bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7

Analysis

max time kernel
152s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 01:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe
Size

17.3MB
MD5

ad0dc299dca4e8b0def8b802bb1e5574
SHA1

e50fd5463884b12fdfe555ac2d2c68738109ad52
SHA256

bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7
SHA512

d7a82aa17fdf8c950d0090028177d46c7422e8b2931814ec25ea6e798a4e142872ae22005d36c263764d609d180b5e2770cb1e25a803b732e35666f6713544d0
SSDEEP

393216:ShmNxkCNkNiAgNX8jijT1xaVkseqCGAS6TbHLlbjYApBN:XsyMj6T1xaKq/AZTbHNcALN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1224	n1IhXnmPeRxpRvkJ.exe
1452	n1IhXnmPeRxpRvkJ.tmp

Loads dropped DLL 4 IoCs

pid	Process
1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe
1224	n1IhXnmPeRxpRvkJ.exe
1452	n1IhXnmPeRxpRvkJ.tmp
1452	n1IhXnmPeRxpRvkJ.tmp

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\FFRfJijoq6L8.exe"	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe
1392	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1224	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	27
PID 1476 wrote to memory of 1224	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	27
PID 1476 wrote to memory of 1224	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	27
PID 1476 wrote to memory of 1224	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	27
PID 1476 wrote to memory of 1224	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	27
PID 1476 wrote to memory of 1224	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	27
PID 1476 wrote to memory of 1224	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	27
PID 1224 wrote to memory of 1452	1224	n1IhXnmPeRxpRvkJ.exe	29
PID 1224 wrote to memory of 1452	1224	n1IhXnmPeRxpRvkJ.exe	29
PID 1224 wrote to memory of 1452	1224	n1IhXnmPeRxpRvkJ.exe	29
PID 1224 wrote to memory of 1452	1224	n1IhXnmPeRxpRvkJ.exe	29
PID 1224 wrote to memory of 1452	1224	n1IhXnmPeRxpRvkJ.exe	29
PID 1224 wrote to memory of 1452	1224	n1IhXnmPeRxpRvkJ.exe	29
PID 1224 wrote to memory of 1452	1224	n1IhXnmPeRxpRvkJ.exe	29
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28
PID 1476 wrote to memory of 1392	1476	bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe	28

C:\Users\Admin\AppData\Local\Temp\bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe
"C:\Users\Admin\AppData\Local\Temp\bc2f5e6053c600b9554f98af9694ef8ab0b036a76a3ca8d433696d742242b7f7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\n1IhXnmPeRxpRvkJ.exe
  "C:\Users\Admin\AppData\Local\Temp\n1IhXnmPeRxpRvkJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\is-H6AG6.tmp\n1IhXnmPeRxpRvkJ.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-H6AG6.tmp\n1IhXnmPeRxpRvkJ.tmp" /SL5="$10164,17411815,56832,C:\Users\Admin\AppData\Local\Temp\n1IhXnmPeRxpRvkJ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1452
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-H6AG6.tmp\n1IhXnmPeRxpRvkJ.tmp

Filesize
690KB

MD5
1305181de520f125aeabf85dc24a89d6

SHA1
98b7548fede3f1468ccbdee405abdc4e5d2ec671

SHA256
0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf

SHA512
b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1IhXnmPeRxpRvkJ.exe

Filesize
16.8MB

MD5
5949b9a29cc5f6a26d51714d2e408a82

SHA1
4297c689413c35c10e44ed4f4d82f8fa66eeb14c

SHA256
cc7bb3bd12f011266788c970ee31dc484bd5874d8767558c317e843265dbbcf6

SHA512
71d37e4e78bda4946f2307457e07d57f2154c15afe1cdd1fd4a11fa229409a51e0d3e9343b7d321c1d324cad2edfe39109db9f73b2464c1d56873656431e8798

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1IhXnmPeRxpRvkJ.exe

Filesize
16.8MB

MD5
5949b9a29cc5f6a26d51714d2e408a82

SHA1
4297c689413c35c10e44ed4f4d82f8fa66eeb14c

SHA256
cc7bb3bd12f011266788c970ee31dc484bd5874d8767558c317e843265dbbcf6

SHA512
71d37e4e78bda4946f2307457e07d57f2154c15afe1cdd1fd4a11fa229409a51e0d3e9343b7d321c1d324cad2edfe39109db9f73b2464c1d56873656431e8798

Download Submit
\Users\Admin\AppData\Local\Temp\is-6HIE1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6HIE1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-H6AG6.tmp\n1IhXnmPeRxpRvkJ.tmp

Filesize
690KB

MD5
1305181de520f125aeabf85dc24a89d6

SHA1
98b7548fede3f1468ccbdee405abdc4e5d2ec671

SHA256
0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf

SHA512
b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793

Download Submit
\Users\Admin\AppData\Local\Temp\n1IhXnmPeRxpRvkJ.exe

Filesize
16.8MB

MD5
5949b9a29cc5f6a26d51714d2e408a82

SHA1
4297c689413c35c10e44ed4f4d82f8fa66eeb14c

SHA256
cc7bb3bd12f011266788c970ee31dc484bd5874d8767558c317e843265dbbcf6

SHA512
71d37e4e78bda4946f2307457e07d57f2154c15afe1cdd1fd4a11fa229409a51e0d3e9343b7d321c1d324cad2edfe39109db9f73b2464c1d56873656431e8798

Download Submit
memory/1224-83-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1224-89-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1224-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-80-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-82-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-70-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-72-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-74-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-75-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-77-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-66-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-67-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-90-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-86-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1392-85-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1476-84-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-56-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-55-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download