Analysis
- max time kernel: 32s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 01:58

Static task: static1
Behavioral task: behavioral1
- Sample: c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
- Resource: win7-20220812-en
General
- Target: c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
- Size: 605KB
- MD5: 68b23221d1af190c3bfadd23fc64e87d
- SHA1: 1e6ae48e30d17c3e2acab6f1567ec2b380391e82
- SHA256: c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2
- SHA512: ebe0a16676545a37d5692b75abc552f35f69a14a4d04c0b12f9021fcbc14ca3fdb1c59b59ae2f5b58bc8bdb69e15a8e2d041d738fadbf23e02ab6de7087e55be
- SSDEEP: 6144:g/sxRbSSN0fItQTG2BDqVMRs3HaMlFZqGT2/dSfLpkPHR39OL85GUS4rg:ggSYjOGk8AVHU85
Malware Config

Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: vbc.exe (PID 1368)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

Disables RegEdit via registry modification (1 IoC)
Process: vbc.exe (PID 1368)
- Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification

YARA matches (rule: upx) on memory dumps of PID 1368 (vbc.exe):
- behavioral1/memory/1368-57-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-60-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-59-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-62-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-64-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-65-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-69-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-70-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-71-0x0000000000400000-0x00000000004B9000-memory.dmp
- behavioral1/memory/1368-72-0x0000000000400000-0x00000000004B9000-memory.dmp

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Process: c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe (PID 2036)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hotkcmd = "C:\Users\Admin\AppData\Roaming\hotkcmd.exe"

Suspicious use of SetThreadContext (1 IoC)
- PID 2036 (c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe) set thread context of PID 1368 (vbc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Process: vbc.exe (PID 1368) adjusted the following token privileges:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33, 34, 35 (reported by LUID only; in winnt.h these are SE_INC_WORKING_SET_PRIVILEGE, SE_TIME_ZONE_PRIVILEGE and SE_CREATE_SYMBOLIC_LINK_PRIVILEGE)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2036 (c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe), 2 calls

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2036 (c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe) wrote to memory of PID 1368 (vbc.exe): 8 times
- PID 2036 (c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe) wrote to memory of PID 1816 (cmd.exe): 4 times
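The registry IoCs above are the ones a detection engineer would turn into rules: a firewall profile switched off, the Registry Editor policy set, and a Run entry pointing into AppData. The following is an added example, not code from this report or from the sandbox vendor, that normalises registry events written in the report's native \REGISTRY\MACHINE / \REGISTRY\USER\<SID> form and evaluates them against those behaviours. The events are constructed to match the report's rows (plus one benign installer row as a control); the ATT&CK IDs are current sub-technique numbers, not the v6 numbering the report's matrix uses.

```python
"""Detection logic for the registry IoCs in this report, run over constructed
Sysmon-style registry events (sample data shaped like the report rows, not an
export from the sandbox)."""
import re
from dataclasses import dataclass

# Constructed events: (image, operation, native key path, value as a string).
SAMPLE_EVENTS = [
    ("vbc.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "0"),
    ("vbc.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications",
     "0"),
    ("vbc.exe", "Set value (int)",
     r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "1"),
    ("c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe", "Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hotkcmd",
     r"C:\Users\Admin\AppData\Roaming\hotkcmd.exe"),
    # Constructed benign control: an installer registering a Run entry under Program Files.
    ("setup.exe", "Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Program Files\Vendor\updater.exe"),
]

@dataclass
class Finding:
    process: str
    technique: str   # current ATT&CK ID (the report's matrix uses v6 numbering)
    reason: str

_USER_SID = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+\\", re.IGNORECASE)
_USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def normalize(path):
    """Map a native \\REGISTRY\\... path to the HKLM/HKCU form detection rules are written in."""
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    p = p.replace("\\REGISTRY\\USER\\", "HKU\\", 1)
    p = re.sub(r"ControlSet\d{3}", "CurrentControlSet", p, flags=re.IGNORECASE)
    # A user hive addressed by SID is that user's HKCU; a lambda avoids backslash escapes in repl.
    return _USER_SID.sub(lambda m: "HKCU\\", p)

def evaluate(event):
    """Return a Finding when an event matches one of the behaviours flagged in this report."""
    image, _op, path, value = event
    key = normalize(path)
    lkey = key.lower()
    name = lkey.rsplit("\\", 1)[-1]
    if ("\\sharedaccess\\parameters\\firewallpolicy\\" in lkey
            and name == "enablefirewall" and value == "0"):
        return Finding(image, "T1562.004", "Windows Firewall profile disabled: " + key)
    if lkey.endswith("\\policies\\system\\disableregistrytools") and value == "1":
        return Finding(image, "T1112", "Registry Editor disabled (DisableRegistryTools=1)")
    if lkey.endswith("\\policies\\system\\disabletaskmgr") and value == "1":
        return Finding(image, "T1112", "Task Manager disabled (DisableTaskMgr=1)")
    if ("\\currentversion\\run\\" in lkey
            and any(m in value.lower() for m in _USER_WRITABLE)):
        return Finding(image, "T1547.001", f"Run key '{name}' points into a user-writable path: {value}")
    return None

def scan(events=SAMPLE_EVENTS):
    """All findings for a list of events, in event order."""
    return [f for f in map(evaluate, events) if f is not None]

if __name__ == "__main__":
    for f in scan():
        print(f"{f.technique:<10} {f.process[:24]:<24} {f.reason}")
```

Run as a script it prints three findings: the firewall disable, the DisableRegistryTools policy and the hotkcmd Run key. The DisableNotifications = "0" row is deliberately not flagged (0 leaves notifications on, as the report shows), and the Program Files Run entry passes the user-writable-path filter; the Task Manager rule is included because the report lists that signature even though no IoC row is attached to it.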
Processes

1. C:\Users\Admin\AppData\Local\Temp\c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe (PID 2036)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1368)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Modifies firewall policy service
      - Disables RegEdit via registry modification
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmd.exe (PID 1816)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Deadly DDoSer.bat" "
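The process tree together with the signature rows is the classic RunPE / process-hollowing picture: the sample spawns a legitimate system binary (vbc.exe) with no arguments, writes into it eight times, calls SetThreadContext on it, and the sandbox's upx rule then matches every dump of that child's 0x400000 image region. The block below is an added example, not code from this report or the sandbox vendor, that scores that pattern from API telemetry; the process table, parent map and API rows are constructed from the report's figures, and the confidence weights are the author's own choice.

```python
"""Process-hollowing heuristic over constructed API telemetry shaped like this
report's signature rows (sample data, not an export from the sandbox)."""
from collections import defaultdict

# Process images by PID, as the report's Processes section lists them.
PROCESSES = {
    2036: r"C:\Users\Admin\AppData\Local\Temp\c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe",
    1368: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
    1816: r"C:\Windows\SysWOW64\cmd.exe",
}
PARENT = {1368: 2036, 1816: 2036}          # child -> parent
COMMAND_LINES = {1368: ""}                 # vbc.exe was started with no arguments

# One (source pid, api, target pid) row per IoC the report lists.
API_EVENTS = (
    [(2036, "WriteProcessMemory", 1368)] * 8
    + [(2036, "WriteProcessMemory", 1816)] * 4
    + [(2036, "SetThreadContext", 1368)]
)
# YARA hits per PID: the report's upx rule matched every dump of 1368's 0x400000 image region.
YARA_HITS = {1368: {"upx"}}

def hollowing_candidates(processes, parent, api_events, yara_hits, command_lines=None):
    """Return {child_pid: evidence} for every child whose parent both wrote its memory
    and reset a thread context in it (the RunPE / process-hollowing sequence)."""
    command_lines = command_lines or {}
    writes, ctx = defaultdict(int), defaultdict(int)
    for src, api, dst in api_events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx[(src, dst)] += 1
    found = {}
    for (src, dst), n_ctx in ctx.items():
        if parent.get(dst) != src or writes[(src, dst)] == 0:
            continue            # not a child, or context change without prior writes: skip
        image = processes.get(dst, "")
        found[dst] = {
            "parent": src,
            "writes": writes[(src, dst)],
            "set_thread_context": n_ctx,
            "system_binary_target": image.lower().startswith("c:\\windows\\"),
            "empty_command_line": dst in command_lines and command_lines[dst].strip() == "",
            "yara": sorted(yara_hits.get(dst, ())),
        }
    return found

def verdict(evidence):
    """Score the supporting evidence: the write+context pair alone is 'injection';
    a system-binary target, an argument-less launch and a packer hit in its image
    region raise it to hollowing (weights are an assumption of this example)."""
    points = 1 + sum((evidence["system_binary_target"],
                      evidence["empty_command_line"],
                      bool(evidence["yara"])))
    return "process hollowing (high confidence)" if points >= 3 else "code injection (review)"

if __name__ == "__main__":
    found = hollowing_candidates(PROCESSES, PARENT, API_EVENTS, YARA_HITS, COMMAND_LINES)
    for pid, ev in found.items():
        print(pid, PROCESSES[pid], verdict(ev), ev)
```

Only PID 1368 comes back as a candidate. cmd.exe (PID 1816) also received four WriteProcessMemory calls from the parent, but with no SetThreadContext it never enters the candidate set; the write count on its own is a weak signal and the heuristic deliberately does not act on it. For live telemetry, feed the same three inputs from Sysmon event ID 1 (parent, image, command line), an API-monitoring source for the two calls, and your memory scanner's YARA hits.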
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\Deadly DDoSer.bat
- Filesize: 6KB
- MD5: 0ebf2430bd76b25eed50e62348303da5
- SHA1: 381964d30507181cf88fbb0282768643e9f2ad68
- SHA256: 9fdd4bdac8625e74bb633f69bcde97ac0cb7fb9b1d141afada367aa489600716
- SHA512: ad113ed63edecaf86d9734ae93f52ed260fa66608b9dfab5fe838a5bf7ae4158d92d6e593062b4d789eb9c2e3ad7215471f1169d94ba227aba06ca08655409e4
Memory dumps (behavioral1; name format memory/<pid>-<sequence>-<start>-<end>-memory.dmp)

Name                                                               Filesize
memory/1368-64-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-62-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-57-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-60-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-65-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-59-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-56-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-72-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-61-0x00000000004B70B0-mapping.dmp                      (mapping dump, no size reported)
memory/1368-71-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-70-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1368-69-0x0000000000400000-0x00000000004B9000-memory.dmp    740KB
memory/1816-66-0x0000000000000000-mapping.dmp                      (mapping dump, no size reported)
memory/2036-68-0x00000000745A0000-0x0000000074B4B000-memory.dmp    5.7MB
memory/2036-55-0x00000000745A0000-0x0000000074B4B000-memory.dmp    5.7MB
memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp    8KB

All eleven 1368-*-memory.dmp entries cover the same 0x400000-0x4B9000 range (0xB9000 bytes, the 740KB shown), which is the image-base region of vbc.exe (PID 1368) that the upx YARA rule matched: repeated dumps of one region are the sandbox snapshotting the injected image as it is written and executed. The 2036 dumps are module-sized regions of the parent; the mapping dumps record a single address (the 0x4B70B0 entry in 1368 is the last mapping taken before that child ran) and carry no size.