d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
Size

399KB
MD5

5c7ee88e5b8e989a1a48e8005a14140e
SHA1

bd7e92e5b7420ee8a60174bdb163f43666df7186
SHA256

d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f
SHA512

fe242631236aedb5b694b21f490838bc223710cfe4b2b2f6ccc0889e3d3c90ce0e64d3fc6f42055211dafbce4eb695bee3ecdf8ed7ff5dd7f49f89f2e3936f65
SSDEEP

6144:+lBH/LMujtnvkp1TULQ2Ny84KUhyd6kaevYDGwlmfThxgaJYpPD0ThwkCl:e/LN583YY8ICaevKHlmfvfWpb0Tm

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\VaultCmd.exe"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2516	VaultCmd.exe
4732	typeperf.exe
4792	VaultCmd.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	VaultCmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	typeperf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 684	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	90
PID 4732 set thread context of 4024	4732	typeperf.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe
2516	VaultCmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
Token: SeDebugPrivilege	2516	VaultCmd.exe
Token: SeDebugPrivilege	4732	typeperf.exe
Token: SeDebugPrivilege	4792	VaultCmd.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 684	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	90
PID 2336 wrote to memory of 684	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	90
PID 2336 wrote to memory of 684	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	90
PID 2336 wrote to memory of 684	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	90
PID 2336 wrote to memory of 684	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	90
PID 2336 wrote to memory of 684	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	90
PID 2336 wrote to memory of 684	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	90
PID 2336 wrote to memory of 2516	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	91
PID 2336 wrote to memory of 2516	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	91
PID 2336 wrote to memory of 2516	2336	d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe	91
PID 2516 wrote to memory of 4732	2516	VaultCmd.exe	93
PID 2516 wrote to memory of 4732	2516	VaultCmd.exe	93
PID 2516 wrote to memory of 4732	2516	VaultCmd.exe	93
PID 2516 wrote to memory of 752	2516	VaultCmd.exe	94
PID 2516 wrote to memory of 752	2516	VaultCmd.exe	94
PID 2516 wrote to memory of 752	2516	VaultCmd.exe	94
PID 752 wrote to memory of 1036	752	cmd.exe	96
PID 752 wrote to memory of 1036	752	cmd.exe	96
PID 752 wrote to memory of 1036	752	cmd.exe	96
PID 4732 wrote to memory of 4024	4732	typeperf.exe	100
PID 4732 wrote to memory of 4024	4732	typeperf.exe	100
PID 4732 wrote to memory of 4024	4732	typeperf.exe	100
PID 4732 wrote to memory of 4024	4732	typeperf.exe	100
PID 4732 wrote to memory of 4024	4732	typeperf.exe	100
PID 4732 wrote to memory of 4024	4732	typeperf.exe	100
PID 4732 wrote to memory of 4024	4732	typeperf.exe	100
PID 4732 wrote to memory of 4792	4732	typeperf.exe	101
PID 4732 wrote to memory of 4792	4732	typeperf.exe	101
PID 4732 wrote to memory of 4792	4732	typeperf.exe	101

C:\Users\Admin\AppData\Local\Temp\d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe
"C:\Users\Admin\AppData\Local\Temp\d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:684
- C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe
  "C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\typeperf.exe
    "C:\Users\Admin\AppData\Local\Temp\typeperf.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe
      "C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe" /f
      4⤵
      Modifies WinLogon for persistence
      PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\VaultCmd.exe.log

Filesize
224B

MD5
33fe65aefdd54d746621e77615d65b49

SHA1
ee39605365280eeb998e52187bb7b0b754b6941a

SHA256
6f62b06a657a489ffd5eb2ee418809b2b8017bc6e1ca7c303476d43a046ac6b6

SHA512
5112e615fc51377326574cbad681ec4f492d4fc27479f7d8313f1f7d2a12c2ae44a1820e8128edc7e3ee01e43aedfba313c252b7b343c8fd5627fd92e0121a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaultCmd.exe

Filesize
11KB

MD5
b571cd24128879c2ad9086303a8dfddc

SHA1
84ceae0866be13f019bc86a31eaddf6980c6a9da

SHA256
388ad7ca4e6403b8804269cd6c73f6a5e3a232b1f1c63687c515da77b0406a78

SHA512
646219a8d925453f8b2b1a0a7a7e4be389e024563e387f44f481e0564032bb16e2b58359a38037be935cdaa77342ec440fa8655b0df8c72e244c7dc5d4d00a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\typeperf.exe

Filesize
399KB

MD5
5c7ee88e5b8e989a1a48e8005a14140e

SHA1
bd7e92e5b7420ee8a60174bdb163f43666df7186

SHA256
d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f

SHA512
fe242631236aedb5b694b21f490838bc223710cfe4b2b2f6ccc0889e3d3c90ce0e64d3fc6f42055211dafbce4eb695bee3ecdf8ed7ff5dd7f49f89f2e3936f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\typeperf.exe

Filesize
399KB

MD5
5c7ee88e5b8e989a1a48e8005a14140e

SHA1
bd7e92e5b7420ee8a60174bdb163f43666df7186

SHA256
d3289e75ea85b991fe224624cc93c1bbc4e0cba7ad66d56a85b50bf8af87515f

SHA512
fe242631236aedb5b694b21f490838bc223710cfe4b2b2f6ccc0889e3d3c90ce0e64d3fc6f42055211dafbce4eb695bee3ecdf8ed7ff5dd7f49f89f2e3936f65

Download Submit
memory/2336-133-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2336-132-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2336-149-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-140-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-139-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-148-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4732-147-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4732-146-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4792-155-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4792-156-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download