51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351

General

Target

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
Size

1.6MB
MD5

8dc37e79dea9c99664a8025a21870d3c
SHA1

b8b93e441f4d781412375f2844a3d3978ac03143
SHA256

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351
SHA512

b5d14b97406c5a2620e48025a661d28dbd37faa76e457904eb7bc66e31728025f99ad0a2536a187ee962cb24b7aa322d6eb8cb6ed41609c4c0ccf538a921b461

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4676-144-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4676-145-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4676-146-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4676-148-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4676-150-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4676-152-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4676-151-0x0000000001610000-0x000000000171E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

Drops startup file 1 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exevbc.exevbc.exe

description	pid	process	target process
PID 3212 set thread context of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 2288 set thread context of 4652	2288	vbc.exe	vbc.exe
PID 4652 set thread context of 4676	4652	vbc.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exevbc.exevbc.exe

pid	process
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
4676	vbc.exe
4676	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe
2288	vbc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

pid	process
3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

pid	process
3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

2288 vbc.exe
4652 vbc.exe
4676 vbc.exe

pid	process
2288	vbc.exe
4652	vbc.exe
4676	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exevbc.exevbc.exe

description	pid	process	target process
PID 3036 wrote to memory of 3212	3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
PID 3036 wrote to memory of 3212	3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
PID 3036 wrote to memory of 3212	3036	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
PID 3212 wrote to memory of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 3212 wrote to memory of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 3212 wrote to memory of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 3212 wrote to memory of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 3212 wrote to memory of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 3212 wrote to memory of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 3212 wrote to memory of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 3212 wrote to memory of 2288	3212	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 2288 wrote to memory of 4652	2288	vbc.exe	vbc.exe
PID 4652 wrote to memory of 4676	4652	vbc.exe	vbc.exe
PID 4652 wrote to memory of 4676	4652	vbc.exe	vbc.exe
PID 4652 wrote to memory of 4676	4652	vbc.exe	vbc.exe
PID 4652 wrote to memory of 4676	4652	vbc.exe	vbc.exe
PID 4652 wrote to memory of 4676	4652	vbc.exe	vbc.exe
PID 4652 wrote to memory of 4676	4652	vbc.exe	vbc.exe
PID 4652 wrote to memory of 4676	4652	vbc.exe	vbc.exe
PID 4652 wrote to memory of 4676	4652	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
"C:\Users\Admin\AppData\Local\Temp\51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
"C:\Users\Admin\AppData\Local\Temp\51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\data.bin"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.bin
Filesize
2.1MB

MD5
d9392092af829522204277d4a8f22b32

SHA1
ff89daaf06b0ccb1c4e83cd1233f384ba2d57b46

SHA256
a5b1fa5920470a29003e5ff35153cb0c2b705be3d967d5015b4d13b5e30bca70

SHA512
bef8a08cd3a3a85cfcbf7c585fa2f29f33203a0812f0903b4bc3a1fc97ee8d8884ea968cf13bfeb30b9df358967fa1ef545622379b097346510fdf0c8ccadadc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.dat
Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.nfo
Filesize
3KB

MD5
5fae023d0f4d9d94bcdbf6b5581a71ca

SHA1
b6569e50b87b53c912430e8fe1dc1eda4192053e

SHA256
1ff222637a9ef5c034bba5747b119bba0b7635aaf308832d2410d83b89f07ea2

SHA512
97718df3e5f51d20966e4682bcd3ec29b43deafa912b46977197d51e55a1a34431f601462d658e58f5b6057e6708315b38f3a7432494ba8b0dbac31471b90b1c

Download Submit
memory/2288-157-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2288-133-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2288-132-0x0000000000000000-mapping.dmp

Download
memory/2288-137-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/3212-130-0x0000000000000000-mapping.dmp

Download
memory/4652-141-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4652-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4652-138-0x0000000000000000-mapping.dmp

Download
memory/4652-139-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4652-149-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4652-140-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4676-145-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4676-148-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4676-150-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4676-152-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4676-151-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4676-146-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4676-144-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/4676-155-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/4676-156-0x0000000001611000-0x00000000016C4000-memory.dmp

Filesize
716KB

Download
memory/4676-143-0x0000000000000000-mapping.dmp

Download
memory/4676-158-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads