9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 21:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e.exe
Size

339KB
MD5

3acf7d3af3b973902c2b483a798c90a8
SHA1

793c2bb991d7ab8e6f567da3454216e1035654e4
SHA256

9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e
SHA512

df2923a4cf017e12e3ad38d3c194cd0c67d3eab67a39e6b7026795e14a4e80b703f2867efb345bfbb579dd7d7b72e3041d74e00015c547043b0cbf61970c0131
SSDEEP

6144:p6pVodWuBFZBKDWpoXAO7RhJKcpkoA944Anben93xYO1:p6pV+BFAE2FRhJKMkHunbK93xYO

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5056-132-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral2/memory/4660-135-0x0000000000400000-0x00000000004D5000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\VgrAMc1CWoK5	VgrAMc1CWoK5.exe
File opened for modification	C:\PROGRA~3\VgrAMc1CWoK5	VgrAMc1CWoK5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	VgrAMc1CWoK5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"	VgrAMc1CWoK5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5056	9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4660	VgrAMc1CWoK5.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5056	9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe
4660	VgrAMc1CWoK5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4660	5056	9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e.exe	81
PID 5056 wrote to memory of 4660	5056	9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e.exe	81
PID 5056 wrote to memory of 4660	5056	9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e.exe	81

C:\Users\Admin\AppData\Local\Temp\9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e.exe
"C:\Users\Admin\AppData\Local\Temp\9802015890078ee71b099d8cfc44bdc275dce9308ff5dfd6fc21f91399cfcd8e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056
- C:\PROGRA~3\VgrAMc1CWoK5.exe
  C:\PROGRA~3\VgrAMc1CWoK5.exe
  2⤵
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4660-135-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4660-136-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/5056-132-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/5056-134-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download