763ef51ee4520819f8021ebb138578ba3261aa8db5fcec7c69382cca95ff75f

SHA512
653ec95af8f6f73538b0cb8d0fe903267e56b1f1a7d810bff1f4dd5adf675ae2f5a55260b0bc41295b60052fe056b1acfa00c2a07121dd387eb7719997fa15f6

Download Submit
C:\xnojklgq\plus.exe
Filesize
253KB

MD5
ca106b2dd914c5f5b7c0b30e503e35d9

SHA1
0c072402d244612f45f9901a3a22726226a64e29

SHA256
b300747328bd15f160c5bc063e80a961ebf56f3efe2c14da0c51dcbb38b0a55b

SHA512
ee4afcfe7763c66d8a9f2eafa0bd889b0aa86ebaad18d817f23dc6240a214425837dc593dbed971a07a51455ca6911a5f777912687a56e0d8446db0a31664c0a

Download Submit
\sunshiqn\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
\xnojklgq\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
memory/104-59-0x0000000000000000-mapping.dmp

Download
memory/364-83-0x0000000000000000-mapping.dmp

Download
memory/608-55-0x0000000000000000-mapping.dmp

Download
memory/824-80-0x0000000000000000-mapping.dmp

Download
memory/904-54-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download
memory/932-71-0x0000000000000000-mapping.dmp

Download
memory/1300-63-0x0000000000000000-mapping.dmp

Download
memory/1352-65-0x0000000000000000-mapping.dmp

Download
memory/1488-89-0x0000000000000000-mapping.dmp

Download
memory/1520-93-0x0000000000000000-mapping.dmp

Download
memory/1632-61-0x0000000000000000-mapping.dmp

Download
memory/1664-67-0x0000000000000000-mapping.dmp

Download
memory/1736-86-0x0000000000000000-mapping.dmp

Download
memory/1760-75-0x0000000000000000-mapping.dmp

Download