Analysis
-
max time kernel
167s -
max time network
201s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 12:58
Static task
static1
Behavioral task
behavioral1
Sample
Vsl's Particulars.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Vsl's Particulars.exe
Resource
win10v2004-20221111-en
General
-
Target
Vsl's Particulars.exe
-
Size
430KB
-
MD5
19f682b3bc81726446548e1589eb1743
-
SHA1
4095b78585ad3334dee52a2aa0a4536f19858449
-
SHA256
ed88fe1c402db7c228f49f7faf8370ca5688bbaf1bbdf2ac7dd2a95b9cb4fc36
-
SHA512
866a38685df18a3a7b4b741cd5fd1129aa6de3f07dc8da52c2f8c42c3b46c5b26f57ffd8dc850e4600467c6a134c52fd14f751e1f5a641bf3dc9995303e44054
-
SSDEEP
3072:7+Dfpf4I8ZZpSOs4PNdvr+1UjTsvY3h4I5UWIDRRineV3Kap/ObYOOt7POITGCo6:KmIMZUOJpq1B4UhDqe5pmboNNPonA4
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Vsl's Particulars.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Vsl's Particulars.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4272 powershell.exe 4272 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Vsl's Particulars.exepowershell.exedescription pid process Token: SeDebugPrivilege 1352 Vsl's Particulars.exe Token: SeDebugPrivilege 4272 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Vsl's Particulars.exedescription pid process target process PID 1352 wrote to memory of 4272 1352 Vsl's Particulars.exe powershell.exe PID 1352 wrote to memory of 4272 1352 Vsl's Particulars.exe powershell.exe PID 1352 wrote to memory of 4272 1352 Vsl's Particulars.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vsl's Particulars.exe"C:\Users\Admin\AppData\Local\Temp\Vsl's Particulars.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1352-132-0x00000000007E0000-0x0000000000852000-memory.dmpFilesize
456KB
-
memory/1352-133-0x0000000005FB0000-0x0000000006042000-memory.dmpFilesize
584KB
-
memory/1352-134-0x0000000006600000-0x0000000006BA4000-memory.dmpFilesize
5.6MB
-
memory/1352-135-0x0000000006080000-0x00000000060A2000-memory.dmpFilesize
136KB
-
memory/4272-136-0x0000000000000000-mapping.dmp
-
memory/4272-137-0x0000000005240000-0x0000000005276000-memory.dmpFilesize
216KB
-
memory/4272-138-0x00000000058C0000-0x0000000005EE8000-memory.dmpFilesize
6.2MB
-
memory/4272-139-0x0000000006110000-0x0000000006176000-memory.dmpFilesize
408KB
-
memory/4272-140-0x0000000006180000-0x00000000061E6000-memory.dmpFilesize
408KB
-
memory/4272-141-0x0000000006800000-0x000000000681E000-memory.dmpFilesize
120KB
-
memory/4272-142-0x0000000007E60000-0x00000000084DA000-memory.dmpFilesize
6.5MB
-
memory/4272-143-0x0000000001200000-0x000000000121A000-memory.dmpFilesize
104KB