Analysis
  Max time kernel: 150s
  Max time network: 159s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220721-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 24-07-2022 22:34
Behavioral task
  Task: behavioral1
  Sample: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
  Resource: win7-20220718-en
  Platform: windows7-x64
  7 signatures
  150 seconds
General
  Target: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
  Size: 59KB
  MD5: a2c47f6ffe53125d0dc415d5850ca2b8
  SHA1: 2fd768534db11f92fbd55b085652bf39a08a0bea
  SHA256: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002
  SHA512: bbafc1c36217d1b7d52d8954118a4425752f87efd7d0cc4067c4338d86f19d54ab671ecdc42cec93d82d5612754e8797121e2f05b5bffe9899c7cf27ab9deba9
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
  Process: vaultconvert.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (3 IoCs)
  Process: vaultconvert.exe
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Process: vaultconvert.exe
  - PID 1728 vaultconvert.exe (14 occurrences)
Suspicious behavior: RenamesItself (1 IoC)
  Process: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
  - PID 3868 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe, vaultconvert.exe
  - PID 3520 (9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe) wrote to memory of PID 3868 (9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe): 3 occurrences
  - PID 5040 (vaultconvert.exe) wrote to memory of PID 1728 (vaultconvert.exe): 3 occurrences
Processes
  C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe (child)
      Command line: --9f5ded2d
      - Suspicious behavior: RenamesItself
  C:\Windows\SysWOW64\vaultconvert.exe
    Command line: "C:\Windows\SysWOW64\vaultconvert.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vaultconvert.exe (child)
      Command line: --7c6c69d3
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses