146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f

Analysis

max time kernel
151s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 02:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe
Size

568KB
MD5

bc09b4bd3de9ee7ba320e057446ba874
SHA1

a483cba4cf5439b33988c7c0eee21f66b53ef4e5
SHA256

146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f
SHA512

c39b53db1ef00ea0ada7c170b9642bde9c5dc18162e0ef778baadb33e22f6db18173a8487ca4c63c5889be8d912dbe753e9fe2fa88e275dc124ac04193f1c18e
SSDEEP

12288:Sds4vpK53iG8qWvL+Tkw33iC6JZT7072XyXTTWTa:SOs1y9P2ZT707W2TyTa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1676	microsoft.exe

Loads dropped DLL 2 IoCs

pid	Process
1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe
1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 1632	1676	microsoft.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1124	schtasks.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\microsoft.exe\:ZONE.identifier:$DATA	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\microsoft.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe
1632	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1964	1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe	26
PID 1344 wrote to memory of 1964	1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe	26
PID 1344 wrote to memory of 1964	1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe	26
PID 1344 wrote to memory of 1964	1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe	26
PID 1344 wrote to memory of 1676	1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe	28
PID 1344 wrote to memory of 1676	1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe	28
PID 1344 wrote to memory of 1676	1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe	28
PID 1344 wrote to memory of 1676	1344	146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe	28
PID 1676 wrote to memory of 980	1676	microsoft.exe	29
PID 1676 wrote to memory of 980	1676	microsoft.exe	29
PID 1676 wrote to memory of 980	1676	microsoft.exe	29
PID 1676 wrote to memory of 980	1676	microsoft.exe	29
PID 1676 wrote to memory of 1124	1676	microsoft.exe	31
PID 1676 wrote to memory of 1124	1676	microsoft.exe	31
PID 1676 wrote to memory of 1124	1676	microsoft.exe	31
PID 1676 wrote to memory of 1124	1676	microsoft.exe	31
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33
PID 1676 wrote to memory of 1632	1676	microsoft.exe	33

C:\Users\Admin\AppData\Local\Temp\146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe
"C:\Users\Admin\AppData\Local\Temp\146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe":ZONE.identifier & exit
  2⤵
  - NTFS ADS
  PID:1964
- C:\Users\Admin\AppData\Roaming\microsoft.exe
  "C:\Users\Admin\AppData\Roaming\microsoft.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\microsoft.exe":ZONE.identifier & exit
    3⤵
    - NTFS ADS
    PID:980
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\takshost" /XML "C:\Users\Admin\AppData\Local\Temp\235695025.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f.exe

Filesize
568KB

MD5
bc09b4bd3de9ee7ba320e057446ba874

SHA1
a483cba4cf5439b33988c7c0eee21f66b53ef4e5

SHA256
146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f

SHA512
c39b53db1ef00ea0ada7c170b9642bde9c5dc18162e0ef778baadb33e22f6db18173a8487ca4c63c5889be8d912dbe753e9fe2fa88e275dc124ac04193f1c18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\235695025.xml

Filesize
1KB

MD5
18e52d6aa3cbd14cfc2724e2696687fa

SHA1
f772cc9e6017a7880825c0ddefaa35a79077f1fa

SHA256
8e4f0e80b4781cbe38066015f0ba3e0c587c3844c4b90205158a9c28f003fd3d

SHA512
61107f45c256a4ca78ca1037441b495fe7bd8e44dbe38fb2c447f1e84011959123437ad640043c77e0d5cf5ef93c70dbb11d71668fda98db4a23c62fc26dc722

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft.exe

Filesize
568KB

MD5
bc09b4bd3de9ee7ba320e057446ba874

SHA1
a483cba4cf5439b33988c7c0eee21f66b53ef4e5

SHA256
146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f

SHA512
c39b53db1ef00ea0ada7c170b9642bde9c5dc18162e0ef778baadb33e22f6db18173a8487ca4c63c5889be8d912dbe753e9fe2fa88e275dc124ac04193f1c18e

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft.exe

Filesize
568KB

MD5
bc09b4bd3de9ee7ba320e057446ba874

SHA1
a483cba4cf5439b33988c7c0eee21f66b53ef4e5

SHA256
146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f

SHA512
c39b53db1ef00ea0ada7c170b9642bde9c5dc18162e0ef778baadb33e22f6db18173a8487ca4c63c5889be8d912dbe753e9fe2fa88e275dc124ac04193f1c18e

Download Submit
\Users\Admin\AppData\Roaming\microsoft.exe

Filesize
568KB

MD5
bc09b4bd3de9ee7ba320e057446ba874

SHA1
a483cba4cf5439b33988c7c0eee21f66b53ef4e5

SHA256
146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f

SHA512
c39b53db1ef00ea0ada7c170b9642bde9c5dc18162e0ef778baadb33e22f6db18173a8487ca4c63c5889be8d912dbe753e9fe2fa88e275dc124ac04193f1c18e

Download Submit
\Users\Admin\AppData\Roaming\microsoft.exe

Filesize
568KB

MD5
bc09b4bd3de9ee7ba320e057446ba874

SHA1
a483cba4cf5439b33988c7c0eee21f66b53ef4e5

SHA256
146aa1727af22edf6f74629059b7d3aa355dd500ab3855abdea56ead9972321f

SHA512
c39b53db1ef00ea0ada7c170b9642bde9c5dc18162e0ef778baadb33e22f6db18173a8487ca4c63c5889be8d912dbe753e9fe2fa88e275dc124ac04193f1c18e

Download Submit
memory/1344-67-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1344-55-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1344-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1632-69-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-85-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-95-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-94-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-70-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-72-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-75-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-79-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-82-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-93-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-88-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1632-91-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-92-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-66-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download