c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222

Analysis

max time kernel
184s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe
Size

88KB
MD5

ea842cc2ba0897004f06c567265d0018
SHA1

a50f998b45fbc8421843e72e26c7758d505ad1ef
SHA256

c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222
SHA512

b5fa2fe5dfc261baeb37caeec156bce6bb977eb3db7f4b95e4469b6a10667726d95fd08b4a5dcb2c3af3adad8830f851cdbb5b963a21ba5f02eaea857152fb86
SSDEEP

1536:udzCU+0hpqocjK5b3jzvQXp9rZkCRn4HoxPRPuUDFjiTzJpkuXwVXtS7Zknj0n:ulC27qOzv4hRnwoxPRPvDFGTzb3AzSNU

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\vrgrrz.exe comsysapp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\vrgrrz.exe comsysapp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\vrgrrz.exe comsysapp"	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe
5236	rundll32.exe
5336	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\vrgrrz.dll	rundll32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\vrgrrz.exe	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\vrgrrz.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
5272	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe
4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe
5336	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe
Token: SeDebugPrivilege	5336	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe
4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 5236	4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe	80
PID 4824 wrote to memory of 5236	4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe	80
PID 4824 wrote to memory of 5236	4824	c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe	80
PID 5236 wrote to memory of 5272	5236	rundll32.exe	81
PID 5236 wrote to memory of 5272	5236	rundll32.exe	81
PID 5236 wrote to memory of 5272	5236	rundll32.exe	81
PID 5236 wrote to memory of 5336	5236	rundll32.exe	82
PID 5236 wrote to memory of 5336	5236	rundll32.exe	82
PID 5236 wrote to memory of 5336	5236	rundll32.exe	82

C:\Users\Admin\AppData\Local\Temp\c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe
"C:\Users\Admin\AppData\Local\Temp\c1b9c8efcb30e6a1866e33a5fb2da0a6b487af7dbba09953308a79861d48a222.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\vrgrrzreg.dll",polmxhat
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:5236
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\vrgrrzreg.reg"
    3⤵
    - Sets service image path in registry
    - Runs .reg file with regedit
    PID:5272
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\Microsoft Shared\vrgrrz.dll",polmxhat
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\vrgrrz.dll

Filesize
71KB

MD5
974be6d427181e5db97016dc199923ba

SHA1
8f86efbf1480b5491c897ee27cb365791d7bdb6a

SHA256
ecedc1d4212b13c3d5b41525b8a2246b4ce700f39cc38c663b052e838d5c10d1

SHA512
e97fe1412045afd026780157b1158b8ffc8cf949a2b4ae984407c732113e6853122372084f9b27cb87ace9066164839e4a620f20dc17061ed9e57c703869ec89

Download Submit
C:\Program Files\Common Files\microsoft shared\vrgrrz.dll

Filesize
71KB

MD5
974be6d427181e5db97016dc199923ba

SHA1
8f86efbf1480b5491c897ee27cb365791d7bdb6a

SHA256
ecedc1d4212b13c3d5b41525b8a2246b4ce700f39cc38c663b052e838d5c10d1

SHA512
e97fe1412045afd026780157b1158b8ffc8cf949a2b4ae984407c732113e6853122372084f9b27cb87ace9066164839e4a620f20dc17061ed9e57c703869ec89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrgrrz.dll

Filesize
71KB

MD5
974be6d427181e5db97016dc199923ba

SHA1
8f86efbf1480b5491c897ee27cb365791d7bdb6a

SHA256
ecedc1d4212b13c3d5b41525b8a2246b4ce700f39cc38c663b052e838d5c10d1

SHA512
e97fe1412045afd026780157b1158b8ffc8cf949a2b4ae984407c732113e6853122372084f9b27cb87ace9066164839e4a620f20dc17061ed9e57c703869ec89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrgrrzreg.dll

Filesize
71KB

MD5
974be6d427181e5db97016dc199923ba

SHA1
8f86efbf1480b5491c897ee27cb365791d7bdb6a

SHA256
ecedc1d4212b13c3d5b41525b8a2246b4ce700f39cc38c663b052e838d5c10d1

SHA512
e97fe1412045afd026780157b1158b8ffc8cf949a2b4ae984407c732113e6853122372084f9b27cb87ace9066164839e4a620f20dc17061ed9e57c703869ec89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrgrrzreg.dll

Filesize
71KB

MD5
974be6d427181e5db97016dc199923ba

SHA1
8f86efbf1480b5491c897ee27cb365791d7bdb6a

SHA256
ecedc1d4212b13c3d5b41525b8a2246b4ce700f39cc38c663b052e838d5c10d1

SHA512
e97fe1412045afd026780157b1158b8ffc8cf949a2b4ae984407c732113e6853122372084f9b27cb87ace9066164839e4a620f20dc17061ed9e57c703869ec89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrgrrzreg.reg

Filesize
1KB

MD5
1ea2d8713f4b8bc3282444fdae56ead6

SHA1
4b64a3d65171070132db80d494328beccdda5abf

SHA256
4d8a5aa4f4268743ff19c6a2b56fb9a81378f0801c9442bea7c234013f3ca63a

SHA512
1a9a162ea30e978ed07a9ae5896341d109008919c91f135eb504e4ece2e895a26681c8afbb8cfcc75b03a21c6c8cbfe4c010346e1b3bbe51ca84b09bfcad7079

Download Submit