3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f

Analysis

max time kernel
151s
max time network
118s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
Size

1.8MB
MD5

82629e3fbcaec576d07f8ef9d1640064
SHA1

08a43edd3f8abd89931b955d4bb88a02eef525d7
SHA256

3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f
SHA512

3e96d49d364f520fa224341d1619092569d60341e1d3d3753766c0a3b121588fe665f5f242cec8f63273c88d661fdce55772f51a1635f4a2222b1e2304a23c2b
SSDEEP

49152:LJZoQrbTFZY1iayaESazeshkBhKrLjXnQMk:LtrbTA1maRazDhDrXnQZ

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-72-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1724-75-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1724-76-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1724-79-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1724-80-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/856-87-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/856-90-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/856-93-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/856-97-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/856-99-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/856-100-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/856-101-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1724-108-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 set thread context of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1936 set thread context of 856	1936	vbc.exe	33

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pavk.bin	vbc.exe
File opened for modification	C:\Windows\ProcessHacker.exe	vbc.exe
File opened for modification	C:\Windows\kprocesshacker.sys	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
856	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe
1724	vbc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1724	vbc.exe
1936	vbc.exe
856	vbc.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1352	1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	26
PID 1388 wrote to memory of 1352	1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	26
PID 1388 wrote to memory of 1352	1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	26
PID 1388 wrote to memory of 1352	1388	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	26
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1936	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	27
PID 1352 wrote to memory of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1352 wrote to memory of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1352 wrote to memory of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1352 wrote to memory of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1352 wrote to memory of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1352 wrote to memory of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1352 wrote to memory of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1352 wrote to memory of 1724	1352	3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe	28
PID 1724 wrote to memory of 1844	1724	vbc.exe	30
PID 1724 wrote to memory of 1844	1724	vbc.exe	30
PID 1724 wrote to memory of 1844	1724	vbc.exe	30
PID 1724 wrote to memory of 1844	1724	vbc.exe	30
PID 1936 wrote to memory of 856	1936	vbc.exe	33
PID 1936 wrote to memory of 856	1936	vbc.exe	33
PID 1936 wrote to memory of 856	1936	vbc.exe	33
PID 1936 wrote to memory of 856	1936	vbc.exe	33
PID 1936 wrote to memory of 856	1936	vbc.exe	33
PID 1936 wrote to memory of 856	1936	vbc.exe	33
PID 1936 wrote to memory of 856	1936	vbc.exe	33
PID 1936 wrote to memory of 856	1936	vbc.exe	33
PID 1724 wrote to memory of 1588	1724	vbc.exe	35
PID 1724 wrote to memory of 1588	1724	vbc.exe	35
PID 1724 wrote to memory of 1588	1724	vbc.exe	35
PID 1724 wrote to memory of 1588	1724	vbc.exe	35

C:\Users\Admin\AppData\Local\Temp\3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
"C:\Users\Admin\AppData\Local\Temp\3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe
  "C:\Users\Admin\AppData\Local\Temp\3def2892211bc62ad4d1c268d2c76fa509d9cf85be2ea30342a6c9c2b288106f.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\FPsLfqcVX
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del /q /f %temp%\*.lnk
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c start %temp%\xkNoOpSFd.exe
      4⤵
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FPsLfqcVX

Filesize
834KB

MD5
f35bfbba1d9a8a51ed27d3ffd24ae5bd

SHA1
39d82a7599bdb60d3b7f10cf81e3ddfeba80de31

SHA256
5700b1983a2f5acd3013f28ec17894bb77d1994eea11dd4f5013ffb05481753a

SHA512
05d6fb6ff662ae12844307eaa1496806e123411793a5568314c4f0f34361531e9b6b3b2678d6304c2d7de0be57fbc35a4828c770d925e95df4e6feccb4be6781

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.dat

Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.nfo

Filesize
3KB

MD5
5fae023d0f4d9d94bcdbf6b5581a71ca

SHA1
b6569e50b87b53c912430e8fe1dc1eda4192053e

SHA256
1ff222637a9ef5c034bba5747b119bba0b7635aaf308832d2410d83b89f07ea2

SHA512
97718df3e5f51d20966e4682bcd3ec29b43deafa912b46977197d51e55a1a34431f601462d658e58f5b6057e6708315b38f3a7432494ba8b0dbac31471b90b1c

Download Submit
memory/856-109-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/856-101-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/856-86-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/856-105-0x0000000001611000-0x00000000016C4000-memory.dmp

Filesize
716KB

Download
memory/856-104-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/856-110-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/856-87-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/856-90-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/856-100-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/856-99-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/856-97-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/856-93-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1724-80-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-70-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-108-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-76-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-75-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-72-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-79-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1936-69-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-96-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-73-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-67-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-65-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-63-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-62-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-58-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-82-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-61-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1936-59-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download