8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c

Analysis

max time kernel
163s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
Size

261KB
MD5

f00b2c8bb2dce819f1f8d8cf17fbae18
SHA1

2a989c9e6404601630055b82668c0af9a6aef2c3
SHA256

8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c
SHA512

bb21ae35d399d21c5ae5c8ffea25da6eb3a6c5f59dda89d62e679a1c3efb4553ab4cd5734088a2c727e160d985c3359c7ef71e6a46dc7df1575f5938f9e8d5eb
SSDEEP

6144:/gLWwMfpMS+3nsFJRMgWrIgAcCSo3UroHsFDwBUpQ:NbheKJRMrESo3U0Hsa62

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4812	vindows.exe
1324	vindows.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	vindows.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vindows = "C:\\Windows\\vindows.exe"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vindows = "C:\\Windows\\vindows.exe"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3628 set thread context of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 4812 set thread context of 1324	4812	vindows.exe	85

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vindows.exe	cmd.exe
File opened for modification	C:\Windows\vindows.exe	vindows.exe
File opened for modification	C:\Windows\vindows.reg	vindows.exe
File created	C:\Windows\vindows.reg	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
File created	C:\Windows\vindows.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 2 IoCs

pid	Process
5112	regedit.exe
1596	regedit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
4812	vindows.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 3628 wrote to memory of 2128	3628	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	78
PID 2128 wrote to memory of 3280	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	79
PID 2128 wrote to memory of 3280	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	79
PID 2128 wrote to memory of 3280	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	79
PID 2128 wrote to memory of 3440	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	81
PID 2128 wrote to memory of 3440	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	81
PID 2128 wrote to memory of 3440	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	81
PID 3280 wrote to memory of 5112	3280	cmd.exe	83
PID 3280 wrote to memory of 5112	3280	cmd.exe	83
PID 3280 wrote to memory of 5112	3280	cmd.exe	83
PID 2128 wrote to memory of 4812	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	84
PID 2128 wrote to memory of 4812	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	84
PID 2128 wrote to memory of 4812	2128	8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe	84
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 4812 wrote to memory of 1324	4812	vindows.exe	85
PID 1324 wrote to memory of 4732	1324	vindows.exe	86
PID 1324 wrote to memory of 4732	1324	vindows.exe	86
PID 1324 wrote to memory of 4732	1324	vindows.exe	86
PID 4732 wrote to memory of 1596	4732	cmd.exe	88
PID 4732 wrote to memory of 1596	4732	cmd.exe	88
PID 4732 wrote to memory of 1596	4732	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
"C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
  C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c regedit /s C:\Windows\vindows.reg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\vindows.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd /c copy "C:\Users\Admin\AppData\Local\Temp\8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c.exe" C:\Windows\vindows.exe
    3⤵
    - Drops file in Windows directory
    PID:3440
- - C:\Windows\vindows.exe
    "C:\Windows\vindows.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\vindows.exe
      C:\Windows\vindows.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c regedit /s C:\Windows\vindows.reg
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4732
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\vindows.reg
        6⤵
        Adds Run key to start application
        Runs .reg file with regedit
        
        PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\vindows.exe

Filesize
261KB

MD5
f00b2c8bb2dce819f1f8d8cf17fbae18

SHA1
2a989c9e6404601630055b82668c0af9a6aef2c3

SHA256
8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c

SHA512
bb21ae35d399d21c5ae5c8ffea25da6eb3a6c5f59dda89d62e679a1c3efb4553ab4cd5734088a2c727e160d985c3359c7ef71e6a46dc7df1575f5938f9e8d5eb

Download Submit
C:\Windows\vindows.exe

Filesize
261KB

MD5
f00b2c8bb2dce819f1f8d8cf17fbae18

SHA1
2a989c9e6404601630055b82668c0af9a6aef2c3

SHA256
8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c

SHA512
bb21ae35d399d21c5ae5c8ffea25da6eb3a6c5f59dda89d62e679a1c3efb4553ab4cd5734088a2c727e160d985c3359c7ef71e6a46dc7df1575f5938f9e8d5eb

Download Submit
C:\Windows\vindows.exe

Filesize
261KB

MD5
f00b2c8bb2dce819f1f8d8cf17fbae18

SHA1
2a989c9e6404601630055b82668c0af9a6aef2c3

SHA256
8cdbbb9347f6027e32a1a9e695e40857678dcbf05978cee27ed7fb7a6fde0d2c

SHA512
bb21ae35d399d21c5ae5c8ffea25da6eb3a6c5f59dda89d62e679a1c3efb4553ab4cd5734088a2c727e160d985c3359c7ef71e6a46dc7df1575f5938f9e8d5eb

Download Submit
C:\Windows\vindows.reg

Filesize
143B

MD5
3adad21ee7c75e17fe87092ce490da4f

SHA1
c1a4b3fddf78e56254a22c2c5af823756f342ca3

SHA256
2e3d80175119e08bbe8455ec9da444bfd380b6d82d2b3eb26be0842bd49dc24d

SHA512
07c38f33bd1b7cec712fcdc3594e9d3285747d12715233d4df1a91b99e1e40ed6e8765265f85a26cc0684116cefffbc4ec7c027a3be60a485f029e7c183cb860

Download Submit
C:\Windows\vindows.reg

Filesize
143B

MD5
3adad21ee7c75e17fe87092ce490da4f

SHA1
c1a4b3fddf78e56254a22c2c5af823756f342ca3

SHA256
2e3d80175119e08bbe8455ec9da444bfd380b6d82d2b3eb26be0842bd49dc24d

SHA512
07c38f33bd1b7cec712fcdc3594e9d3285747d12715233d4df1a91b99e1e40ed6e8765265f85a26cc0684116cefffbc4ec7c027a3be60a485f029e7c183cb860

Download Submit
memory/2128-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2128-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2128-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2128-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2128-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2128-145-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2128-140-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2128-136-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download