Analysis
max time kernel: 150s
max time network: 95s
platform: windows7_x64
resource: win7-20220414-en
submitted: 12-06-2022 04:00
Static task: static1
Behavioral task: behavioral1
  Sample: 22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe
  Resource: win10v2004-20220414-en
General
Target: 22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe
Size: 160KB
MD5: 151e547c0bcd4f597ae577fc6f5c0905
SHA1: dadbc8ce69a363ef93b54cd8512d7b75dd96c13c
SHA256: 22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01
SHA512: 7b0d95a968f2d41a89fe1ba61305921910211263829faffb211cd95825489439c5c9fd19508dd0f788e993ce6a5caa5abd711301fcac7cfacbc0b4170ace4afb
Malware Config
Extracted family: tofsee
C2 indicators from the extracted config:
  91.218.38.245
  188.165.132.183
  rgtryhbgddtyh.biz
  wertdghbyrukl.ch
Signatures
Executes dropped EXE (1 IoC)
  PID 1896  mmvugsfh.exe
UPX-packed (YARA rule `upx` matched; the heading for this signature is missing from the page, the rule name is taken from the match table)
  behavioral1/memory/1880-55-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/1896-63-0x0000000000400000-0x0000000000459000-memory.dmp
  \Users\Admin\mmvugsfh.exe (listed twice)
  C:\Users\Admin\mmvugsfh.exe (listed twice)
  Both the original process (1880) and the dropped copy (1896) match in the same 0x400000-0x459000 image range, consistent with the dropped file being the same packed binary.
Deletes itself (1 IoC)
  PID 1140  cmd.exe
Loads dropped DLL (2 IoCs)
  PID 1880  22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe (the sample; two load events)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\mmvugsfh.exe\""  by the sample (PID 1880)
  The value name MSConfig imitates a legitimate Windows tool; the target sits in a user-writable path (the profile root), which is a simple hunting criterion for Run-key persistence.
Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum    the sample (PID 1880)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  the sample (PID 1880)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum    mmvugsfh.exe (PID 1896)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  mmvugsfh.exe (PID 1896)
Suspicious use of SetThreadContext (1 IoC)
  PID 1896 (mmvugsfh.exe) set thread context of PID 1948 (svchost.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature and no IoC is attached to it in this report; the only storage-related activity recorded here is the Disk\Enum registry read above, which for a Tofsee sample is better read as VM/sandbox detection than as ransomware staging.
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1880 (the sample)   wrote to memory of PID 1896 (mmvugsfh.exe)  x4
  PID 1896 (mmvugsfh.exe) wrote to memory of PID 1948 (svchost.exe)   x6
  PID 1880 (the sample)   wrote to memory of PID 1140 (cmd.exe)       x4
  Taken together with the SetThreadContext call, the 1896 -> 1948 writes are the process-hollowing sequence: the dropped copy creates a child svchost.exe, writes into its address space and redirects its thread, so the bot code ends up running under an OS binary's name.
Processes
1. C:\Users\Admin\AppData\Local\Temp\22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe"
   PID: 1880
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\mmvugsfh.exe
      Command line: "C:\Users\Admin\mmvugsfh.exe"
      PID: 1896
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: svchost.exe
         PID: 1948
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0731.bat" "
      PID: 1140
      - Deletes itself
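The behaviours in the signature list and the process tree above (Run-key persistence into a user-writable path, WriteProcessMemory plus SetThreadContext from a dropped binary into svchost.exe, a Temp .bat launched through cmd.exe that removes the original, and the Disk\Enum registry read) reduce to a handful of checks over a process/registry/memory event stream. The following is an added example, not code from the sandbox report or from Triage: the EVENTS list is constructed by hand from the PIDs and paths in this report (the filedelete record is inferred from the "Deletes itself" signature), and the record layout and function names are this example's own assumptions.

```python
"""Detection checks over sandbox-style behavioural events (added example).

EVENTS below is constructed from the report's process tree and signatures;
the (kind, pid, details) layout is an assumption, not the sandbox's format.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01.exe"
DROPPED = r"C:\Users\Admin\mmvugsfh.exe"

# Constructed events: (kind, pid, details). Only the fields the checks need.
EVENTS = [
    ("process", 1880, {"image": SAMPLE, "parent": None, "cmdline": f'"{SAMPLE}"'}),
    ("regset", 1880, {"key": r"HKU\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig",
                      "value": f'"{DROPPED}"'}),
    ("regquery", 1880, {"key": r"HKLM\SYSTEM\ControlSet001\services\Disk\Enum\0"}),
    ("process", 1896, {"image": DROPPED, "parent": 1880, "cmdline": f'"{DROPPED}"'}),
    ("regquery", 1896, {"key": r"HKLM\SYSTEM\ControlSet001\services\Disk\Enum\0"}),
    ("process", 1948, {"image": r"C:\Windows\SysWOW64\svchost.exe", "parent": 1896, "cmdline": "svchost.exe"}),
    ("writeprocessmemory", 1896, {"target": 1948}),
    ("setthreadcontext", 1896, {"target": 1948}),
    ("process", 1140, {"image": r"C:\Windows\SysWOW64\cmd.exe", "parent": 1880,
                       "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\0731.bat" "'}),
    ("filedelete", 1140, {"path": SAMPLE}),  # inferred from the "Deletes itself" signature
]


def processes(events):
    """pid -> process record for every process-start event."""
    return {pid: d for kind, pid, d in events if kind == "process"}


def is_user_writable(path):
    """Paths under the user profile tree: writable without admin rights."""
    return path.lower().startswith("c:\\users\\")


def is_os_binary(path):
    return path.lower().startswith("c:\\windows\\")


def run_key_persistence(events):
    """Run-key values whose launch target lives in a user-writable directory."""
    hits = []
    for kind, pid, d in events:
        if kind == "regset" and "\\currentversion\\run\\" in d["key"].lower():
            target = d["value"].strip('"')
            if is_user_writable(target):
                hits.append((pid, d["key"].rsplit("\\", 1)[-1], target))
    return hits


def hollowing_candidates(events):
    """A non-OS process that both writes memory into and sets the thread
    context of an OS binary: the process-hollowing pair."""
    procs = processes(events)
    touched = defaultdict(set)
    for kind, pid, d in events:
        if kind in ("writeprocessmemory", "setthreadcontext"):
            touched[(pid, d["target"])].add(kind)
    return [(src, dst, procs[dst]["image"])
            for (src, dst), kinds in touched.items()
            if kinds == {"writeprocessmemory", "setthreadcontext"}
            and not is_os_binary(procs[src]["image"]) and is_os_binary(procs[dst]["image"])]


def self_delete_candidates(events):
    """cmd.exe running a .bat from Temp that deletes its own parent's image."""
    procs = processes(events)
    hits = []
    for kind, pid, d in events:
        if kind != "filedelete" or pid not in procs:
            continue
        proc = procs[pid]
        parent = procs.get(proc["parent"])
        bat = re.search(r'\\temp\\[^"]+\.bat', proc["cmdline"], re.I)
        if parent and bat and proc["image"].lower().endswith("\\cmd.exe") \
                and d["path"].lower() == parent["image"].lower():
            hits.append((proc["parent"], pid, bat.group(0)))
    return hits


def disk_enum_readers(events):
    """PIDs reading services\\Disk\\Enum: the disk model string there exposes VM vendors."""
    return sorted({pid for kind, pid, d in events
                   if kind == "regquery" and "\\services\\disk\\enum" in d["key"].lower()})


def render_tree(events):
    """Indented process tree, one line per process, from parent links."""
    procs = processes(events)
    children = defaultdict(list)
    for pid, d in procs.items():
        children[d["parent"]].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {procs[pid]['cmdline']}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in children[None]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    print("run-key persistence:", run_key_persistence(EVENTS))
    print("hollowing:", hollowing_candidates(EVENTS))
    print("self-delete:", self_delete_candidates(EVENTS))
    print("disk enum readers:", disk_enum_readers(EVENTS))
```

Each check is deliberately narrow: the hollowing rule requires both API calls from the same source against the same target rather than WriteProcessMemory alone (which the sample also uses against its own children, as the 14 IoCs above show), and the self-delete rule ties the deleted path back to the parent's own image instead of flagging every cmd /c on a batch file.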
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 302B
  MD5    52d8521f40c050325d4725db55fa88e5
  SHA1   259e2b6b79b4c3fd6073d78cd968401b0de971e6
  SHA256 7bdaa203ed4e4035f0f6871a51dc19a1300fb7f06b6c162673f1c34a15748733
  SHA512 e86d26201f3ea1a24755209e66b0ba3e965db186029900ac23bc521ba9c91ce46631ff13ef78e79b6f35f70f0c60a4919f535b8805120ead2cde90b9fcea9ebf
Filesize: 160KB (listed four times with identical hashes; collapsed here)
  MD5    151e547c0bcd4f597ae577fc6f5c0905
  SHA1   dadbc8ce69a363ef93b54cd8512d7b75dd96c13c
  SHA256 22cbedd671eef5dad95001ae0ad11add173cfb11959dddff4f545f481d870e01
  SHA512 7b0d95a968f2d41a89fe1ba61305921910211263829faffb211cd95825489439c5c9fd19508dd0f788e993ce6a5caa5abd711301fcac7cfacbc0b4170ace4afb
  These hashes are exactly those of the submitted sample, which is consistent with the dropped mmvugsfh.exe being an unmodified self-copy of the original file; a hash-based blocklist on the sample therefore also covers the persisted copy.