Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 02:19
Static task: static1
Behavioral task: behavioral1
  Sample: 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
  Resource: win10v2004-20220414-en
General
- Target: 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
- Size: 78KB
- MD5: c9f4e2314818da2b06658920b8a1eb83
- SHA1: 3b8b409fd7321aa8453c59e5dd99c1665622ab5c
- SHA256: 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0
- SHA512: b047082b905b3be99090a26ec12354fbdf1bc0cca6263a9982575047784d0eab641ca1d842a1491ca54ff9d255e700931faef53ceb67fe405cc4cf64ae3c8987
Malware Config
Signatures
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1432  tmp9A2.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    2024  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
    2024  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2024  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                 target process
    PID 2024 wrote to memory of 1336  2024  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe  vbc.exe         (4 identical entries)
    PID 1336 wrote to memory of 1080  1336  vbc.exe                                                                 cvtres.exe      (4 identical entries)
    PID 2024 wrote to memory of 1432  2024  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe  tmp9A2.tmp.exe  (4 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqm_rf8h.cmdline"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB09.tmp"
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESB0A.tmp
  Filesize: 1KB
  MD5: ea9c2e15101cbc45b4e501c9abeb0c65
  SHA1: 36a8b16ba70b696ddc2116b4eb01230e34d45d7b
  SHA256: 010061b0b77e4b1057c6b7d509988a717e139d8b803708e1591716b6ae0f9749
  SHA512: c6a39baf968541c5dd21048508c880ebe0197d9c534334a0cf683e279fbf17450d8170e68b7296cc55e860c43faa6de08f3c346846deef4784b10fd9e19adb68
- C:\Users\Admin\AppData\Local\Temp\hqm_rf8h.0.vb
  Filesize: 15KB
  MD5: cc19733c8c4e2ff32e96eb6d2131d25f
  SHA1: 3a630a181aa0ad26ed4827620d4ebbb9baaade2f
  SHA256: 0973240b07265ba8886c13e1b17d6d8bd6eb197b72c1d4013d0bc409e6d361ad
  SHA512: 7c0ae9b97c3ba494be5aaa399f8a4bebbb3216fb8b23a8ff22733408127f32efecc0eb52a3b17112a1673b6fea55e26fe676a200cd1aefe41672b7a9986af4a8
- C:\Users\Admin\AppData\Local\Temp\hqm_rf8h.cmdline
  Filesize: 265B
  MD5: 83f0e8bfd6011c66ff77846d5c38f586
  SHA1: 3ccda23b7a8435668d8302914b9f49992350ba93
  SHA256: d729e9975835c8fc3d47906851df2330f25dccd88967e22d6a58e0979229d052
  SHA512: 201c2d6c4be1fcc824f47f41365d593186b50ce2327db4d2c9015617835bc081b013b5290c745007c97b826b56bec2fa9b9976f1536b832277a0e064012fa5f4
- C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe
  Filesize: 78KB
  MD5: 519a94bee378503a6937bb352eb22b4f
  SHA1: cfd8a52fe77b8c80a876ea5809a03094c3d4f1fd
  SHA256: 6ef8f67d6d8696d5159fedff2cd7e38d84f2cca599e5199bf85bb2511ce7b6d1
  SHA512: 18ecdba09b89672f3662c23215bf3b98391afcc28aa66945eeb81d8a11bd5ec1b3998f3dba259a5045eaf9cb1fda8e1e59104df3686d2a39c2b21336196b65a6
- C:\Users\Admin\AppData\Local\Temp\vbcB09.tmp
  Filesize: 660B
  MD5: da81dcaf165b0c94095b3e0651b0c70a
  SHA1: 624ffe073d78dd8317e77aa0bc35276bb407adc8
  SHA256: def7338e8e66bdda99baae8365c3966f636b4c973e9e5bdfe8d742ff5f770869
  SHA512: 953169e5cf5bd9990fbe2abb9297517491b9a63b3a8c606a134e7ae2cd8c635b252a6d6ef8afbc7e74243297e910187b3a643d3d526c4a3e09737b153b73c34f
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- \Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe
  Filesize: 78KB
  MD5: 519a94bee378503a6937bb352eb22b4f
  SHA1: cfd8a52fe77b8c80a876ea5809a03094c3d4f1fd
  SHA256: 6ef8f67d6d8696d5159fedff2cd7e38d84f2cca599e5199bf85bb2511ce7b6d1
  SHA512: 18ecdba09b89672f3662c23215bf3b98391afcc28aa66945eeb81d8a11bd5ec1b3998f3dba259a5045eaf9cb1fda8e1e59104df3686d2a39c2b21336196b65a6
- memory/1080-59-0x0000000000000000-mapping.dmp
- memory/1336-55-0x0000000000000000-mapping.dmp
- memory/1432-65-0x0000000000000000-mapping.dmp
- memory/1432-69-0x0000000074B90000-0x000000007513B000-memory.dmp
  Filesize: 5.7MB
- memory/1432-70-0x0000000074B90000-0x000000007513B000-memory.dmp
  Filesize: 5.7MB
- memory/1432-71-0x0000000000B75000-0x0000000000B86000-memory.dmp
  Filesize: 68KB
- memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp
  Filesize: 8KB
- memory/2024-68-0x0000000074B90000-0x000000007513B000-memory.dmp
  Filesize: 5.7MB