acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66

Analysis

max time kernel
149s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 14:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe
Size

131KB
MD5

3ee6ca942a35fde4cbd4cc90c69b494f
SHA1

d2556116cebc77734995571b4793a5bf1df8a3c1
SHA256

acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66
SHA512

8f5f4ec157b38e31b978c6db67aae7768c52dae42b28563f6463a22d2ff287d96b6071c36c236bb37df4fb273b1c0fef2abe61773dc3e3d37198755c06645668
SSDEEP

3072:U6Ooaa75Sgk3EUJhwLo/ec7hdnqE6Y5KOFcnxStrWc:vak0Jqwecvnh62gQ

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe

Executes dropped EXE 1 IoCs

pid	Process
3560	vow.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022e4f-137.dat	upx
behavioral2/files/0x000a000000022e4f-138.dat	upx
behavioral2/memory/3560-139-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\vow.exe \\u"	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\userdiff.sav	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe
File created	C:\Windows\SysWOW64\userdiff.sav	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe
File opened for modification	C:\Windows\SysWOW64\userdiff.sav	vow.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5012 set thread context of 2920	5012	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	83
PID 3560 set thread context of 3060	3560	vow.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3368	2920	WerFault.exe	83
1032	3060	WerFault.exe	89

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2920	5012	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	83
PID 5012 wrote to memory of 2920	5012	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	83
PID 5012 wrote to memory of 2920	5012	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	83
PID 5012 wrote to memory of 2920	5012	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	83
PID 5012 wrote to memory of 2920	5012	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	83
PID 5012 wrote to memory of 2920	5012	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	83
PID 5012 wrote to memory of 2920	5012	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	83
PID 2920 wrote to memory of 3560	2920	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	88
PID 2920 wrote to memory of 3560	2920	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	88
PID 2920 wrote to memory of 3560	2920	acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe	88
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89
PID 3560 wrote to memory of 3060	3560	vow.exe	89

C:\Users\Admin\AppData\Local\Temp\acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe
"C:\Users\Admin\AppData\Local\Temp\acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe
  "C:\Users\Admin\AppData\Local\Temp\acddb1bd00c82aa878db043c8425197ae2697fd3311425ff5c833c96c2c6bb66.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 300
    3⤵
    - Program crash
    PID:3368
- - C:\Users\Admin\vow.exe
    \u
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 272
        5⤵
        Program crash
        
        PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5527.bat" "
    3⤵
    PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2920 -ip 2920
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3060 -ip 3060
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5527.bat

Filesize
135B

MD5
497581b9847fc79f24e88ecac6daaa4f

SHA1
c795bf13f140da5abebefe8e274b5004478d0f9f

SHA256
1059a9485d661dd5bf67d3d6b1a4dc49e1433687693e8875a42592f915fe4e40

SHA512
9aa7ff99b054592a23beddfad7af61fb15d690fc8b6c1a69659388fd873a82555396c1e6de0954c258f4fdf0414ba0ce91fe987600cf51eff8fd25d0fd450c67

Download Submit
C:\Users\Admin\vow.exe

Filesize
35KB

MD5
57eec3afba4c946261e203b38784b3ae

SHA1
979a6137d1d994806bc3c6a113caceaf4c630eab

SHA256
9a1a14ef451e6c9fae159851e2ac8892154a7f6e3b1aa30e4be1549a68315523

SHA512
2a5fbd44d329a5935bcd0b43d13b8ffd4f8e815329fba100858c0cebd178df73e353d267aa651f36b139308df435c2014c053eaf78d47ef43720043d124fd817

Download Submit
C:\Users\Admin\vow.exe

Filesize
35KB

MD5
57eec3afba4c946261e203b38784b3ae

SHA1
979a6137d1d994806bc3c6a113caceaf4c630eab

SHA256
9a1a14ef451e6c9fae159851e2ac8892154a7f6e3b1aa30e4be1549a68315523

SHA512
2a5fbd44d329a5935bcd0b43d13b8ffd4f8e815329fba100858c0cebd178df73e353d267aa651f36b139308df435c2014c053eaf78d47ef43720043d124fd817

Download Submit
C:\Windows\SysWOW64\userdiff.sav

Filesize
44KB

MD5
d327d5793fe04634b37b194514e70f6f

SHA1
e4d36ce1777c23f1a9a5a0b4c9da05dcdbc204ba

SHA256
61f59426cb5759173a148a26b6c135ccbcd085cdc022dc775f0d5a9c54ece3e2

SHA512
7dc3fb2f0622fc5c7cea837f7bbf2c4212a9d46fa785341c8ec4a73c7eb56da79a92e9ef597ec2e84c656580fc96216c529a58ffe95a37dea938b5cb45146236

Download Submit
memory/2920-133-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2920-135-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2920-151-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3060-143-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/3560-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3560-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3560-139-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads