Analysis
-
max time kernel
138s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
24-11-2022 06:22
General
-
Target
29b513fdbbe72c15a6961af6af3e758d8eefbc22753de155d2c1f0b0b954660e.exe
-
Size
120KB
-
MD5
addab1c297f678b00958d6564b785dca
-
SHA1
b5abef2ce28ef39a8400d77dfc875cf02f1f798a
-
SHA256
29b513fdbbe72c15a6961af6af3e758d8eefbc22753de155d2c1f0b0b954660e
-
SHA512
f031e53fa165a6f1324169ae26f34d52d5207aaf9f2887547c6fff0e869babb5ec8581daa115582ec98b9690eced3f2cafc0ec057226127adcc925287de2385f
-
SSDEEP
3072:6JwejfQQpiipQpU1EgKOCHYk05GPqAzVQuLQ/eO:6vxV1COCHvQ8qABQ2GB
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
VMProtect packed file 9 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\29b513fdbbe72c15a6961af6af3e758d8eefbc22753de155d2c1f0b0b954660e.exe"C:\Users\Admin\AppData\Local\Temp\29b513fdbbe72c15a6961af6af3e758d8eefbc22753de155d2c1f0b0b954660e.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\988.vbs"2⤵
-
C:\Program Files (x86)\Windows Mgvqqz\Ciypmcm.exe"C:\Program Files (x86)\Windows Mgvqqz\Ciypmcm.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\988.vbsFilesize
500B
MD5b1a7c3d611837a99b3dd17e655f66164
SHA1ff738c11cd41227e5a80abd47f09f0c7e552eb17
SHA2567e9399afc3004c3111e6c59ce6e04cc0864d00910f2fdf1ff92d131b4b4e2ed2
SHA51224ccd5691a5db488ab56bfc62259159ea65757dee267b0e2b69da9b9706202399e65728e2e5077602da933598ad95bdcf48746f28b618ee8834c7e258e1b5322
-
C:\Program Files (x86)\Windows Mgvqqz\Ciypmcm.exeFilesize
100.1MB
MD554703ea5a3c9d059614034fba856634c
SHA1802e56e6fd5302bf661d1ef35648c0053be1617f
SHA256650a741d2dce8360d13d81663d0de757a85baeed6034838fc88a201fc1a4d5e6
SHA5120a132cb24211f141fede8c2b43fee7c5884fa598239c18acb3ba474081b2033e2f22852af7c293445942c86463c92ff1c6a3d0d5fdf41f1df953ed7d2aced6d9
-
C:\Program Files (x86)\Windows Mgvqqz\Ciypmcm.exeFilesize
100.1MB
MD554703ea5a3c9d059614034fba856634c
SHA1802e56e6fd5302bf661d1ef35648c0053be1617f
SHA256650a741d2dce8360d13d81663d0de757a85baeed6034838fc88a201fc1a4d5e6
SHA5120a132cb24211f141fede8c2b43fee7c5884fa598239c18acb3ba474081b2033e2f22852af7c293445942c86463c92ff1c6a3d0d5fdf41f1df953ed7d2aced6d9
-
memory/2224-138-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2224-140-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2224-144-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3852-141-0x0000000000000000-mapping.dmp
-
memory/4980-132-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/4980-133-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/4980-135-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/4980-142-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB