085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406

General

Target

085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe
Size

1.0MB
MD5

630f1f1db8de6ebd3194537bcba93320
SHA1

e8d63e33bc211c4be7805401812b041c2b229ff7
SHA256

085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406
SHA512

c66e3404db29d5bbeab8b14b4428f83cf3472223f7ffafe165a3d4c2a8d0aa5d40c1127fd4ab4936b43ccff9d0298d0e82b8b01eda59ca5b2da238bdccc1e249

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1316	VGAuthService.exe

Loads dropped DLL 1 IoCs

pid	Process
1120	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe\:Zone.Identifier:$DATA	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1732	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	27
PID 1972 wrote to memory of 1732	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	27
PID 1972 wrote to memory of 1732	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	27
PID 1972 wrote to memory of 1732	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	27
PID 1972 wrote to memory of 896	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	29
PID 1972 wrote to memory of 896	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	29
PID 1972 wrote to memory of 896	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	29
PID 1972 wrote to memory of 896	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	29
PID 1972 wrote to memory of 1120	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	31
PID 1972 wrote to memory of 1120	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	31
PID 1972 wrote to memory of 1120	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	31
PID 1972 wrote to memory of 1120	1972	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	31
PID 1120 wrote to memory of 1316	1120	cmd.exe	33
PID 1120 wrote to memory of 1316	1120	cmd.exe	33
PID 1120 wrote to memory of 1316	1120	cmd.exe	33
PID 1120 wrote to memory of 1316	1120	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe
"C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe"
  2⤵
  - NTFS ADS
  PID:896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe"
    3⤵
    - Executes dropped EXE
    PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe

Filesize
1.0MB

MD5
630f1f1db8de6ebd3194537bcba93320

SHA1
e8d63e33bc211c4be7805401812b041c2b229ff7

SHA256
085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406

SHA512
c66e3404db29d5bbeab8b14b4428f83cf3472223f7ffafe165a3d4c2a8d0aa5d40c1127fd4ab4936b43ccff9d0298d0e82b8b01eda59ca5b2da238bdccc1e249

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe

Filesize
1.0MB

MD5
630f1f1db8de6ebd3194537bcba93320

SHA1
e8d63e33bc211c4be7805401812b041c2b229ff7

SHA256
085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406

SHA512
c66e3404db29d5bbeab8b14b4428f83cf3472223f7ffafe165a3d4c2a8d0aa5d40c1127fd4ab4936b43ccff9d0298d0e82b8b01eda59ca5b2da238bdccc1e249

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe

Filesize
1.0MB

MD5
630f1f1db8de6ebd3194537bcba93320

SHA1
e8d63e33bc211c4be7805401812b041c2b229ff7

SHA256
085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406

SHA512
c66e3404db29d5bbeab8b14b4428f83cf3472223f7ffafe165a3d4c2a8d0aa5d40c1127fd4ab4936b43ccff9d0298d0e82b8b01eda59ca5b2da238bdccc1e249

Download Submit
memory/1316-87-0x00000000748D0000-0x0000000074915000-memory.dmp

Filesize
276KB

Download
memory/1316-86-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/1316-85-0x00000000748D0000-0x0000000074915000-memory.dmp

Filesize
276KB

Download
memory/1316-84-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/1316-79-0x00000000002B0000-0x00000000003BA000-memory.dmp

Filesize
1.0MB

Download
memory/1972-62-0x0000000074600000-0x0000000074723000-memory.dmp

Filesize
1.1MB

Download
memory/1972-61-0x0000000074730000-0x00000000748C4000-memory.dmp

Filesize
1.6MB

Download
memory/1972-68-0x00000000742A0000-0x00000000745BB000-memory.dmp

Filesize
3.1MB

Download
memory/1972-69-0x000000006FC90000-0x00000000709AD000-memory.dmp

Filesize
13.1MB

Download
memory/1972-70-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/1972-71-0x0000000074730000-0x00000000748C4000-memory.dmp

Filesize
1.6MB

Download
memory/1972-72-0x00000000718B0000-0x0000000072090000-memory.dmp

Filesize
7.9MB

Download
memory/1972-66-0x0000000070B50000-0x00000000718A6000-memory.dmp

Filesize
13.3MB

Download
memory/1972-64-0x00000000718B0000-0x0000000072090000-memory.dmp

Filesize
7.9MB

Download
memory/1972-63-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1972-54-0x00000000001E0000-0x00000000002EA000-memory.dmp

Filesize
1.0MB

Download
memory/1972-67-0x00000000745C0000-0x00000000745FB000-memory.dmp

Filesize
236KB

Download
memory/1972-60-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/1972-59-0x0000000000370000-0x0000000000392000-memory.dmp

Filesize
136KB

Download
memory/1972-80-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/1972-81-0x00000000748D0000-0x0000000074915000-memory.dmp

Filesize
276KB

Download
memory/1972-82-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/1972-58-0x00000000748D0000-0x0000000074915000-memory.dmp

Filesize
276KB

Download
memory/1972-83-0x0000000074730000-0x00000000748C4000-memory.dmp

Filesize
1.6MB

Download
memory/1972-57-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/1972-56-0x00000000748D0000-0x0000000074915000-memory.dmp

Filesize
276KB

Download
memory/1972-55-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download

Analysis

Sharing