71398ec09f40842b05470aad1456b80febc1548c3fd17f576e76dbf67dacc8ee

Analysis

max time kernel
29s
max time network
177s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
24-11-2022 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shrek/bin/vxcs injector.exe
Size

1.3MB
MD5

1935b8d5377e4686fb0d63b15f945177
SHA1

004816bbce0fcd5af209d632a4a91772406b3bbd
SHA256

7f74a54ab8c6cfff77d857e4b8c4b9fdb95a701569d007c8886b343d55870b0f
SHA512

63555e46838dd361f038de3126cfdb09fcd5a7a5ecf17d92dd9a11cba6a63bbef7e8884dbfd6dcd1c0dc314603115999178379341325bd91bf7e4b95d01ee740
SSDEEP

24576:iOrbmLRnpJx7/EEjXvRvItZJdX3p9hHPcrfd4JW+9:iOrslt7ME7Jvw/9tS4s+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

5NVmD.exe

pid process

4644 5NVmD.exe

pid	process
4644	5NVmD.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5NVmD.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AsIO3\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\shrek\\bin\\AsIO3.sys"	5NVmD.exe

Loads dropped DLL 1 IoCs

Processes:

5NVmD.exe

pid process

4644 5NVmD.exe

pid	process
4644	5NVmD.exe

Drops file in Windows directory 3 IoCs

Processes:

vxcs injector.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\Download\5NVmD.sys	vxcs injector.exe
File created	C:\Windows\SoftwareDistribution\Download\drv64.dll	vxcs injector.exe
File created	C:\Windows\SoftwareDistribution\Download\5NVmD.exe	vxcs injector.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

5NVmD.exe

pid process

4644 5NVmD.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5NVmD.exe

description pid process

Token: SeSystemEnvironmentPrivilege 4644 5NVmD.exe
Token: SeDebugPrivilege 4644 5NVmD.exe
Token: SeLoadDriverPrivilege 4644 5NVmD.exe

pid	process
4644	5NVmD.exe

description	pid	process
Token: SeSystemEnvironmentPrivilege	4644	5NVmD.exe
Token: SeDebugPrivilege	4644	5NVmD.exe
Token: SeLoadDriverPrivilege	4644	5NVmD.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

vxcs injector.exe

description	pid	process	target process
PID 2820 wrote to memory of 4644	2820	vxcs injector.exe	5NVmD.exe
PID 2820 wrote to memory of 4644	2820	vxcs injector.exe	5NVmD.exe

C:\Users\Admin\AppData\Local\Temp\shrek\bin\vxcs injector.exe
"C:\Users\Admin\AppData\Local\Temp\shrek\bin\vxcs injector.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SoftwareDistribution\Download\5NVmD.exe
"C:\Windows\SoftwareDistribution\Download\5NVmD.exe" -prv 22 -map C:\Windows\SoftwareDistribution\Download\5NVmD.sys
2⤵
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SoftwareDistribution\Download\5NVmD.exe

Filesize
287KB

MD5
ffd647689e4fdea562acda977748167b

SHA1
0bd670fa21e1eaf862da2c051d62601bd2fb51ef

SHA256
05988fb3d7052f1052afa81f512114e1bed89c116d4878d3250f0c16475e0249

SHA512
97613667da659106344e34128e8b209309a3c7bc502cb5ca61e68e7fe931dd831cd6ff7761b5d6502f28b1a428d0baef17932767f564176a9191502361fa06f9

Download Submit
C:\Windows\SoftwareDistribution\Download\5NVmD.exe

Filesize
287KB

MD5
ffd647689e4fdea562acda977748167b

SHA1
0bd670fa21e1eaf862da2c051d62601bd2fb51ef

SHA256
05988fb3d7052f1052afa81f512114e1bed89c116d4878d3250f0c16475e0249

SHA512
97613667da659106344e34128e8b209309a3c7bc502cb5ca61e68e7fe931dd831cd6ff7761b5d6502f28b1a428d0baef17932767f564176a9191502361fa06f9

Download Submit
C:\Windows\SoftwareDistribution\Download\5NVmD.sys

Filesize
9KB

MD5
657c2a27e4038ae1041474fb901540fa

SHA1
a552b50361b1ae6ab24f3a8959168099208f54ac

SHA256
19066df50eb8b7c76d06552ccbd6248a6384a45a7f04500c6de4ab37149bac54

SHA512
961464d3eda5e81d1b3fa916971ba6b67772f3a4d981963f23b1d8dab3109a20177997a64e11c2a75e046a307f7e7d441e798281b944be865bea2849fa08adc1

Download Submit
C:\Windows\SoftwareDistribution\Download\drv64.dll

Filesize
662KB

MD5
a62c23c0db405d00fde73b1665c13686

SHA1
9949512c330566d8fce363f7588a2d95f68f49b5

SHA256
bd2b37cc66242c255010b4f633621d60bd5662cf2a7e243df0b95e9ad1263a50

SHA512
ec068e558f8caee1dfd3bf329307e07dc8514abfc3277b3997d01093a92b8ad39a5c1eabbb5035fac43af010fabfff4ace2dbf1fccd145bed9859c30451465a8

Download Submit
\Windows\SoftwareDistribution\Download\5NVmD.sys

Filesize
9KB

MD5
657c2a27e4038ae1041474fb901540fa

SHA1
a552b50361b1ae6ab24f3a8959168099208f54ac

SHA256
19066df50eb8b7c76d06552ccbd6248a6384a45a7f04500c6de4ab37149bac54

SHA512
961464d3eda5e81d1b3fa916971ba6b67772f3a4d981963f23b1d8dab3109a20177997a64e11c2a75e046a307f7e7d441e798281b944be865bea2849fa08adc1

Download Submit
memory/4644-120-0x0000000000000000-mapping.dmp

Download