41dd61b6e7d423a44ec56cb6218cb42f9aa58757d27c2315cd4e95652fd79583

Analysis

max time kernel
188s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41dd61b6e7d423a44ec56cb6218cb42f9aa58757d27c2315cd4e95652fd79583.exe
Size

680KB
MD5

73c66e800cc53fe39510c7667854ab00
SHA1

4302d5b7339ee644b9e0ae1de3e3257a3d478ad9
SHA256

41dd61b6e7d423a44ec56cb6218cb42f9aa58757d27c2315cd4e95652fd79583
SHA512

37216bfa445dd5cb5803949a681d22a63e59cba49812e4848f284cc2669caa04943022a784a22605ed04297786c0ce34f589b92fe15d0c59d88fb3d0169f92d0
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxe3t7Ax8tUNXnXxII6:P1/aGLDCM4D8ayGMZo1361XX6N

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	vtlmq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\vtlmq.exe"	vtlmq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1968	2676	41dd61b6e7d423a44ec56cb6218cb42f9aa58757d27c2315cd4e95652fd79583.exe	80
PID 2676 wrote to memory of 1968	2676	41dd61b6e7d423a44ec56cb6218cb42f9aa58757d27c2315cd4e95652fd79583.exe	80
PID 2676 wrote to memory of 1968	2676	41dd61b6e7d423a44ec56cb6218cb42f9aa58757d27c2315cd4e95652fd79583.exe	80

C:\Users\Admin\AppData\Local\Temp\41dd61b6e7d423a44ec56cb6218cb42f9aa58757d27c2315cd4e95652fd79583.exe
"C:\Users\Admin\AppData\Local\Temp\41dd61b6e7d423a44ec56cb6218cb42f9aa58757d27c2315cd4e95652fd79583.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\ProgramData\vtlmq.exe
  "C:\ProgramData\vtlmq.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
405KB

MD5
004509392d1abc55335706d2d2ce3473

SHA1
ebdf7a8a7d125d486b458bc7ae54cb625d471545

SHA256
13a55d7d522d4d1a970ac2891b168ea0f136e7bdc95474a253672137d5369999

SHA512
af38d700280b0e8fca33683045be82c350a2663c0529962a3d6b2f0b0f81265e7fac2d40b5a30c95bf2dd21af9347e2b58dcebae9ea802e7bd9dff4db651a3f5

Download Submit
C:\ProgramData\vtlmq.exe

Filesize
274KB

MD5
3bab08e124393ddd7eae926f461a978a

SHA1
d16061ddf951ee8341bc3587e9c36d42c2c25f04

SHA256
e231548da97c4eb26211bd530786808b6789b09bc0ae2e78ec67d298f15ea444

SHA512
a9b52c7f8cc8475ccda3e4355d1a090124ed3bc42ea635f1bec6769f99abe8c3c3cb4dda3bc80cec450fd77a0d111aea5a9cbb8aa971227ca49a28e60e8771cb

Download Submit
C:\ProgramData\vtlmq.exe

Filesize
274KB

MD5
3bab08e124393ddd7eae926f461a978a

SHA1
d16061ddf951ee8341bc3587e9c36d42c2c25f04

SHA256
e231548da97c4eb26211bd530786808b6789b09bc0ae2e78ec67d298f15ea444

SHA512
a9b52c7f8cc8475ccda3e4355d1a090124ed3bc42ea635f1bec6769f99abe8c3c3cb4dda3bc80cec450fd77a0d111aea5a9cbb8aa971227ca49a28e60e8771cb

Download Submit