Analysis
-
max time kernel
45s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220715-en -
submitted
18-07-2022 10:42
General
-
Target
d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe
-
Size
291KB
-
MD5
ccff73a120d6a999553a1e835db041f5
-
SHA1
570efb3ef55a5ef00e79a78b3e9d26c5d32d4508
-
SHA256
d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae
-
SHA512
80905bf30b07d43b88ac790e22a57d38111010de913362e265e806395d49b59f2f07123aaef1c364bb89d70a59d8170da9d4fbe578c7d14c388d3403daad4953
Score
10/10
Malware Config
Extracted
Family
vulturi
C2
http://192.168.1.2:5050/gate
Attributes
-
c2_encryption_key
testkey
-
c2_user
root
Signatures
-
Vulturi
An info stealer written in C# and first seen in January 2021.
-
Vulturi payload 1 IoCs
-
Deletes itself 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe"C:\Users\Admin\AppData\Local\Temp\d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
320KB
-
Filesize
8KB