Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2022 04:30

General

  • Target

    111ccfa2c355f5d866247d363a0486ed8a2f4fcc5026eaf803e94d5ffdd1e81c.exe

  • Size

    1.7MB

  • MD5

    0eb95c22607e7ff7ac2ec406c63b7e00

  • SHA1

    7ad198f32f403e667366c1e3273c613603f9349a

  • SHA256

    111ccfa2c355f5d866247d363a0486ed8a2f4fcc5026eaf803e94d5ffdd1e81c

  • SHA512

    e5ae1ebafb5f2e4aed47a1861bf88a0cf70d431570f3ca10f9222e6cadaa39a77d5068252e285d7e344b6b76cc7aeb18fe4a2d5eae53fe30242ef84886ab9231

  • SSDEEP

    49152:mS1YTuq9qE0S/IfLYmjfAko2Lj6kxs0rdhTlG:JIq0cZfAko23PI

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 12 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\111ccfa2c355f5d866247d363a0486ed8a2f4fcc5026eaf803e94d5ffdd1e81c.exe
    "C:\Users\Admin\AppData\Local\Temp\111ccfa2c355f5d866247d363a0486ed8a2f4fcc5026eaf803e94d5ffdd1e81c.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\wocualts.exe
      "C:\Users\Admin\AppData\Local\Temp\wocualts.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies registry class
      • Modifies system certificate store
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
        3⤵
        • Loads dropped DLL
        PID:1168
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
        3⤵
        • Loads dropped DLL
        PID:320
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
        3⤵
        • Loads dropped DLL
        PID:456
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Windows\system32\vbzip11.dll"
        3⤵
        • Loads dropped DLL
        PID:1820
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\vbzip11.dll"
        3⤵
        • Loads dropped DLL
        PID:1384
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\vbzip11.dll"
        3⤵
        • Loads dropped DLL
        PID:1800
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\vbzip11.dll"
        3⤵
        • Loads dropped DLL
        PID:1976
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\vbzip11.dll"
        3⤵
        • Loads dropped DLL
        PID:956

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\TEMP:C9C13817

    Filesize

    112B

    MD5

    bddc0f9ef0b62d840ff52df0ecfc15c4

    SHA1

    65f8f7c0225bedd89485e16062e70b6f001bd652

    SHA256

    904fb753995aac8a8cb2098867466b712fe852da10ae45dfa1eab1583bc1b06e

    SHA512

    f20365063d7f7878bcbcf0c8746d9e2438558602e62a4a5d68cc9a48d596789ae3c509301c0be771be06b2842b2544e7c912fc3894bd4748624ad1279af3f60f

  • C:\Users\Admin\AppData\Local\Temp\vbzip11.dll

    Filesize

    144KB

    MD5

    abee1079ea3f3e74c933915bf10a7b9b

    SHA1

    b3de541c524f46fd0c95dcefd3f7765114107910

    SHA256

    d13f6334c4cb124052d658e687a0394fb431447e5239a4f8be576c9c416705ca

    SHA512

    f046e5a1d2fb01b9999743b36a43a2a2699bff1c0cddd2351fb1a6979725634d235ab415b4784cc4aeaa6a9bd982ac88f89f82ef27cb9de7e1da5d6f4f6542d7

  • C:\Users\Admin\AppData\Local\Temp\wocualts.exe

    Filesize

    1.7MB

    MD5

    0eb95c22607e7ff7ac2ec406c63b7e00

    SHA1

    7ad198f32f403e667366c1e3273c613603f9349a

    SHA256

    111ccfa2c355f5d866247d363a0486ed8a2f4fcc5026eaf803e94d5ffdd1e81c

    SHA512

    e5ae1ebafb5f2e4aed47a1861bf88a0cf70d431570f3ca10f9222e6cadaa39a77d5068252e285d7e344b6b76cc7aeb18fe4a2d5eae53fe30242ef84886ab9231

  • C:\Windows\SysWOW64\vbzip11.dll

    Filesize

    144KB

    MD5

    abee1079ea3f3e74c933915bf10a7b9b

    SHA1

    b3de541c524f46fd0c95dcefd3f7765114107910

    SHA256

    d13f6334c4cb124052d658e687a0394fb431447e5239a4f8be576c9c416705ca

    SHA512

    f046e5a1d2fb01b9999743b36a43a2a2699bff1c0cddd2351fb1a6979725634d235ab415b4784cc4aeaa6a9bd982ac88f89f82ef27cb9de7e1da5d6f4f6542d7

  • \Users\Admin\AppData\Local\Temp\vbzip11.dll

    Filesize

    144KB

    MD5

    abee1079ea3f3e74c933915bf10a7b9b

    SHA1

    b3de541c524f46fd0c95dcefd3f7765114107910

    SHA256

    d13f6334c4cb124052d658e687a0394fb431447e5239a4f8be576c9c416705ca

    SHA512

    f046e5a1d2fb01b9999743b36a43a2a2699bff1c0cddd2351fb1a6979725634d235ab415b4784cc4aeaa6a9bd982ac88f89f82ef27cb9de7e1da5d6f4f6542d7

  • \Users\Admin\AppData\Local\Temp\wocualts.exe

    Filesize

    1.7MB

    MD5

    0eb95c22607e7ff7ac2ec406c63b7e00

    SHA1

    7ad198f32f403e667366c1e3273c613603f9349a

    SHA256

    111ccfa2c355f5d866247d363a0486ed8a2f4fcc5026eaf803e94d5ffdd1e81c

    SHA512

    e5ae1ebafb5f2e4aed47a1861bf88a0cf70d431570f3ca10f9222e6cadaa39a77d5068252e285d7e344b6b76cc7aeb18fe4a2d5eae53fe30242ef84886ab9231

  • \Windows\SysWOW64\vbzip11.dll

    Filesize

    144KB

    MD5

    abee1079ea3f3e74c933915bf10a7b9b

    SHA1

    b3de541c524f46fd0c95dcefd3f7765114107910

    SHA256

    d13f6334c4cb124052d658e687a0394fb431447e5239a4f8be576c9c416705ca

    SHA512

    f046e5a1d2fb01b9999743b36a43a2a2699bff1c0cddd2351fb1a6979725634d235ab415b4784cc4aeaa6a9bd982ac88f89f82ef27cb9de7e1da5d6f4f6542d7

  • memory/432-83-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/432-82-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/432-93-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/432-81-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/432-121-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/432-84-0x0000000000401000-0x0000000000423000-memory.dmp

    Filesize

    136KB

  • memory/432-80-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/432-74-0x0000000001ED0000-0x0000000001FB8000-memory.dmp

    Filesize

    928KB

  • memory/1048-68-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/1048-117-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

    Filesize

    8KB

  • memory/1048-65-0x0000000000401000-0x0000000000423000-memory.dmp

    Filesize

    136KB

  • memory/1048-55-0x0000000001FA0000-0x0000000002088000-memory.dmp

    Filesize

    928KB

  • memory/1048-63-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/1048-60-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/1048-64-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/1048-61-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB

  • memory/1048-62-0x0000000000400000-0x0000000000620000-memory.dmp

    Filesize

    2.1MB