901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0

General

Target

901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
Size

1.4MB
MD5

3f169b28df7778a3291cd9734bbf2d25
SHA1

e9c98f56aa6178109a36c36e47927a61976aef3a
SHA256

901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0
SHA512

5f01e6e62f6ce451e5ae781b7175b518d6783fd197dffbbdb4d401b93b936d01dd0be35a9b6716cef353c90a34bad3c645fdeee56b08b03ce7e2ed3ae80553f3
SSDEEP

24576:hytnY6g4IBsiGkdfI6SKbJnPhMxQBYxS1uEZjrABwdWhGJ4C2yhfifCHw30wbUWC:UtnY6g4xOVZtJnPmxQgEuEZjdIceC2yX

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

VIBERS~1.EXE

pid process

5048 VIBERS~1.EXE
Loads dropped DLL 6 IoCs

Processes:

VIBERS~1.EXE

pid process

5048 VIBERS~1.EXE
5048 VIBERS~1.EXE
5048 VIBERS~1.EXE
5048 VIBERS~1.EXE
5048 VIBERS~1.EXE
5048 VIBERS~1.EXE

pid	process
5048	VIBERS~1.EXE

pid	process
5048	VIBERS~1.EXE
5048	VIBERS~1.EXE
5048	VIBERS~1.EXE
5048	VIBERS~1.EXE
5048	VIBERS~1.EXE
5048	VIBERS~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

VIBERS~1.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\VIBERS~1.EXE	VIBERS~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\VIBERS~1.EXE\IsHostApp	VIBERS~1.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

VIBERS~1.EXE

description pid process

Token: SeDebugPrivilege 5048 VIBERS~1.EXE

description	pid	process
Token: SeDebugPrivilege	5048	VIBERS~1.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe

description	pid	process	target process
PID 4632 wrote to memory of 5048	4632	901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe	VIBERS~1.EXE
PID 4632 wrote to memory of 5048	4632	901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe	VIBERS~1.EXE
PID 4632 wrote to memory of 5048	4632	901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe	VIBERS~1.EXE

C:\Users\Admin\AppData\Local\Temp\901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe
"C:\Users\Admin\AppData\Local\Temp\901bbcfa5dd7b808c97dd192174440ae232bdc34ce555388124b44ab22bba4e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBERS~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBERS~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBERS~1.EXE
Filesize
1.2MB

MD5
4a01eb2124846787b081029aa1f378a8

SHA1
c649a98452a4ff0e920cbcbd762ad8e11a89b158

SHA256
99de78adf1ee0fc9b7656aae2fad5ccb9f2c1c2a8b9174c95e26787c8f7e919b

SHA512
2a2c3cef57035dced82a8ba2d0e4358244094fbd666cf3a358f54cce395a17dab7ad0fd5680f55c1b376b571cf6abcd105eececdf8f9415fa096f150c71e6a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VIBERS~1.EXE
Filesize
1.2MB

MD5
4a01eb2124846787b081029aa1f378a8

SHA1
c649a98452a4ff0e920cbcbd762ad8e11a89b158

SHA256
99de78adf1ee0fc9b7656aae2fad5ccb9f2c1c2a8b9174c95e26787c8f7e919b

SHA512
2a2c3cef57035dced82a8ba2d0e4358244094fbd666cf3a358f54cce395a17dab7ad0fd5680f55c1b376b571cf6abcd105eececdf8f9415fa096f150c71e6a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA667.tmp\Helper.dll
Filesize
1.7MB

MD5
2397422e81b2efb094dd954d5cadccd3

SHA1
10b542c74acdd720c69e4ccd24522b0f16444e11

SHA256
4ff496e4208168216df0f93f0ae28637a26731d12a96332603e241ce6033c313

SHA512
b50150e20ea1eae2c55d5f78c04ef2c964c37d610a337018bd45bc78c909fb618af2d35d3e394a60bbec800882fbd690ca85792cdf53e26bcd19b17805d11843

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA667.tmp\System.dll
Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA667.tmp\UAC.dll
Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA667.tmp\UAC.dll
Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA667.tmp\nsDialogs.dll
Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA667.tmp\nsDialogs.dll
Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
memory/5048-132-0x0000000000000000-mapping.dmp

Download
memory/5048-138-0x0000000003501000-0x0000000003504000-memory.dmp

Filesize
12KB

Download
memory/5048-142-0x00000000036A1000-0x00000000036A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads