abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd

Analysis

max time kernel
130s
max time network
82s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
Size

2.2MB
MD5

af57013ed409efb51244d2631934e2ea
SHA1

c9b426f683da04772b0e91cc4ff54d95bf48a909
SHA256

abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd
SHA512

12350a54a4a54244a7d9ab6514bf7e32b13f373d909c190e11e1f4d680b33b5b9c7eba03d79f39424001096d902a9264b73c5521c4e28f3ad8537e14bd010f91
SSDEEP

49152:7JKrinlUS/oJmFFNptj7TnPdU585nqpGPCY0dxGrL21PAjGoe9Hec:VW8To4ppF7TPj5qYJd2V6Goe9Hl

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 15 IoCs

Processes:

abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe

description	ioc	process
File opened for modification	C:\Program Files\VRayManage2\aria2\x86\aria2c.exe	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File opened for modification	C:\Program Files\VRayManage2\aria2\x86	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File opened for modification	C:\Program Files\VRayManage2	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File created	C:\Program Files\VRayManage2\aria2\x64\aria2.exe	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File created	C:\Program Files\VRayManage2\aria2\x86\aria2.exe	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File created	C:\Program Files\VRayManage2\aria2\x64\aria2c.exe	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File opened for modification	C:\Program Files\VRayManage2\Language\zh-CN.ini	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File opened for modification	C:\Program Files\VRayManage2\Language	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File created	C:\Program Files\VRayManage2\aria2\x86\aria2c.exe	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File opened for modification	C:\Program Files\VRayManage2\aria2	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File opened for modification	C:\Program Files\VRayManage2\aria2\x64	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File opened for modification	C:\Program Files\VRayManage2\aria2\x86\aria2.exe	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File created	C:\Program Files\VRayManage2\__tmp_rar_sfx_access_check_7114550	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File created	C:\Program Files\VRayManage2\Language\zh-CN.ini	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
File opened for modification	C:\Program Files\VRayManage2\aria2\x64\aria2.exe	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe

pid process

1232 abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe

pid	process
1232	abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe

C:\Users\Admin\AppData\Local\Temp\abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe
"C:\Users\Admin\AppData\Local\Temp\abeb68258e3c5921de2061138879720b2c887ddaf1d7ecd65357926b1e92f7dd.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download