Analysis
max time kernel: 106s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 01:58
Static task: static1
Behavioral task: behavioral1
Sample: c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
Resource: win7-20220812-en
General
Target: c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
Size: 605KB
MD5: 68b23221d1af190c3bfadd23fc64e87d
SHA1: 1e6ae48e30d17c3e2acab6f1567ec2b380391e82
SHA256: c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2
SHA512: ebe0a16676545a37d5692b75abc552f35f69a14a4d04c0b12f9021fcbc14ca3fdb1c59b59ae2f5b58bc8bdb69e15a8e2d041d738fadbf23e02ab6de7087e55be
SSDEEP: 6144:g/sxRbSSN0fItQTG2BDqVMRs3HaMlFZqGT2/dSfLpkPHR39OL85GUS4rg:ggSYjOGk8AVHU85
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
  description     | ioc                                                                                                                      | process
  Key created     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                     | vbc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        | vbc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  | vbc.exe
Disables RegEdit via registry modification (1 IoCs)
Processes:
  description     | ioc                                                                                                                                      | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbc.exe
Disables Task Manager via registry modification

YARA rule matches (rule: upx)
  resource                                                                    | yara_rule
  behavioral2/memory/3288-135-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral2/memory/3288-136-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral2/memory/3288-137-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral2/memory/3288-138-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral2/memory/3288-139-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral2/memory/3288-143-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
  behavioral2/memory/3288-144-0x0000000000400000-0x00000000004B9000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description       | ioc                                                                                                  | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description     | ioc                                                                                                                                                                  | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hotkcmd = "C:\\Users\\Admin\\AppData\\Roaming\\hotkcmd.exe" | c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          | pid  | process                                                              | target process
  PID 2064 set thread context of 3288  | 2064 | c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe | vbc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | process
  3288 | vbc.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  pid 3288 (vbc.exe) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid  | process
  2064 | c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
  2064 | c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                        | pid  | process                                                              | target process
  PID 2064 wrote to memory of 3288   | 2064 | c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe | vbc.exe   (8 occurrences)
  PID 2064 wrote to memory of 4932   | 2064 | c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe | cmd.exe   (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Modifies firewall policy service
      - Disables RegEdit via registry modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Deadly DDoSer.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Deadly DDoSer.bat
  Filesize: 6KB
  MD5: 0ebf2430bd76b25eed50e62348303da5
  SHA1: 381964d30507181cf88fbb0282768643e9f2ad68
  SHA256: 9fdd4bdac8625e74bb633f69bcde97ac0cb7fb9b1d141afada367aa489600716
  SHA512: ad113ed63edecaf86d9734ae93f52ed260fa66608b9dfab5fe838a5bf7ae4158d92d6e593062b4d789eb9c2e3ad7215471f1169d94ba227aba06ca08655409e4

memory/2064-133-0x00000000753E0000-0x0000000075991000-memory.dmp
  Filesize: 5.7MB

memory/2064-142-0x00000000753E0000-0x0000000075991000-memory.dmp
  Filesize: 5.7MB

memory/2064-132-0x00000000753E0000-0x0000000075991000-memory.dmp
  Filesize: 5.7MB

memory/3288-135-0x0000000000400000-0x00000000004B9000-memory.dmp
  Filesize: 740KB

memory/3288-137-0x0000000000400000-0x00000000004B9000-memory.dmp
  Filesize: 740KB

memory/3288-138-0x0000000000400000-0x00000000004B9000-memory.dmp
  Filesize: 740KB

memory/3288-139-0x0000000000400000-0x00000000004B9000-memory.dmp
  Filesize: 740KB

memory/3288-136-0x0000000000400000-0x00000000004B9000-memory.dmp
  Filesize: 740KB

memory/3288-134-0x0000000000000000-mapping.dmp

memory/3288-143-0x0000000000400000-0x00000000004B9000-memory.dmp
  Filesize: 740KB

memory/3288-144-0x0000000000400000-0x00000000004B9000-memory.dmp
  Filesize: 740KB

memory/4932-140-0x0000000000000000-mapping.dmp