Analysis
-
max time kernel
42s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
18-07-2022 10:42
Static task
static1
Behavioral task
behavioral1
Sample
41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe
Resource
win7-20220414-en
windows7-x64
5 signatures
150 seconds
General
-
Target
41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe
-
Size
291KB
-
MD5
f5c4755560853724cd144906222ea0e0
-
SHA1
08599b26cdd0f6e5e37a42b194ecee3390d199ef
-
SHA256
41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f
-
SHA512
ebfe4fcc477599dbe246759c13e9bf16fbdb72af579aaa0595c82fd335d2a6a3e73557d10c2b3a285eeed8d5a2d8e9b1f93caf64daf0c3a565314130cd22f076
Malware Config
Extracted
Family
vulturi
C2
http://xmarv.ddns.net:5050/gate
Attributes
-
c2_encryption_key
testxmarvel1
-
c2_user
root
Signatures
-
Vulturi payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1960-54-0x0000000001270000-0x00000000012C0000-memory.dmp family_vulturi -
Deletes itself 1 IoCs
Processes:
cmd.exepid Process 2044 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exedescription pid Process Token: SeDebugPrivilege 1960 41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.execmd.exedescription pid Process procid_target PID 1960 wrote to memory of 2044 1960 41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe 27 PID 1960 wrote to memory of 2044 1960 41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe 27 PID 1960 wrote to memory of 2044 1960 41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe 27 PID 2044 wrote to memory of 2028 2044 cmd.exe 29 PID 2044 wrote to memory of 2028 2044 cmd.exe 29 PID 2044 wrote to memory of 2028 2044 cmd.exe 29 PID 2044 wrote to memory of 2008 2044 cmd.exe 30 PID 2044 wrote to memory of 2008 2044 cmd.exe 30 PID 2044 wrote to memory of 2008 2044 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe"C:\Users\Admin\AppData\Local\Temp\41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\41974493fb3bc56d1f4f9224adcf02a7adb179adf827425b6f2f29c4ab6dec3f.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2028
-
-
C:\Windows\system32\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2008
-
-