626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe
Size

9.0MB
MD5

85f8e7171dd3d7a20d2885b8e5542cf2
SHA1

f2cd06cb03a4f62a29c77ea38e328f49493a3f91
SHA256

626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b
SHA512

c97f06f1e38f7cb237d2c7f0861aa5ec63de68fb460d2eedd4ed978528d4c74edbb6de5d58548d6e98d0317a184939a6768b868272ba4653c51c29b24bd7272c
SSDEEP

196608:EernwnZ/4yghLayozmCLBOxsJaJJ5hZh5Dp34/eb2hkauKvnqvxAbrpg1MFe5R0a:EerwCRhLaVzLNEOoJ5n3Dtn2KaFq5Ab7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1664	IYيةطd.exe
636	Interface Manager.exe
1180	kick_me.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Configuration.lnk	Interface Manager.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe
1664	IYيةطd.exe
636	Interface Manager.exe
636	Interface Manager.exe
1180	kick_me.exe
1180	kick_me.exe
1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe
636	Interface Manager.exe
636	Interface Manager.exe
636	Interface Manager.exe
636	Interface Manager.exe
636	Interface Manager.exe
636	Interface Manager.exe
636	Interface Manager.exe
636	Interface Manager.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe
Token: SeDebugPrivilege	1664	IYيةطd.exe
Token: SeDebugPrivilege	636	Interface Manager.exe
Token: SeDebugPrivilege	1180	kick_me.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe
1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2044	1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe	27
PID 1348 wrote to memory of 2044	1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe	27
PID 1348 wrote to memory of 2044	1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe	27
PID 2044 wrote to memory of 1960	2044	vbc.exe	29
PID 2044 wrote to memory of 1960	2044	vbc.exe	29
PID 2044 wrote to memory of 1960	2044	vbc.exe	29
PID 1348 wrote to memory of 1664	1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe	30
PID 1348 wrote to memory of 1664	1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe	30
PID 1348 wrote to memory of 1664	1348	626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe	30
PID 1664 wrote to memory of 636	1664	IYيةطd.exe	31
PID 1664 wrote to memory of 636	1664	IYيةطd.exe	31
PID 1664 wrote to memory of 636	1664	IYيةطd.exe	31
PID 1664 wrote to memory of 1180	1664	IYيةطd.exe	32
PID 1664 wrote to memory of 1180	1664	IYيةطd.exe	32
PID 1664 wrote to memory of 1180	1664	IYيةطd.exe	32

C:\Users\Admin\AppData\Local\Temp\626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe
"C:\Users\Admin\AppData\Local\Temp\626473a770fc3e9741e5fe2bb129c8e88346a9e10011b18493a258ce0f48363b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\acb_ujua.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1363.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1362.tmp"
    3⤵
    PID:1960
- C:\Users\Admin\AppData\Local\Temp\IYيةطd.exe
  "C:\Users\Admin\AppData\Local\Temp\IYيةطd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows Update\Interface Manager.exe
    "C:\Windows Update\Interface Manager.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Users\Admin\AppData\Local\Temp\kick_me.exe
    "C:\Users\Admin\AppData\Local\Temp\kick_me.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IYيةطd.exe

Filesize
68KB

MD5
a832b1fea42b2f4b6b0df3a25ed2e59e

SHA1
ae7270075ba3b5888acaccc84c3891859918a32e

SHA256
def93d989aebc6112589eec14fccf3f2f5b3cffdc7a3698eba17739c52fca971

SHA512
bf6e7379d3535f2f3f513e0fa1c7074eaeddc4639fde596af6a0073c7b0e9131d935b4e8d7ba2cbdf5cb35da7645315ac28856fce15f82fa768d64c9cc9dba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYيةطd.exe

Filesize
68KB

MD5
a832b1fea42b2f4b6b0df3a25ed2e59e

SHA1
ae7270075ba3b5888acaccc84c3891859918a32e

SHA256
def93d989aebc6112589eec14fccf3f2f5b3cffdc7a3698eba17739c52fca971

SHA512
bf6e7379d3535f2f3f513e0fa1c7074eaeddc4639fde596af6a0073c7b0e9131d935b4e8d7ba2cbdf5cb35da7645315ac28856fce15f82fa768d64c9cc9dba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1363.tmp

Filesize
1KB

MD5
a3224b073f244644311d8ec2f49f6508

SHA1
f97f3a601e18bc40c2eed4ad9e2a5c223d04c232

SHA256
4715509511a460d4dcfc495c54225be15ba07cd34ac379b5892c7a15c152497c

SHA512
2403bcb9dc18a134a8aed5e5260695997de0d662d1374ec5800495e22ada94e2b23bbb37b6668da8baa810e1d9a937c205d487ecb49474b457de699d3cc5043b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acb_ujua.0.vb

Filesize
88KB

MD5
580407b8c81680bd3381493ccb7f312c

SHA1
e2554f975d4ad8726efbac9714722361a9c098fe

SHA256
fa35e860e2cd3695952bc20001352ba68656d1a911486e38c9fb897961c19f3b

SHA512
8900c8e0591e87b580ee087170fbb360f3b8bcc49e1ee1d0a2731d8a8ecdd0ff90782749b627f2f965ae5a3c7d10cff14ba716af2cd4b442b070fbaa727fe39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\acb_ujua.cmdline

Filesize
217B

MD5
c12ec277f869d937407c9d1e38fc093d

SHA1
1bbcf52d3c0f2971a8644b84321f6e31c3cabfe6

SHA256
fc0c8befe78ae2ef831833e7c62496967e48c31722825b026bfb0318512d6a60

SHA512
79a985620bbaa4494a83c2b1bcf1d8b210fc541266ed282501bca274317376640f82b54c3d46560d5cf2438462d4ddd4fbf0bcdbe003bfe48c5302d20b7ef3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kick_me.exe

