c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 22:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe
Size

724KB
MD5

6367be4b03f48a294604c9f08fefbbb0
SHA1

28f86fe10dfcc9ebf9463b81763e8d1cc5b133cc
SHA256

c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0
SHA512

992b0e89e3506cf82bba28db250242d22d7e8afcdb5ee3bacd249ea5b2b08cd5c8a860ed1097d5ec5a0ef515f41439cfdd65b27747d4ca92b4fac320524612f3
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0pIG9rsYcyVw:71/aGLDCM4D8ayGMVpw

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
948	vtsqk.exe

Loads dropped DLL 2 IoCs

pid	Process
112	c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe
112	c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\vtsqk.exe"	vtsqk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 948	112	c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe	28
PID 112 wrote to memory of 948	112	c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe	28
PID 112 wrote to memory of 948	112	c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe	28
PID 112 wrote to memory of 948	112	c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe	28

C:\Users\Admin\AppData\Local\Temp\c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe
"C:\Users\Admin\AppData\Local\Temp\c7bbae3a5fb2b972c55e1c13a65ac78fa1c7aaa371b74e7f3b9bd114c7b0c0b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112
- C:\ProgramData\vtsqk.exe
  "C:\ProgramData\vtsqk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\vtsqk.exe

Filesize
454KB

MD5
5189b846d33390ac11bc53826e63915a

SHA1
75b3d6abfd63ba198b826c3fd46f2af466af8cb8

SHA256
1db7950cf2e3cbb5b9da5cf4b497628a8aa56009354ab24d8345576229877645

SHA512
c16dc683ac118aefd1750dcff61504362d917de750636a6ba76389110882fb7ce3ceabec07d52ffa65c62c8f55a3211a4f36f6b35df88e601bda4942aafeb47d

Download Submit
C:\ProgramData\vtsqk.exe

Filesize
454KB

MD5
5189b846d33390ac11bc53826e63915a

SHA1
75b3d6abfd63ba198b826c3fd46f2af466af8cb8

SHA256
1db7950cf2e3cbb5b9da5cf4b497628a8aa56009354ab24d8345576229877645

SHA512
c16dc683ac118aefd1750dcff61504362d917de750636a6ba76389110882fb7ce3ceabec07d52ffa65c62c8f55a3211a4f36f6b35df88e601bda4942aafeb47d

Download Submit
\ProgramData\vtsqk.exe

Filesize
454KB

MD5
5189b846d33390ac11bc53826e63915a

SHA1
75b3d6abfd63ba198b826c3fd46f2af466af8cb8

SHA256
1db7950cf2e3cbb5b9da5cf4b497628a8aa56009354ab24d8345576229877645

SHA512
c16dc683ac118aefd1750dcff61504362d917de750636a6ba76389110882fb7ce3ceabec07d52ffa65c62c8f55a3211a4f36f6b35df88e601bda4942aafeb47d

Download Submit
\ProgramData\vtsqk.exe

Filesize
454KB

MD5
5189b846d33390ac11bc53826e63915a

SHA1
75b3d6abfd63ba198b826c3fd46f2af466af8cb8

SHA256
1db7950cf2e3cbb5b9da5cf4b497628a8aa56009354ab24d8345576229877645

SHA512
c16dc683ac118aefd1750dcff61504362d917de750636a6ba76389110882fb7ce3ceabec07d52ffa65c62c8f55a3211a4f36f6b35df88e601bda4942aafeb47d

Download Submit
memory/112-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/112-60-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download