80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe
Size

173KB
MD5

ebb1ba2ee98688a8fb136e6922d36149
SHA1

787f0c098f82793cd5c236da41de1453bb965b5a
SHA256

80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7
SHA512

3a3caa902507a80bf136987d5c586a4d68e8f03e2a1b935a01dfa5b7ff01524aeea6deddb2cbf2b69f7b358f02277ac85cc0b9165a90a4c9c493044a7fe7cc26
SSDEEP

3072:X4lRkAehGfzmuqTPryFsYax1o9Yh+ZHAzfPZ7Xy4bHlAIyHUQ:X4lRkAehaKuqT+FsYa5+OPNi4Z8

Score

8^/10

evasion persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
2000	attrib.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "vbGH43.exe"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\vbGH43.exe	cmd.exe
File opened for modification	C:\Windows\vbGH43.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2040	reg.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 900	1552	80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe	28
PID 1552 wrote to memory of 900	1552	80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe	28
PID 1552 wrote to memory of 900	1552	80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe	28
PID 1552 wrote to memory of 900	1552	80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe	28
PID 1552 wrote to memory of 900	1552	80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe	28
PID 1552 wrote to memory of 900	1552	80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe	28
PID 1552 wrote to memory of 900	1552	80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe	28
PID 900 wrote to memory of 1760	900	cmd.exe	30
PID 900 wrote to memory of 1760	900	cmd.exe	30
PID 900 wrote to memory of 1760	900	cmd.exe	30
PID 900 wrote to memory of 1760	900	cmd.exe	30
PID 900 wrote to memory of 1760	900	cmd.exe	30
PID 900 wrote to memory of 1760	900	cmd.exe	30
PID 900 wrote to memory of 1760	900	cmd.exe	30
PID 900 wrote to memory of 2000	900	cmd.exe	31
PID 900 wrote to memory of 2000	900	cmd.exe	31
PID 900 wrote to memory of 2000	900	cmd.exe	31
PID 900 wrote to memory of 2000	900	cmd.exe	31
PID 900 wrote to memory of 2000	900	cmd.exe	31
PID 900 wrote to memory of 2000	900	cmd.exe	31
PID 900 wrote to memory of 2000	900	cmd.exe	31
PID 900 wrote to memory of 2040	900	cmd.exe	32
PID 900 wrote to memory of 2040	900	cmd.exe	32
PID 900 wrote to memory of 2040	900	cmd.exe	32
PID 900 wrote to memory of 2040	900	cmd.exe	32
PID 900 wrote to memory of 2040	900	cmd.exe	32
PID 900 wrote to memory of 2040	900	cmd.exe	32
PID 900 wrote to memory of 2040	900	cmd.exe	32

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1760	attrib.exe
2000	attrib.exe

C:\Users\Admin\AppData\Local\Temp\80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe
"C:\Users\Admin\AppData\Local\Temp\80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\78hjHG.cmd" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A -H -S -R hosts
    3⤵
    - Views/modifies file attributes
    PID:1760
- - C:\Windows\SysWOW64\attrib.exe
    attrib +S +H +R hosts
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /ve /d "vbGH43.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\78hjHG.cmd

Filesize
424B

MD5
5ee2b3c2ec0e379e12c4d8242a5fb350

SHA1
be8f7a06dee09e906aa64595873b579ca89955fa

SHA256
e3391d741ba7f8ba9208003bec615ed52e02cdfc33c9ee4635011b4cef007d0b

SHA512
12ed52d19abedc93ec057251b4a9a21f7bfde532d68dd5f1ffdec46ed96bf757304ab310e6fd948351348dd0c6ec89a621a6aeb02aed9020ef49670496f54192

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbGH43.exe

Filesize
100KB

MD5
84def025e483423d3b8431a3e1eb6a95

SHA1
28dd6e10c85958334a18b02f835fe8358941afd6

SHA256
7f8cecb48badfd674bcae781161a87e69e52407eac3e2bae9c6555d16dce4773

SHA512
e1477f7f22fefddf92c287632e0f7b7f22a4fa2506f13f13064dc97b2c3bd0ebaf1b1440a200b76f1ad93ec98a3c652c2fc2a6af9ae2e5b3bfe6aa41f087a969

Download Submit
memory/1552-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads