Analysis
-
max time kernel
47s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220715-en -
submitted
18-07-2022 10:42
Static task
static1
Behavioral task
behavioral1
Sample
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe
Resource
win7-20220715-en
windows7-x64
5 signatures
150 seconds
General
-
Target
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe
-
Size
291KB
-
MD5
3980243d51a4bcdbcfe35b7023ce62e4
-
SHA1
501e41381ce09c277b265c2ebef9db6e3b91ade1
-
SHA256
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008
-
SHA512
5eee744c4a364508c54f9188bc07eca2784df33bf5d528a56d9cd8795ddeabb3526cb3e41dd812a0b82869ef0ad68535b4fdfee79b6f27d3d12fcb197844af89
Malware Config
Extracted
Family
vulturi
C2
http://193.142.59.123:5050/gate
Attributes
-
c2_encryption_key
Bigmoney916
-
c2_user
root
Signatures
-
Vulturi payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2004-54-0x00000000011F0000-0x0000000001240000-memory.dmp family_vulturi -
Deletes itself 1 IoCs
Processes:
cmd.exepid Process 1548 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exedescription pid Process Token: SeDebugPrivilege 2004 a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.execmd.exedescription pid Process procid_target PID 2004 wrote to memory of 1548 2004 a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe 27 PID 2004 wrote to memory of 1548 2004 a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe 27 PID 2004 wrote to memory of 1548 2004 a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe 27 PID 1548 wrote to memory of 1592 1548 cmd.exe 29 PID 1548 wrote to memory of 1592 1548 cmd.exe 29 PID 1548 wrote to memory of 1592 1548 cmd.exe 29 PID 1548 wrote to memory of 1596 1548 cmd.exe 30 PID 1548 wrote to memory of 1596 1548 cmd.exe 30 PID 1548 wrote to memory of 1596 1548 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe"C:\Users\Admin\AppData\Local\Temp\a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:1592
-
-
C:\Windows\system32\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1596
-
-