90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0

Analysis

max time kernel
8s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
Size

78KB
MD5

aa40f7549e3e95321864e35cdda455db
SHA1

7724c529780a900aaf3754b762f02dcd37a0877c
SHA256

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0
SHA512

344e73d0c57de54dd3e4a8b262602446354127f224f41485b3a567b4f1c9605fad1b0b75f4e2c8d7c88a3d3c518b1fa6992b73168fcfac10ffa430c619e1b8e2
SSDEEP

1536:1e58AvZv0kH9gDDtWzYCnJPeoYrGQt36xy9/K1kM:1e58Al0Y9MDYrm7x9/+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp455B.tmp.exe

pid process

840 tmp455B.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp455B.tmp.exe

pid process

840 tmp455B.tmp.exe

pid	process
840	tmp455B.tmp.exe

pid	process
840	tmp455B.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe

pid	process
1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe

description pid process

Token: SeDebugPrivilege 1184 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe

description	pid	process
Token: SeDebugPrivilege	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exevbc.exe

description	pid	process	target process
PID 1184 wrote to memory of 1948	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	vbc.exe
PID 1184 wrote to memory of 1948	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	vbc.exe
PID 1184 wrote to memory of 1948	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	vbc.exe
PID 1184 wrote to memory of 1948	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	vbc.exe
PID 1948 wrote to memory of 1408	1948	vbc.exe	cvtres.exe
PID 1948 wrote to memory of 1408	1948	vbc.exe	cvtres.exe
PID 1948 wrote to memory of 1408	1948	vbc.exe	cvtres.exe
PID 1948 wrote to memory of 1408	1948	vbc.exe	cvtres.exe
PID 1184 wrote to memory of 840	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	tmp455B.tmp.exe
PID 1184 wrote to memory of 840	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	tmp455B.tmp.exe
PID 1184 wrote to memory of 840	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	tmp455B.tmp.exe
PID 1184 wrote to memory of 840	1184	90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe	tmp455B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
"C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4-jmlprx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4829.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4828.tmp"
3⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\tmp455B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp455B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
2⤵
- Executes dropped EXE
- Deletes itself
PID:840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4-jmlprx.0.vb
Filesize
14KB

MD5
8ca83bb0470c89d532df14963ef77943

SHA1
97144b5b4f329286c66eb9d20079a8c8257d500e

SHA256
c8c1660929596420c31dd5be379c4efb4083dbd7bebc5451e986f0cf5693b9f7

SHA512
2e16c0446101b21995749e99decd06104ed4f2590566a770abf5fee27a9fe1caaa3d15dc91e093fbfc4a12bbdb0d43562d89c11d356397427930e8768b5b96ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\4-jmlprx.cmdline
Filesize
266B

MD5
066ff3d26372dfcd8e6e4c3862afef21

SHA1
f55a3d44311976d95030e9dedcb5071750d3ca20

SHA256
005bae402ccb549f515a0fea17022899e2cad27dd1fbe1e2b34b20ec2f61de75

SHA512
d3c9214dc1bc9b78fcbb6939bdf850c496f73310381923d8c8cc548cd4ce91173cdb602f33031b208d6c05eb41fc4677eb8446bf8664f71785facd2ed9b8ed54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4829.tmp
Filesize
1KB

MD5
c2333c08c59dc3ca19b37d64203d9e4d

SHA1
6d793c4fc239e7d4a3c4ca5ec5a374b4e02972d2

SHA256
51ed36273354a37e36177aa392c8446a6e6c7c320c56186da127533e1911a1c7

SHA512
28ed0f4b68cc2eb009ca373f44d30a4ea878a807eee7a42fb3d1566b6dea258aa73efa95870bd8e91ed49fcf84268682816cca2d024fec7b9e1df8548dd284cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp455B.tmp.exe
Filesize
78KB

MD5
59fb2fb23787bb38d027a6d2b1f8066f

SHA1
705c2d3deef3095ef7f9f5a9d981607723df60fd

SHA256
119448f4cb1b6532bc093f88d93cf96fced78ee1e19970e6e9bd0b024563dae8

SHA512
9038eb42b120f054fa8dee93d76fa729faa32794dc6f930f44541b11e4e798b0808438c28c574610aac01cb09755107ea514dedb71406cf14f1f857b7b9b1f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp455B.tmp.exe
Filesize
78KB

MD5
59fb2fb23787bb38d027a6d2b1f8066f

SHA1
705c2d3deef3095ef7f9f5a9d981607723df60fd

SHA256
119448f4cb1b6532bc093f88d93cf96fced78ee1e19970e6e9bd0b024563dae8

SHA512
9038eb42b120f054fa8dee93d76fa729faa32794dc6f930f44541b11e4e798b0808438c28c574610aac01cb09755107ea514dedb71406cf14f1f857b7b9b1f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4828.tmp
Filesize
660B

MD5
505a02a324c8b888f9b5e635e8ed3468

SHA1
67c038cd4eb6ce8f40c454632f49ef6573182da2

SHA256
63b4a5427036769e7c0018c0ed56d91d4e76f11a012f731b108a4b050e762543

SHA512
cc2033ae1c4003214b93231def73a71dbd04b30777c98fd090e271620e383101a703bf3e67042e2ca574c7b885c029fa18dcb9131888eb849ec76e168cdb9913

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp455B.tmp.exe
Filesize
78KB

MD5
59fb2fb23787bb38d027a6d2b1f8066f

SHA1
705c2d3deef3095ef7f9f5a9d981607723df60fd

SHA256
119448f4cb1b6532bc093f88d93cf96fced78ee1e19970e6e9bd0b024563dae8

SHA512
9038eb42b120f054fa8dee93d76fa729faa32794dc6f930f44541b11e4e798b0808438c28c574610aac01cb09755107ea514dedb71406cf14f1f857b7b9b1f47

Download Submit
\Users\Admin\AppData\Local\Temp\tmp455B.tmp.exe
Filesize
78KB

MD5
59fb2fb23787bb38d027a6d2b1f8066f

SHA1
705c2d3deef3095ef7f9f5a9d981607723df60fd

SHA256
119448f4cb1b6532bc093f88d93cf96fced78ee1e19970e6e9bd0b024563dae8

SHA512
9038eb42b120f054fa8dee93d76fa729faa32794dc6f930f44541b11e4e798b0808438c28c574610aac01cb09755107ea514dedb71406cf14f1f857b7b9b1f47

Download Submit
memory/840-66-0x0000000000000000-mapping.dmp

Download
memory/840-70-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-55-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-69-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1408-60-0x0000000000000000-mapping.dmp

Download
memory/1948-56-0x0000000000000000-mapping.dmp

Download