8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
Size

261KB
MD5

f00b2c8bb2dce819f1f8d8cf17fbae18
SHA1

2a989c9e6404601630055b82668c0af9a6aef2c3
SHA256

8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c
SHA512

bb21ae35d399d21c5ae5c8ffea25da6eb3a6c5f59dda89d62e679a1c3efb4553ab4cd5734088a2c727e160d985c3359c7ef71e6a46dc7df1575f5938f9e8d5eb
SSDEEP

6144:/gLWwMfpMS+3nsFJRMgWrIgAcCSo3UroHsFDwBUpQ:NbheKJRMrESo3U0Hsa62

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1116	vindows.exe
1992	vindows.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vindows = "C:\\Windows\\vindows.exe"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vindows = "C:\\Windows\\vindows.exe"	regedit.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1116 set thread context of 1992	1116	vindows.exe	36

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vindows.reg	vindows.exe
File created	C:\Windows\vindows.reg	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
File created	C:\Windows\vindows.exe	cmd.exe
File opened for modification	C:\Windows\vindows.exe	cmd.exe
File opened for modification	C:\Windows\vindows.exe	vindows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 2 IoCs

pid	Process
916	regedit.exe
924	regedit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
1116	vindows.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1092 wrote to memory of 1072	1092	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	27
PID 1072 wrote to memory of 1648	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	30
PID 1072 wrote to memory of 1648	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	30
PID 1072 wrote to memory of 1648	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	30
PID 1072 wrote to memory of 1648	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	30
PID 1072 wrote to memory of 532	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	32
PID 1072 wrote to memory of 532	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	32
PID 1072 wrote to memory of 532	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	32
PID 1072 wrote to memory of 532	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	32
PID 1648 wrote to memory of 916	1648	cmd.exe	34
PID 1648 wrote to memory of 916	1648	cmd.exe	34
PID 1648 wrote to memory of 916	1648	cmd.exe	34
PID 1648 wrote to memory of 916	1648	cmd.exe	34
PID 1072 wrote to memory of 1116	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	35
PID 1072 wrote to memory of 1116	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	35
PID 1072 wrote to memory of 1116	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	35
PID 1072 wrote to memory of 1116	1072	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	35
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1116 wrote to memory of 1992	1116	vindows.exe	36
PID 1992 wrote to memory of 1732	1992	vindows.exe	37
PID 1992 wrote to memory of 1732	1992	vindows.exe	37
PID 1992 wrote to memory of 1732	1992	vindows.exe	37
PID 1992 wrote to memory of 1732	1992	vindows.exe	37
PID 1732 wrote to memory of 924	1732	cmd.exe	39
PID 1732 wrote to memory of 924	1732	cmd.exe	39
PID 1732 wrote to memory of 924	1732	cmd.exe	39
PID 1732 wrote to memory of 924	1732	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
"C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
  C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c regedit /s C:\Windows\vindows.reg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\vindows.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd /c copy "C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe" C:\Windows\vindows.exe
    3⤵
    - Drops file in Windows directory
    PID:532
- - C:\Windows\vindows.exe
    "C:\Windows\vindows.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\vindows.exe
      C:\Windows\vindows.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c regedit /s C:\Windows\vindows.reg
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\vindows.reg
        6⤵
        Adds Run key to start application
        Runs .reg file with regedit
        
        PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\vindows.exe

Filesize
261KB

MD5
f00b2c8bb2dce819f1f8d8cf17fbae18

SHA1
2a989c9e6404601630055b82668c0af9a6aef2c3

SHA256
8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c

SHA512
bb21ae35d399d21c5ae5c8ffea25da6eb3a6c5f59dda89d62e679a1c3efb4553ab4cd5734088a2c727e160d985c3359c7ef71e6a46dc7df1575f5938f9e8d5eb

Download Submit
C:\Windows\vindows.exe

Filesize
261KB

MD5
f00b2c8bb2dce819f1f8d8cf17fbae18

SHA1
2a989c9e6404601630055b82668c0af9a6aef2c3

SHA256
8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c

SHA512
bb21ae35d399d21c5ae5c8ffea25da6eb3a6c5f59dda89d62e679a1c3efb4553ab4cd5734088a2c727e160d985c3359c7ef71e6a46dc7df1575f5938f9e8d5eb

Download Submit
C:\Windows\vindows.exe

Filesize
261KB

MD5
f00b2c8bb2dce819f1f8d8cf17fbae18

SHA1
2a989c9e6404601630055b82668c0af9a6aef2c3

SHA256
8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c

SHA512
bb21ae35d399d21c5ae5c8ffea25da6eb3a6c5f59dda89d62e679a1c3efb4553ab4cd5734088a2c727e160d985c3359c7ef71e6a46dc7df1575f5938f9e8d5eb

Download Submit
C:\Windows\vindows.reg

Filesize
143B

MD5
3adad21ee7c75e17fe87092ce490da4f

SHA1
c1a4b3fddf78e56254a22c2c5af823756f342ca3

SHA256
2e3d80175119e08bbe8455ec9da444bfd380b6d82d2b3eb26be0842bd49dc24d

SHA512
07c38f33bd1b7cec712fcdc3594e9d3285747d12715233d4df1a91b99e1e40ed6e8765265f85a26cc0684116cefffbc4ec7c027a3be60a485f029e7c183cb860

Download Submit
C:\Windows\vindows.reg

Filesize
143B

MD5
3adad21ee7c75e17fe87092ce490da4f

SHA1
c1a4b3fddf78e56254a22c2c5af823756f342ca3

SHA256
2e3d80175119e08bbe8455ec9da444bfd380b6d82d2b3eb26be0842bd49dc24d

SHA512
07c38f33bd1b7cec712fcdc3594e9d3285747d12715233d4df1a91b99e1e40ed6e8765265f85a26cc0684116cefffbc4ec7c027a3be60a485f029e7c183cb860

Download Submit
memory/1072-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-77-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1072-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-73-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-59-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download