281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-06-2022 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
Size

78KB
MD5

c9f4e2314818da2b06658920b8a1eb83
SHA1

3b8b409fd7321aa8453c59e5dd99c1665622ab5c
SHA256

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0
SHA512

b047082b905b3be99090a26ec12354fbdf1bc0cca6263a9982575047784d0eab641ca1d842a1491ca54ff9d255e700931faef53ceb67fe405cc4cf64ae3c8987

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

tmp9A2.tmp.exe

pid process

1432 tmp9A2.tmp.exe

pid	process
1432	tmp9A2.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe

pid	process
2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe

description pid process

Token: SeDebugPrivilege 2024 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe

description	pid	process
Token: SeDebugPrivilege	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exevbc.exe

description	pid	process	target process
PID 2024 wrote to memory of 1336	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	vbc.exe
PID 2024 wrote to memory of 1336	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	vbc.exe
PID 2024 wrote to memory of 1336	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	vbc.exe
PID 2024 wrote to memory of 1336	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	vbc.exe
PID 1336 wrote to memory of 1080	1336	vbc.exe	cvtres.exe
PID 1336 wrote to memory of 1080	1336	vbc.exe	cvtres.exe
PID 1336 wrote to memory of 1080	1336	vbc.exe	cvtres.exe
PID 1336 wrote to memory of 1080	1336	vbc.exe	cvtres.exe
PID 2024 wrote to memory of 1432	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	tmp9A2.tmp.exe
PID 2024 wrote to memory of 1432	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	tmp9A2.tmp.exe
PID 2024 wrote to memory of 1432	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	tmp9A2.tmp.exe
PID 2024 wrote to memory of 1432	2024	281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe	tmp9A2.tmp.exe

C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
"C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqm_rf8h.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB09.tmp"
3⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
2⤵
- Executes dropped EXE
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0A.tmp
Filesize
1KB

MD5
ea9c2e15101cbc45b4e501c9abeb0c65

SHA1
36a8b16ba70b696ddc2116b4eb01230e34d45d7b

SHA256
010061b0b77e4b1057c6b7d509988a717e139d8b803708e1591716b6ae0f9749

SHA512
c6a39baf968541c5dd21048508c880ebe0197d9c534334a0cf683e279fbf17450d8170e68b7296cc55e860c43faa6de08f3c346846deef4784b10fd9e19adb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqm_rf8h.0.vb
Filesize
15KB

MD5
cc19733c8c4e2ff32e96eb6d2131d25f

SHA1
3a630a181aa0ad26ed4827620d4ebbb9baaade2f

SHA256
0973240b07265ba8886c13e1b17d6d8bd6eb197b72c1d4013d0bc409e6d361ad

SHA512
7c0ae9b97c3ba494be5aaa399f8a4bebbb3216fb8b23a8ff22733408127f32efecc0eb52a3b17112a1673b6fea55e26fe676a200cd1aefe41672b7a9986af4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqm_rf8h.cmdline
Filesize
265B

MD5
83f0e8bfd6011c66ff77846d5c38f586

SHA1
3ccda23b7a8435668d8302914b9f49992350ba93

SHA256
d729e9975835c8fc3d47906851df2330f25dccd88967e22d6a58e0979229d052

SHA512
201c2d6c4be1fcc824f47f41365d593186b50ce2327db4d2c9015617835bc081b013b5290c745007c97b826b56bec2fa9b9976f1536b832277a0e064012fa5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe
Filesize
78KB

MD5
519a94bee378503a6937bb352eb22b4f

SHA1
cfd8a52fe77b8c80a876ea5809a03094c3d4f1fd

SHA256
6ef8f67d6d8696d5159fedff2cd7e38d84f2cca599e5199bf85bb2511ce7b6d1

SHA512
18ecdba09b89672f3662c23215bf3b98391afcc28aa66945eeb81d8a11bd5ec1b3998f3dba259a5045eaf9cb1fda8e1e59104df3686d2a39c2b21336196b65a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe
Filesize
78KB

MD5
519a94bee378503a6937bb352eb22b4f

SHA1
cfd8a52fe77b8c80a876ea5809a03094c3d4f1fd

SHA256
6ef8f67d6d8696d5159fedff2cd7e38d84f2cca599e5199bf85bb2511ce7b6d1

SHA512
18ecdba09b89672f3662c23215bf3b98391afcc28aa66945eeb81d8a11bd5ec1b3998f3dba259a5045eaf9cb1fda8e1e59104df3686d2a39c2b21336196b65a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB09.tmp
Filesize
660B

MD5
da81dcaf165b0c94095b3e0651b0c70a

SHA1
624ffe073d78dd8317e77aa0bc35276bb407adc8

SHA256
def7338e8e66bdda99baae8365c3966f636b4c973e9e5bdfe8d742ff5f770869

SHA512
953169e5cf5bd9990fbe2abb9297517491b9a63b3a8c606a134e7ae2cd8c635b252a6d6ef8afbc7e74243297e910187b3a643d3d526c4a3e09737b153b73c34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe
Filesize
78KB

MD5
519a94bee378503a6937bb352eb22b4f

SHA1
cfd8a52fe77b8c80a876ea5809a03094c3d4f1fd

SHA256
6ef8f67d6d8696d5159fedff2cd7e38d84f2cca599e5199bf85bb2511ce7b6d1

SHA512
18ecdba09b89672f3662c23215bf3b98391afcc28aa66945eeb81d8a11bd5ec1b3998f3dba259a5045eaf9cb1fda8e1e59104df3686d2a39c2b21336196b65a6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp9A2.tmp.exe
Filesize
78KB

MD5
519a94bee378503a6937bb352eb22b4f

SHA1
cfd8a52fe77b8c80a876ea5809a03094c3d4f1fd

SHA256
6ef8f67d6d8696d5159fedff2cd7e38d84f2cca599e5199bf85bb2511ce7b6d1

SHA512
18ecdba09b89672f3662c23215bf3b98391afcc28aa66945eeb81d8a11bd5ec1b3998f3dba259a5045eaf9cb1fda8e1e59104df3686d2a39c2b21336196b65a6

Download Submit
memory/1080-59-0x0000000000000000-mapping.dmp

Download
memory/1336-55-0x0000000000000000-mapping.dmp

Download
memory/1432-65-0x0000000000000000-mapping.dmp

Download
memory/1432-69-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1432-70-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1432-71-0x0000000000B75000-0x0000000000B86000-memory.dmp

Filesize
68KB

Download
memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/2024-68-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download