Analysis
max time kernel: 19s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:42
Static task: static1
Behavioral task: behavioral1
  Sample: 901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
  Resource: win10v2004-20220812-en
General
Target: 901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
Size: 1.4MB
MD5: 3f169b28df7778a3291cd9734bbf2d25
SHA1: e9c98f56aa6178109a36c36e47927a61976aef3a
SHA256: 901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0
SHA512: 5f01e6e62f6ce451e5ae781b7175b518d6783fd197dffbbdb4d401b93b936d01dd0be35a9b6716cef353c90a34bad3c645fdeee56b08b03ce7e2ed3ae80553f3
SSDEEP: 24576:hytnY6g4IBsiGkdfI6SKbJnPhMxQBYxS1uEZjrABwdWhGJ4C2yhfifCHw30wbUWC:UtnY6g4xOVZtJnPmxQgEuEZjdIceC2yX
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1984  VIBERS~1.EXE
- Loads dropped DLL (6 IoCs)
  Processes:
    pid 2028  901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
    pid 1984  VIBERS~1.EXE (5 IoCs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
      process: 901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
      process: 901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\VIBERS~1.EXE
      process: VIBERS~1.EXE
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\VIBERS~1.EXE\IsHostApp
      process: VIBERS~1.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 1984  VIBERS~1.EXE
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 2028 (901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe) wrote to memory of PID 1984 (VIBERS~1.EXE), recorded 7 times
Processes
- C:\Users\Admin\AppData\Local\Temp\901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2028
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBERS~1.EXE (child of PID 2028)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBERS~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 1984
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBERS~1.EXE
  Filesize: 1.2MB
  MD5: 4a01eb2124846787b081029aa1f378a8
  SHA1: c649a98452a4ff0e920cbcbd762ad8e11a89b158
  SHA256: 99de78adf1ee0fc9b7656aae2fad5ccb9f2c1c2a8b9174c95e26787c8f7e919b
  SHA512: 2a2c3cef57035dced82a8ba2d0e4358244094fbd666cf3a358f54cce395a17dab7ad0fd5680f55c1b376b571cf6abcd105eececdf8f9415fa096f150c71e6a6e
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBERS~1.EXE
  Filesize: 1.2MB
  MD5: 4a01eb2124846787b081029aa1f378a8
  SHA1: c649a98452a4ff0e920cbcbd762ad8e11a89b158
  SHA256: 99de78adf1ee0fc9b7656aae2fad5ccb9f2c1c2a8b9174c95e26787c8f7e919b
  SHA512: 2a2c3cef57035dced82a8ba2d0e4358244094fbd666cf3a358f54cce395a17dab7ad0fd5680f55c1b376b571cf6abcd105eececdf8f9415fa096f150c71e6a6e
- \Users\Admin\AppData\Local\Temp\nseAE5B.tmp\Helper.dll
  Filesize: 1.7MB
  MD5: 2397422e81b2efb094dd954d5cadccd3
  SHA1: 10b542c74acdd720c69e4ccd24522b0f16444e11
  SHA256: 4ff496e4208168216df0f93f0ae28637a26731d12a96332603e241ce6033c313
  SHA512: b50150e20ea1eae2c55d5f78c04ef2c964c37d610a337018bd45bc78c909fb618af2d35d3e394a60bbec800882fbd690ca85792cdf53e26bcd19b17805d11843
- \Users\Admin\AppData\Local\Temp\nseAE5B.tmp\System.dll
  Filesize: 11KB
  MD5: 959ea64598b9a3e494c00e8fa793be7e
  SHA1: 40f284a3b92c2f04b1038def79579d4b3d066ee0
  SHA256: 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
  SHA512: 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64
- \Users\Admin\AppData\Local\Temp\nseAE5B.tmp\UAC.dll
  Filesize: 13KB
  MD5: a88baad3461d2e9928a15753b1d93fd7
  SHA1: bb826e35264968bbc3b981d8430ac55df1e6d4a6
  SHA256: c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af
  SHA512: 5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a
- \Users\Admin\AppData\Local\Temp\nseAE5B.tmp\nsDialogs.dll
  Filesize: 9KB
  MD5: f7b92b78f1a00a872c8a38f40afa7d65
  SHA1: 872522498f69ad49270190c74cf3af28862057f2
  SHA256: 2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e
  SHA512: 3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79
- memory/1984-56-0x0000000000000000-mapping.dmp
- memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp
  Filesize: 8KB