Filesize
68KB

MD5
a832b1fea42b2f4b6b0df3a25ed2e59e

SHA1
ae7270075ba3b5888acaccc84c3891859918a32e

SHA256
def93d989aebc6112589eec14fccf3f2f5b3cffdc7a3698eba17739c52fca971

SHA512
bf6e7379d3535f2f3f513e0fa1c7074eaeddc4639fde596af6a0073c7b0e9131d935b4e8d7ba2cbdf5cb35da7645315ac28856fce15f82fa768d64c9cc9dba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\kick_me.exe

Filesize
68KB

MD5
a832b1fea42b2f4b6b0df3a25ed2e59e

SHA1
ae7270075ba3b5888acaccc84c3891859918a32e

SHA256
def93d989aebc6112589eec14fccf3f2f5b3cffdc7a3698eba17739c52fca971

SHA512
bf6e7379d3535f2f3f513e0fa1c7074eaeddc4639fde596af6a0073c7b0e9131d935b4e8d7ba2cbdf5cb35da7645315ac28856fce15f82fa768d64c9cc9dba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\kill_it.txt

Filesize
49B

MD5
da3ac54e4967f70de91ab4d37eeaefcf

SHA1
364148bf26864fbd56e6eefb9c10f4c5863eaf38

SHA256
560edadb9d7a9153f807082c94d16b12c975889756bb61b8d8c8830aeed01438

SHA512
03f63e869c52eb28d02c3bf0c546107ef0bf742317662d8a6f6c211896604c2262ac054c8890562c32dedeb354014e0d0c1a301a8dc7fc9e4c62d284d9664186

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1362.tmp

Filesize
712B

MD5
55eff8b64fbcd8b59f048f7df8901440

SHA1
5333a35229eb172e3f96ffb7e6254198f05cda75

SHA256
71a453022a9dc4db8fad667731f92facfc43350510969289f28bd7fd2d2fa928

SHA512
dcfa84f5560d9695f25c66ec382a9afb39914ee9fe4689b2122e640fa9f8e920b7419e41f3fc160e49d3f5220ef387dc41e2e8463f75ec16a631956215da4e38

Download Submit
C:\Windows Update\Interface Manager.exe

Filesize
68KB

MD5
a832b1fea42b2f4b6b0df3a25ed2e59e

SHA1
ae7270075ba3b5888acaccc84c3891859918a32e

SHA256
def93d989aebc6112589eec14fccf3f2f5b3cffdc7a3698eba17739c52fca971

SHA512
bf6e7379d3535f2f3f513e0fa1c7074eaeddc4639fde596af6a0073c7b0e9131d935b4e8d7ba2cbdf5cb35da7645315ac28856fce15f82fa768d64c9cc9dba49

Download Submit
C:\Windows Update\Interface Manager.exe

Filesize
68KB

MD5
a832b1fea42b2f4b6b0df3a25ed2e59e

SHA1
ae7270075ba3b5888acaccc84c3891859918a32e

SHA256
def93d989aebc6112589eec14fccf3f2f5b3cffdc7a3698eba17739c52fca971

SHA512
bf6e7379d3535f2f3f513e0fa1c7074eaeddc4639fde596af6a0073c7b0e9131d935b4e8d7ba2cbdf5cb35da7645315ac28856fce15f82fa768d64c9cc9dba49

Download Submit
memory/636-69-0x0000000000000000-mapping.dmp

Download
memory/636-87-0x0000000000616000-0x0000000000635000-memory.dmp

Filesize
124KB

Download
memory/636-76-0x0000000000616000-0x0000000000635000-memory.dmp

Filesize
124KB

Download
memory/636-73-0x000007FEF29E0000-0x000007FEF3A76000-memory.dmp

Filesize
16.6MB

Download
memory/636-72-0x000007FEF3D20000-0x000007FEF4743000-memory.dmp

Filesize
10.1MB

Download
memory/1180-80-0x000007FEF3D20000-0x000007FEF4743000-memory.dmp

Filesize
10.1MB

Download
memory/1180-81-0x000007FEF29E0000-0x000007FEF3A76000-memory.dmp

Filesize
16.6MB

Download
memory/1180-85-0x0000000001D96000-0x0000000001DB5000-memory.dmp

Filesize
124KB

Download
memory/1180-84-0x0000000001D96000-0x0000000001DB5000-memory.dmp

Filesize
124KB

Download
memory/1180-77-0x0000000000000000-mapping.dmp

Download
memory/1348-55-0x000007FEF29E0000-0x000007FEF3A76000-memory.dmp

Filesize
16.6MB

Download
memory/1348-54-0x000007FEF3D20000-0x000007FEF4743000-memory.dmp

Filesize
10.1MB

Download
memory/1348-59-0x0000000000BE6000-0x0000000000C05000-memory.dmp

Filesize
124KB

Download
memory/1348-86-0x0000000000BE6000-0x0000000000C05000-memory.dmp

Filesize
124KB

Download
memory/1664-75-0x0000000000390000-0x0000000000410000-memory.dmp

Filesize
512KB

Download
memory/1664-64-0x0000000000000000-mapping.dmp

Download
memory/1664-68-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1664-66-0x000007FEF3D20000-0x000007FEF4743000-memory.dmp

Filesize
10.1MB

Download
memory/1664-67-0x000007FEF29E0000-0x000007FEF3A76000-memory.dmp

Filesize
16.6MB

Download
memory/1960-60-0x0000000000000000-mapping.dmp

Download
memory/2044-56-0x0000000000000000-mapping.dmp

Download