e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe
Size

122KB
MD5

2ffb189d0cbd907b95ca1f5a202a5f41
SHA1

0b1e4239ab33878ca6aafaed4787ad22142907b7
SHA256

e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef
SHA512

4bd5f13c39bf486235250267b0e2bb196e312e7b1ddc1a96fae0f3b7296cb5eb714e207053948ada2ea31bd7aa268df590181364b7dcb6a3b884330a28ee862b
SSDEEP

3072:gnDHH47khTSHz4dwqKdM6i4JGpZh37uLjudqz9d0ks:gDn440zt46i4EruLorks

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"	e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\??\c:\windows\ipv6netbrowssvc.dll	vmprotect
behavioral1/memory/1696-59-0x0000000000890000-0x00000000008CE000-memory.dmp	vmprotect
behavioral1/memory/980-61-0x0000000075460000-0x000000007549E000-memory.dmp	vmprotect
behavioral1/memory/980-62-0x0000000075460000-0x000000007549E000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1124 cmd.exe

pid	process
1124	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe

description	ioc	process
File opened for modification	C:\Windows\IPv6NetBrowsSvc.dll	e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe
File created	C:\Windows\IPv6NetBrowsSvc.dll	e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe

description	pid	process	target process
PID 1696 wrote to memory of 1124	1696	e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe	cmd.exe
PID 1696 wrote to memory of 1124	1696	e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe	cmd.exe
PID 1696 wrote to memory of 1124	1696	e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe	cmd.exe
PID 1696 wrote to memory of 1124	1696	e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe
"C:\Users\Admin\AppData\Local\Temp\e0f72c2311c065288f47277e1961a09616f36a6daeb2256444c8dd3a2c8742ef.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7080713.bat" "
2⤵
- Deletes itself
PID:1124

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ipv6srvs
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7080713.bat
Filesize
239B

MD5
db9f927f95c37ac3a1876c61ecc7354c

SHA1
47ab63bdf39ee2f8c2674f1f113d899bae8f5ff3

SHA256
51c480d14fca4b72dc60815b9558d6d9a8ceda2210fd38b6ee6f517dfcf82d87

SHA512
d52e2037362cccee0bc7fa0916acc28d8cce6362426d92ac62dd97307f57045cf53fd27c4c6292ab0995e9b972ec10a96c7d9e718b46ad7d8fd3e323788f762a

Download Submit
\??\c:\windows\ipv6netbrowssvc.dll
Filesize
122KB

MD5
384d9f77713f3942a0016b87fb055bb8

SHA1
4ea249da9457989a1d226ee8c0141a5402ca9c4e

SHA256
2b3a3d303d3e1966a18a1958e8d634f4f4e414366c3d8a159ee5d3fb904324b4

SHA512
ef374d43b5b75c5c2f4a1308ee4457820b43cbdc0ec49338275796305b065c42a4b035046daee11263834c815952d4e5e7ddee8e9dcf5a97b6b038fcd2826e0f

Download Submit
memory/980-57-0x0000000075461000-0x0000000075464000-memory.dmp

Filesize
12KB

Download
memory/980-61-0x0000000075460000-0x000000007549E000-memory.dmp

Filesize
248KB

Download
memory/980-62-0x0000000075460000-0x000000007549E000-memory.dmp

Filesize
248KB

Download
memory/1124-58-0x0000000000000000-mapping.dmp

Download
memory/1696-54-0x0000000000891000-0x0000000000894000-memory.dmp

Filesize
12KB

Download
memory/1696-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-59-0x0000000000890000-0x00000000008CE000-memory.dmp

Filesize
248KB

Download