Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 13-11-2022 13:29
Static task: static1
Behavioral task: behavioral1
Sample: 6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
Resource: win10v2004-20220812-en
General
Target: 6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
Size: 78KB
MD5: abc3226e9fd2606a3a3d6568c2a717bf
SHA1: 62d6486d7d04639445f90eb9943fa9b0a3e1222e
SHA256: 6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d
SHA512: f81bc5d0351603378ef52babdaa51571db6990bdd929cdb388e9c4a53642d6203619ca94f5144c8bda1b9992c18b8cde89de2a0bbd9bc327b4e1894a41d64438
SSDEEP: 1536:g5jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC689/d1hM:g5j9n7N041QqhgE9/G
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1244  tmp782.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmp782.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2364  6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
    Token: SeDebugPrivilege  1244  tmp782.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 2364 wrote to memory of 4844  2364  6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe  vbc.exe
    PID 2364 wrote to memory of 4844  2364  6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe  vbc.exe
    PID 2364 wrote to memory of 4844  2364  6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe  vbc.exe
    PID 4844 wrote to memory of 860   4844  vbc.exe  cvtres.exe
    PID 4844 wrote to memory of 860   4844  vbc.exe  cvtres.exe
    PID 4844 wrote to memory of 860   4844  vbc.exe  cvtres.exe
    PID 2364 wrote to memory of 1244  2364  6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe  tmp782.tmp.exe
    PID 2364 wrote to memory of 1244  2364  6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe  tmp782.tmp.exe
    PID 2364 wrote to memory of 1244  2364  6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe  tmp782.tmp.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe"
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dcs9vfbd.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1165.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEE200834C5F4CFE868083BEF79D98BC.TMP"
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\tmp782.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp782.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES1165.tmp
  Filesize: 1KB
  MD5: bff054f1df6d70dcc9f55288741ef62a
  SHA1: 98f3b76b4e131acf28c8f72ab1c8174f72e3c344
  SHA256: 8cc6c56ee4d88053d13e5c872a330a33980ef6c1b20a0350cb6d6720c13b8d9b
  SHA512: 6dc4db4522df0f7179070a31af6e793999efeac8c36c0ee9cc0df4e6cf75fdd7bf23b1907229014926a66bfb06c65f1a4e45d1df3d34f15883c8b97ee35a4521
- C:\Users\Admin\AppData\Local\Temp\dcs9vfbd.0.vb
  Filesize: 14KB
  MD5: 100d312405778c1381ac0c1e96f52c5e
  SHA1: 6d364f370b62eeb6210670099319b3d2a4194ebc
  SHA256: b93a6848e0ced40327ee93361f8f72cd2425f245049c70d9c79cd36d2806ed6d
  SHA512: b0778f3d4ae22dabc4df305f207f2aa91f3296d66e22fb6ae2c1430b3ba91675d72a1a3ea303184c3d8d4c4c245c33c559c0abfaa7a795023184489ad456ca99
- C:\Users\Admin\AppData\Local\Temp\dcs9vfbd.cmdline
  Filesize: 265B
  MD5: bd2ab52d3a63191a48bdf9c055e0418a
  SHA1: 53c823688ac3fda273478bf6c036208f04ebec11
  SHA256: eb1fb776130b25715d24fffa1b28601b3530ede88cada60f6300be1df3fe2e76
  SHA512: 6c4a60f88f3564696f21e35664d3977dc97e84a5518a9a27f57e8a659deefd999e6348443ebfb2046b4f099f264ac706bc0bc13fd9bd6a9c5aed3af8e699f42e
- C:\Users\Admin\AppData\Local\Temp\tmp782.tmp.exe
  Filesize: 78KB
  MD5: f10d89f92f43db0b4d308f534dfd9608
  SHA1: dbb0ff549def1a0578c0e2299b63f821101c85b3
  SHA256: 31c89a3896c9be5b6251acb01340d2365f2151e8ea514b459921c87d306530e3
  SHA512: 935c382fc7061d15ef0711743d55ae16d16eb49f032ab22cc3b149d46609e43c65f959a8327eaf8adaaff9c5748c7ad66079ec7a5d611be186f1e065e84be277
- C:\Users\Admin\AppData\Local\Temp\vbcFEE200834C5F4CFE868083BEF79D98BC.TMP
  Filesize: 660B
  MD5: e4cddf16c86c4d0fa4a67026fb5cbcb7
  SHA1: 247db333454e7e39c7bd3d0e37e88e02c6026993
  SHA256: 8de400630ececec89eac0be668fe45bbbf3b0136b5de40e73770bacbb812b583
  SHA512: 56d33534daa93b82acdd1ee2d617e3461703de9ddf26c92a321aecdaf3add16111a6bbe34e8881f71003e1386140e357d1d0855a600f3d7ee59c1e667f8c14a5
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/860-137-0x0000000000000000-mapping.dmp
- memory/1244-141-0x0000000000000000-mapping.dmp
- memory/1244-143-0x0000000074E90000-0x0000000075441000-memory.dmp
  Filesize: 5.7MB
- memory/1244-145-0x0000000074E90000-0x0000000075441000-memory.dmp
  Filesize: 5.7MB
- memory/2364-132-0x0000000074E90000-0x0000000075441000-memory.dmp
  Filesize: 5.7MB
- memory/2364-144-0x0000000074E90000-0x0000000075441000-memory.dmp
  Filesize: 5.7MB
- memory/4844-133-0x0000000000000000-mapping.dmp