6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5

Analysis

max time kernel
1800s
max time network
1803s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-06-2022 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
Size

78KB
MD5

0e8bd026f56f21cbd8a899387f20524a
SHA1

8b344cee89d25bb000d0f6d2f396c0d6507467e4
SHA256

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5
SHA512

faec15a510ddbb64162a58ce477afe806c6ddb35a91815580bf39092b9a6dde4d2da94c5b9c853d81c445a5bd8e8f37e614bb59330cd0bba3504729ec259b001

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp9C2.tmp.exe

pid process

1408 tmp9C2.tmp.exe

pid	process
1408	tmp9C2.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe

pid	process
880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp9C2.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9C2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exetmp9C2.tmp.exe

description	pid	process
Token: SeDebugPrivilege	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
Token: SeDebugPrivilege	1408	tmp9C2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exevbc.exe

description	pid	process	target process
PID 880 wrote to memory of 964	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	vbc.exe
PID 880 wrote to memory of 964	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	vbc.exe
PID 880 wrote to memory of 964	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	vbc.exe
PID 880 wrote to memory of 964	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	vbc.exe
PID 964 wrote to memory of 1304	964	vbc.exe	cvtres.exe
PID 964 wrote to memory of 1304	964	vbc.exe	cvtres.exe
PID 964 wrote to memory of 1304	964	vbc.exe	cvtres.exe
PID 964 wrote to memory of 1304	964	vbc.exe	cvtres.exe
PID 880 wrote to memory of 1408	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	tmp9C2.tmp.exe
PID 880 wrote to memory of 1408	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	tmp9C2.tmp.exe
PID 880 wrote to memory of 1408	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	tmp9C2.tmp.exe
PID 880 wrote to memory of 1408	880	6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe	tmp9C2.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
"C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g0rztrww.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB38.tmp"
3⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB49.tmp
Filesize
1KB

MD5
18a163b90b6956f22804d91492b7a074

SHA1
ca0532785659029b8ea9a24aebb0543a53a56fb8

SHA256
5cf71084971f4e2c2924cd992053709473a75fb9acdd33ddf9aea8f355bac3d9

SHA512
16fed3dc992e39c310762b4447e3ebbbe9daaa18f711acdc526bac00f3c1db2c54b08bcfee943aaf013a71820b06917c45d5d389a204d1171b9620c4de32e3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\g0rztrww.0.vb
Filesize
15KB

MD5
1edd047e92fadfb6f1393e235f4f25c8

SHA1
60beab043eeb64ecf33dd6dd059289aaece37656

SHA256
d9c65fe9272fa857f02beb64e121d30d37355747d58fe49e1da9fc9dabc65cc3

SHA512
af60f5735a75ad16be6202f3ae3ecd5e6add314a1af60e65ed3f6021221042fd56bccc60fa2be3044c39f3e1d74d9b4f1cabed4aa0eaa296bdf94127deef7508

Download Submit
C:\Users\Admin\AppData\Local\Temp\g0rztrww.cmdline
Filesize
265B

MD5
f734e8bc229e1484fb5e235562659798

SHA1
305cc62d73017b4b182ea9f2830c1365464ea7c4

SHA256
0cc31a010a7ab924acddd71c24a79895cea2c870c85b6e3f4808f0f8d4ff5d54

SHA512
2c97bf1f9a028e53fa06fe8cbaab30160d2104f3893d3d2536a47c137e0e59fa67c4ecc71619ec9bd9ee8cddca9a8b1ef2f7c71b4fffa7e69abcbd1fcd210bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp.exe
Filesize
78KB

MD5
0dda3c32bd8bdf7bf2b2073fbe00e555

SHA1
a209134e3a898b7368680891fde88a101b7f3b9a

SHA256
e7fc8274f57ec86f68d07e30caa55d7b41499a0374ad5bbefe983de3afa27521

SHA512
c8939411d9581aa215bfec31387fc677661e8a4125dd5004b477642ec70c4e86e5a2dad47123520c411b974e2cb05c963ea58e297db7868efe29a2f28be5a581

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp.exe
Filesize
78KB

MD5
0dda3c32bd8bdf7bf2b2073fbe00e555

SHA1
a209134e3a898b7368680891fde88a101b7f3b9a

SHA256
e7fc8274f57ec86f68d07e30caa55d7b41499a0374ad5bbefe983de3afa27521

SHA512
c8939411d9581aa215bfec31387fc677661e8a4125dd5004b477642ec70c4e86e5a2dad47123520c411b974e2cb05c963ea58e297db7868efe29a2f28be5a581

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB38.tmp
Filesize
660B

MD5
7c64ea01e48af9e402d81d25d4de5086

SHA1
44594763a94ee0997495e8769a4f6c437ab15e09

SHA256
72403f02875c09071cf8007d611a180b20badcb01c3b820ffb1d1bc5d803ab57

SHA512
0931009f276fbda66eeae0560841783af1c6dfc1f108adc236c83766da8a6cffb5ab33febccd59b3f5aa9048fb955e2c0b31c28b3c3dd2f2dba737ccaba2765c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9C2.tmp.exe
Filesize
78KB

MD5
0dda3c32bd8bdf7bf2b2073fbe00e555

SHA1
a209134e3a898b7368680891fde88a101b7f3b9a

SHA256
e7fc8274f57ec86f68d07e30caa55d7b41499a0374ad5bbefe983de3afa27521

SHA512
c8939411d9581aa215bfec31387fc677661e8a4125dd5004b477642ec70c4e86e5a2dad47123520c411b974e2cb05c963ea58e297db7868efe29a2f28be5a581

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9C2.tmp.exe
Filesize
78KB

MD5
0dda3c32bd8bdf7bf2b2073fbe00e555

SHA1
a209134e3a898b7368680891fde88a101b7f3b9a

SHA256
e7fc8274f57ec86f68d07e30caa55d7b41499a0374ad5bbefe983de3afa27521

SHA512
c8939411d9581aa215bfec31387fc677661e8a4125dd5004b477642ec70c4e86e5a2dad47123520c411b974e2cb05c963ea58e297db7868efe29a2f28be5a581

Download Submit
memory/880-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/880-68-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/964-55-0x0000000000000000-mapping.dmp

Download
memory/1304-59-0x0000000000000000-mapping.dmp

Download
memory/1408-65-0x0000000000000000-mapping.dmp

Download
memory/1408-69-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-70-0x0000000002025000-0x0000000002036000-memory.dmp

Filesize
68KB

Download
memory/1408-71-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download