Analysis

max time kernel: 1800s
max time network: 1803s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 06-06-2022 21:29

Static task: static1
Behavioral task: behavioral1
  Sample: 70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
  Resource: win10v2004-20220414-en

The results below are from the behavioral2 run (windows10-2004_x64, win10v2004-20220414-en); the win7 run is not shown on this page.
General

Target: 70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
Size: 78KB
MD5: b578bb6e52602f70bf2e7e46801a537d
SHA1: 13f93888419a03e5a2572c2ceaa18ca335805359
SHA256: 70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e
SHA512: 5aa66fce36f3c188c730e9cc18fab5e133061480b96f1f7e845353b9f6fc86466f39c0400aad7406f16ef5b60ae969d2fed252e74c09a9d94c911ba713b94caf
Malware Config
(no configuration was extracted from this sample)

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
This rule fires on a response from an AnubisNetworks sinkhole, i.e. the sample reached a callback domain that has already been taken over by a sinkhole operator. It confirms the host is making C2-style traffic, but the original operator no longer receives it. The destination itself is not shown on this page (the Network section below is empty).
Executes dropped EXE (1 IoC)
  PID 2932  tmp5A79.tmp.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  Process: 70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe

Uses the VBS compiler for execution (1 TTP)
Despite the signature name, vbc.exe is the Visual Basic .NET command-line compiler that ships with the .NET Framework (v2.0.50727 in this run), not the VBScript engine. The sample invokes it with a response file (xfg7cb-g.cmdline) and a generated source file (xfg7cb-g.0.vb, 14KB), both written to %TEMP%; see the process tree and Downloads below. Compiling a payload at run time means the final executable never exists inside the original 78KB sample and only appears on disk (and in hash-based detection) on the victim.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML
  Data: "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe" (the quotes are part of the value)
  Process: tmp5A79.tmp.exe
  Note: no file named AppLaunch.exe under %TEMP% appears among the files recorded in Downloads below, so within the analysis window the autostart entry points at a path this report does not show being written. The name matches a legitimate .NET Framework binary (normally under C:\Windows\Microsoft.NET\Framework\); a copy in %TEMP% would be masquerading as it.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour"; no IoC is listed for it on this page, so treat the label as a heuristic rather than an observed encryption step.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2304  70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
  Token: SeDebugPrivilege  PID 2932  tmp5A79.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2304 (70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe) wrote to memory of PID 1332 (vbc.exe): 3 IoCs
  PID 1332 (vbc.exe) wrote to memory of PID 1652 (cvtres.exe): 3 IoCs
  PID 2304 (70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe) wrote to memory of PID 2932 (tmp5A79.tmp.exe): 3 IoCs
  Every write here is from a parent into a child it has just created, which matches the process tree below and is what CreateProcess itself does when it sets up a new process. No write into an unrelated process was recorded, so this page gives no evidence of process injection.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xfg7cb-g.cmdline"
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A19DA88C1054F48BED1E71AEE75FC7.TMP"

  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp5A79.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5A79.tmp.exe" C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample runs vbc.exe against a response file in %TEMP% (vbc.exe in turn runs cvtres.exe to build the resource blob RES5CAB.tmp, a normal step of a .NET Framework 2.0 compile), then launches tmp5A79.tmp.exe, passing its own path as the only argument. tmp5A79.tmp.exe is the same size as the original sample (78KB) but has different hashes; the page does not show the response file's output path, so whether it is the compiler's output is not stated here, only that it is a new executable written and executed during the run.
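The host-side behaviours recorded above reduce to three detection rules: a .NET compiler started by a non-build process with a response file in %TEMP%, an executable in %TEMP% spawned by another executable in %TEMP%, and a Run-key autostart whose target lives in %TEMP%. The Python below is an added example, not part of the sandbox output or of any detection product: it runs those rules over constructed Sysmon-style events assembled from the PIDs, paths and command lines on this page. The Event record is a hypothetical schema, explorer.exe as the sample's parent is an assumption (the report does not show it), and the benign MSBuild and OneDrive events are constructed to show what the rules must not flag.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Constructed Sysmon-style event: 'process' (ID 1) or 'registry' (ID 13)."""
    kind: str
    pid: int
    image: str = ""         # full path of the created process (process events)
    parent_image: str = ""  # full path of its parent (process events)
    cmdline: str = ""       # command line (process events)
    target: str = ""        # registry value path (registry events)
    value: str = ""         # data written to that value (registry events)


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# '@"C:\...\Temp\xxx.cmdline"': a compiler response file living in %TEMP%.
RESPONSE_FILE_RE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.IGNORECASE)
# vbc.exe is the Visual Basic .NET compiler, csc.exe the C# one.
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive those compilers with response files (assumed allow-list).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the report's behaviours."""
    findings = []
    for e in events:
        if e.kind == "process":
            img, parent = basename(e.image), basename(e.parent_image)
            # Rule 1: .NET compiler started by a non-build process with a %TEMP% response file.
            if (img in DOTNET_COMPILERS and parent not in BUILD_PARENTS
                    and RESPONSE_FILE_RE.search(e.cmdline)):
                findings.append(("runtime_compile", e.pid, f"{parent} -> {img}"))
            # Rule 2: executable in %TEMP% launched by another executable in %TEMP%.
            if TEMP_RE.search(e.image) and TEMP_RE.search(e.parent_image):
                findings.append(("temp_exe_spawns_temp_exe", e.pid, e.image))
        elif e.kind == "registry":
            # Rule 3: Run-key autostart whose target lives in %TEMP%.
            if RUN_KEY_RE.search(e.target) and TEMP_RE.search(e.value):
                findings.append(("run_key_to_temp", e.pid, e.target.rsplit("\\", 1)[-1]))
    return findings


# Constructed events reproducing this report's process tree and Run-key write.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe"
DROPPED = TEMP + r"\tmp5A79.tmp.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-2632097139-1792035885-811742494-1000"
RUN = HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [
    # explorer.exe as the sample's parent is an assumption; the report does not show it.
    Event("process", 2304, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    Event("process", 1332, NET20 + r"\vbc.exe", SAMPLE,
          f'"{NET20}\\vbc.exe" /noconfig @"{TEMP}\\xfg7cb-g.cmdline"'),
    Event("process", 1652, NET20 + r"\cvtres.exe", NET20 + r"\vbc.exe",
          f'{NET20}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES5CAB.tmp"'),
    Event("process", 2932, DROPPED, SAMPLE, f'"{DROPPED}" {SAMPLE}'),
    Event("registry", 2932, target=RUN + r"\System.XML", value=f'"{TEMP}\\AppLaunch.exe"'),
]

# Constructed benign activity the rules must not flag: an MSBuild-driven compile
# using a %TEMP% response file, and a Run key whose target is outside %TEMP%.
BENIGN_EVENTS = [
    Event("process", 4100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
          r"C:\Program Files\dotnet\msbuild.exe",
          r'csc.exe /noconfig @"C:\Users\Dev\AppData\Local\Temp\tmp1234.cmdline"'),
    Event("registry", 4200, target=RUN + r"\OneDrive",
          value=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid} {detail}")
    print("benign findings:", detect(BENIGN_EVENTS))
```

Run stand-alone it reports three findings for the constructed sample events (runtime_compile on PID 1332, temp_exe_spawns_temp_exe on PID 2932, run_key_to_temp on PID 2932) and none for the benign ones. The allow-list of build parents is the tuning knob: on developer workstations it will need the organisation's own build tooling added, while on servers and ordinary user endpoints any vbc.exe or csc.exe launch with a %TEMP% response file is worth an alert on its own.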
Network
(no connections are listed on this page; the only network indicator is the Suricata sinkhole alert under Signatures)

MITRE ATT&CK Matrix (ATT&CK v6)
(no technique mapping is rendered on this page)
Downloads

C:\Users\Admin\AppData\Local\Temp\RES5CAB.tmp
  Filesize: 1KB
  MD5: f3dcbb4bf8c9bbb00799e7166d9d99cc
  SHA1: 2d444677e8556d99e76c1681aa7c813b8f290e7b
  SHA256: 2adb06616b4d3043a83d975e7a785172a7a89e999a2f36c5971e7d1368f75bcd
  SHA512: 344767c1c06ad1207a680e661f5110862a1df51b3c4268968e92c69bf4c173b1e875b628f4dabe350fc25a58c74cb471ad1a2a17f4daf7e725c0abde34c06981

C:\Users\Admin\AppData\Local\Temp\tmp5A79.tmp.exe
  Filesize: 78KB
  MD5: 9ac03fbf0842c3423188a9c9dac0502e
  SHA1: 61d28a9893267023654ddccbd588f6730301c71f
  SHA256: 0cda4180411b4f867822f13b86c669acd79c11554bf8a86591371238789ec1b1
  SHA512: f1af7edd40ad3ec991edd012d2bafb62cbbc78755f028650d860b95efee1e8206fb9a7b5461665ab9d44f51cef30e235dcfc6356790ca6c0ba5db4aabc7cc6f4
C:\Users\Admin\AppData\Local\Temp\vbc2A19DA88C1054F48BED1E71AEE75FC7.TMP
  Filesize: 660B
  MD5: 2fc44362b4cb610a7839ff955236a766
  SHA1: 86dfbdde9614a8dd89601289c0935bca2e4801e8
  SHA256: 8a8ef9653372442bbb24529821ad39111e74c68e3bf946c80f97cc2fb671b498
  SHA512: a71680eb7fd93ad3aa66029fe4bfb06ac5a936885dbf5c675e38f4dcd778fcd4efbe0c665dd58aaf0aac1405c5e9384b1c39a3d13c34120398853b4911862fb6

C:\Users\Admin\AppData\Local\Temp\xfg7cb-g.0.vb
  Filesize: 14KB
  MD5: ef14860be94cd90ddce30d1a33bfba40
  SHA1: 7ba223e4cb990c32e9fecf300bfdf2639fafc051
  SHA256: 0df43194b68227e3e1ccea18ad0575b4eb2c8e33aefcc5ee04008ae902784ee8
  SHA512: 8355d52fd7af3c215e54fe8d19dbceef33e3d02bcafc49ad47bcc50116479aea8650643aeb03a13ed9aca487b97f250ee581769244240ea72ccea6a05fe18804

C:\Users\Admin\AppData\Local\Temp\xfg7cb-g.cmdline
  Filesize: 266B
  MD5: 145f2d0c084d138f0b3d24d79e728a3d
  SHA1: da025f6a90ac9968d90c8059a80b8cc61e19b19c
  SHA256: 9b4bdd7c5f61108a70a671dc3cce4f39f80258bdfa81066fbb755082ad7a58fe
  SHA512: 13b42d970705cf1fe34201de1a07d93c200a90cd7ceda44347bc5a02ecb2da5096bcd5ddc4236b0c7cd9a60f7507f83437bf9bb715a9f8f47950e195108dc370

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

The .vb source, the .cmdline response file, the vbc*.TMP/RES*.tmp resource intermediates and zCom.resources are the working files of the vbc.exe compile seen in the process tree; the hashes of the source and response file are the most stable host indicators here, since tmp5A79.tmp.exe is produced on the victim and a rebuild with a different timestamp or resource would change its hash.
Memory dumps

memory/1332-131-0x0000000000000000-mapping.dmp (vbc.exe, mapping)
memory/1652-135-0x0000000000000000-mapping.dmp (cvtres.exe, mapping)
memory/2304-130-0x0000000074AC0000-0x0000000075071000-memory.dmp (5.7MB)
memory/2304-141-0x0000000074AC0000-0x0000000075071000-memory.dmp (5.7MB)
memory/2932-139-0x0000000000000000-mapping.dmp (tmp5A79.tmp.exe, mapping)
memory/2932-142-0x0000000074AC0000-0x0000000075071000-memory.dmp (5.7MB)
memory/2932-143-0x0000000074AC0000-0x0000000075071000-memory.dmp (5.7MB)

The same 5.7MB region at 0x74AC0000-0x75071000 was dumped twice from the sample (PID 2304) and twice from tmp5A79.tmp.exe (PID 2932); the page does not identify the module occupying it.