70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e

General

Target

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
Size

78KB
MD5

b578bb6e52602f70bf2e7e46801a537d
SHA1

13f93888419a03e5a2572c2ceaa18ca335805359
SHA256

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e
SHA512

5aa66fce36f3c188c730e9cc18fab5e133061480b96f1f7e845353b9f6fc86466f39c0400aad7406f16ef5b60ae969d2fed252e74c09a9d94c911ba713b94caf

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp5A79.tmp.exe

pid process

2932 tmp5A79.tmp.exe

pid	process
2932	tmp5A79.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp5A79.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp5A79.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exetmp5A79.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2304	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
Token: SeDebugPrivilege	2932	tmp5A79.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exevbc.exe

description	pid	process	target process
PID 2304 wrote to memory of 1332	2304	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	vbc.exe
PID 2304 wrote to memory of 1332	2304	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	vbc.exe
PID 2304 wrote to memory of 1332	2304	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	vbc.exe
PID 1332 wrote to memory of 1652	1332	vbc.exe	cvtres.exe
PID 1332 wrote to memory of 1652	1332	vbc.exe	cvtres.exe
PID 1332 wrote to memory of 1652	1332	vbc.exe	cvtres.exe
PID 2304 wrote to memory of 2932	2304	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	tmp5A79.tmp.exe
PID 2304 wrote to memory of 2932	2304	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	tmp5A79.tmp.exe
PID 2304 wrote to memory of 2932	2304	70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe	tmp5A79.tmp.exe

C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
"C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xfg7cb-g.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A19DA88C1054F48BED1E71AEE75FC7.TMP"
3⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp5A79.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5A79.tmp.exe" C:\Users\Admin\AppData\Local\Temp\70171afab4fe82232238910e5c124e5ce7176c5a7716cc9671331302b056fb3e.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5CAB.tmp
Filesize
1KB

MD5
f3dcbb4bf8c9bbb00799e7166d9d99cc

SHA1
2d444677e8556d99e76c1681aa7c813b8f290e7b

SHA256
2adb06616b4d3043a83d975e7a785172a7a89e999a2f36c5971e7d1368f75bcd

SHA512
344767c1c06ad1207a680e661f5110862a1df51b3c4268968e92c69bf4c173b1e875b628f4dabe350fc25a58c74cb471ad1a2a17f4daf7e725c0abde34c06981

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A79.tmp.exe
Filesize
78KB

MD5
9ac03fbf0842c3423188a9c9dac0502e

SHA1
61d28a9893267023654ddccbd588f6730301c71f

SHA256
0cda4180411b4f867822f13b86c669acd79c11554bf8a86591371238789ec1b1

SHA512
f1af7edd40ad3ec991edd012d2bafb62cbbc78755f028650d860b95efee1e8206fb9a7b5461665ab9d44f51cef30e235dcfc6356790ca6c0ba5db4aabc7cc6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A79.tmp.exe
Filesize
78KB

MD5
9ac03fbf0842c3423188a9c9dac0502e

SHA1
61d28a9893267023654ddccbd588f6730301c71f

SHA256
0cda4180411b4f867822f13b86c669acd79c11554bf8a86591371238789ec1b1

SHA512
f1af7edd40ad3ec991edd012d2bafb62cbbc78755f028650d860b95efee1e8206fb9a7b5461665ab9d44f51cef30e235dcfc6356790ca6c0ba5db4aabc7cc6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2A19DA88C1054F48BED1E71AEE75FC7.TMP
Filesize
660B

MD5
2fc44362b4cb610a7839ff955236a766

SHA1
86dfbdde9614a8dd89601289c0935bca2e4801e8

SHA256
8a8ef9653372442bbb24529821ad39111e74c68e3bf946c80f97cc2fb671b498

SHA512
a71680eb7fd93ad3aa66029fe4bfb06ac5a936885dbf5c675e38f4dcd778fcd4efbe0c665dd58aaf0aac1405c5e9384b1c39a3d13c34120398853b4911862fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfg7cb-g.0.vb
Filesize
14KB

MD5
ef14860be94cd90ddce30d1a33bfba40

SHA1
7ba223e4cb990c32e9fecf300bfdf2639fafc051

SHA256
0df43194b68227e3e1ccea18ad0575b4eb2c8e33aefcc5ee04008ae902784ee8

SHA512
8355d52fd7af3c215e54fe8d19dbceef33e3d02bcafc49ad47bcc50116479aea8650643aeb03a13ed9aca487b97f250ee581769244240ea72ccea6a05fe18804

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfg7cb-g.cmdline
Filesize
266B

MD5
145f2d0c084d138f0b3d24d79e728a3d

SHA1
da025f6a90ac9968d90c8059a80b8cc61e19b19c

SHA256
9b4bdd7c5f61108a70a671dc3cce4f39f80258bdfa81066fbb755082ad7a58fe

SHA512
13b42d970705cf1fe34201de1a07d93c200a90cd7ceda44347bc5a02ecb2da5096bcd5ddc4236b0c7cd9a60f7507f83437bf9bb715a9f8f47950e195108dc370

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1332-131-0x0000000000000000-mapping.dmp

Download
memory/1652-135-0x0000000000000000-mapping.dmp

Download
memory/2304-130-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/2304-141-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/2932-139-0x0000000000000000-mapping.dmp

Download
memory/2932-142-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/2932-143-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads