Analysis
max time kernel: 136s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 18-07-2022 10:42
Static task: static1
Behavioral task: behavioral1
Sample: d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe
Resource: win7-20220715-en
General
Target: d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe
Size: 291KB
MD5: ccff73a120d6a999553a1e835db041f5
SHA1: 570efb3ef55a5ef00e79a78b3e9d26c5d32d4508
SHA256: d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae
SHA512: 80905bf30b07d43b88ac790e22a57d38111010de913362e265e806395d49b59f2f07123aaef1c364bb89d70a59d8170da9d4fbe578c7d14c388d3403daad4953
Malware Config
Extracted
vulturi
http://192.168.1.2:5050/gate
c2_encryption_key: testkey
c2_user: root
Signatures

Vulturi payload (1 IoCs)
Processes:
  resource: behavioral2/memory/1496-130-0x00000000008A0000-0x00000000008F0000-memory.dmp
  yara_rule: family_vulturi

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  process: d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe
  description: Token: SeDebugPrivilege
  pid: 1496
  process: d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe, cmd.exe
  description | pid | process | target process
  PID 1496 wrote to memory of 1140 | 1496 | d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe | cmd.exe
  PID 1496 wrote to memory of 1140 | 1496 | d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe | cmd.exe
  PID 1140 wrote to memory of 2140 | 1140 | cmd.exe | chcp.com
  PID 1140 wrote to memory of 2140 | 1140 | cmd.exe | chcp.com
  PID 1140 wrote to memory of 3476 | 1140 | cmd.exe | PING.EXE
  PID 1140 wrote to memory of 3476 | 1140 | cmd.exe | PING.EXE
Processes

(1) C:\Users\Admin\AppData\Local\Temp\d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  (2) C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\d67a671a38113fd35c9641e21986e3145b55cfed8145b1152f0ceb091f05d4ae.exe"
      - Suspicious use of WriteProcessMemory

    (3) C:\Windows\system32\chcp.com
        Command line: chcp 65001

    (3) C:\Windows\system32\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1140-133-0x0000000000000000-mapping.dmp
memory/1496-130-0x00000000008A0000-0x00000000008F0000-memory.dmp (Filesize: 320KB)
memory/1496-131-0x00007FFC6FAB0000-0x00007FFC70571000-memory.dmp (Filesize: 10.8MB)
memory/1496-132-0x00007FFC6FAB0000-0x00007FFC70571000-memory.dmp (Filesize: 10.8MB)
memory/1496-135-0x00007FFC6FAB0000-0x00007FFC70571000-memory.dmp (Filesize: 10.8MB)
memory/2140-134-0x0000000000000000-mapping.dmp
memory/3476-136-0x0000000000000000-mapping.dmp