Analysis
-
max time kernel
49s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20220715-en -
submitted
18-07-2022 10:42
Static task
static1
Behavioral task
behavioral1
Sample
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe
Resource
win7-20220715-en
General
-
Target
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe
-
Size
291KB
-
MD5
3980243d51a4bcdbcfe35b7023ce62e4
-
SHA1
501e41381ce09c277b265c2ebef9db6e3b91ade1
-
SHA256
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008
-
SHA512
5eee744c4a364508c54f9188bc07eca2784df33bf5d528a56d9cd8795ddeabb3526cb3e41dd812a0b82869ef0ad68535b4fdfee79b6f27d3d12fcb197844af89
Malware Config
Extracted
vulturi
http://193.142.59.123:5050/gate
-
c2_encryption_key
Bigmoney916
-
c2_user
root
Signatures
-
Vulturi payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4064-130-0x0000000000100000-0x0000000000150000-memory.dmp family_vulturi -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\Control Panel\International\Geo\Nation a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exedescription pid Process Token: SeDebugPrivilege 4064 a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.execmd.exedescription pid Process procid_target PID 4064 wrote to memory of 4436 4064 a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe 77 PID 4064 wrote to memory of 4436 4064 a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe 77 PID 4436 wrote to memory of 4584 4436 cmd.exe 79 PID 4436 wrote to memory of 4584 4436 cmd.exe 79 PID 4436 wrote to memory of 2532 4436 cmd.exe 80 PID 4436 wrote to memory of 2532 4436 cmd.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe"C:\Users\Admin\AppData\Local\Temp\a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a5650e96f4ab48e6fcb43efc498f7ba9d9808d786d158d63712444ddcfeea008.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:4584
-
-
C:\Windows\system32\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2532
-
-