ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e

General

Target

ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe
Size

22.4MB
MD5

0c0958afa2f46d9617a9fd6ab7468bb8
SHA1

0771c861a7bdc702397766e7fc7c2c0e1315bbd8
SHA256

ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e
SHA512

7540571207bda3123c01688ae1779c272638a1d3698aa4a2f1dbe0c90ef4eaf1e0d2d3178c6cd255bf6736af3840d76f8aeef3b081e1b958891a3ecd17ff6a5a
SSDEEP

49152:ZMk2fdATU8bAz6JKRR86gulWpeWmenMj0yzPaxrTCy58e6FjBL:ZMy+O6NlIeWmbj5rapCY56Fjt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1036	vsafe_setup.exe

Loads dropped DLL 3 IoCs

pid	Process
1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe
1036	vsafe_setup.exe
1036	vsafe_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vsafe = "C:\\Users\\Public\\Qeue\\Naou.exe /vsafe /{1A4199DC-2764-4C76-BBA7-BBA848FE00C2}"	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	vsafe_setup.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1036	vsafe_setup.exe
1036	vsafe_setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1560	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	27
PID 1628 wrote to memory of 1560	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	27
PID 1628 wrote to memory of 1560	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	27
PID 1628 wrote to memory of 1560	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	27
PID 1628 wrote to memory of 1560	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	27
PID 1628 wrote to memory of 1560	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	27
PID 1628 wrote to memory of 1560	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	27
PID 1560 wrote to memory of 1116	1560	Net.exe	29
PID 1560 wrote to memory of 1116	1560	Net.exe	29
PID 1560 wrote to memory of 1116	1560	Net.exe	29
PID 1560 wrote to memory of 1116	1560	Net.exe	29
PID 1560 wrote to memory of 1116	1560	Net.exe	29
PID 1560 wrote to memory of 1116	1560	Net.exe	29
PID 1560 wrote to memory of 1116	1560	Net.exe	29
PID 1628 wrote to memory of 1036	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	30
PID 1628 wrote to memory of 1036	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	30
PID 1628 wrote to memory of 1036	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	30
PID 1628 wrote to memory of 1036	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	30
PID 1628 wrote to memory of 1036	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	30
PID 1628 wrote to memory of 1036	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	30
PID 1628 wrote to memory of 1036	1628	ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe	30

C:\Users\Admin\AppData\Local\Temp\ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe
"C:\Users\Admin\AppData\Local\Temp\ab0701c1749a772533308206f51b7ca233bfe6231a37d9d7af779ea37a4f9e1e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1116
- C:\Users\Admin\AppData\Local\Temp\g88759\vsafe_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g88759\vsafe_setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g88759\vsafe_setup.exe

Filesize
500KB

MD5
80acfba01b15107fb95a61131dc8a4f2

SHA1
605caa2f5754a5c2427e15c7f4d604c309671750

SHA256
2021a9bb1862e2f7b80fca93ada4e65a858c6acdde38fbccfa6dc6d3d676deec

SHA512
71cfb13c470f48c3bac14132788e75f0d62428acd69854d9d9f8556a52f52f8716b73912b4f58bc8c93efcc4f6da582b6259848996692147269f19559aa59207

Download Submit
C:\Users\Admin\AppData\Local\Temp\g88759\vsafe_setup.exe

Filesize
500KB

MD5
80acfba01b15107fb95a61131dc8a4f2

SHA1
605caa2f5754a5c2427e15c7f4d604c309671750

SHA256
2021a9bb1862e2f7b80fca93ada4e65a858c6acdde38fbccfa6dc6d3d676deec

SHA512
71cfb13c470f48c3bac14132788e75f0d62428acd69854d9d9f8556a52f52f8716b73912b4f58bc8c93efcc4f6da582b6259848996692147269f19559aa59207

Download Submit
\Users\Admin\AppData\Local\Temp\g88759\vsafe_setup.exe

Filesize
500KB

MD5
80acfba01b15107fb95a61131dc8a4f2

SHA1
605caa2f5754a5c2427e15c7f4d604c309671750

SHA256
2021a9bb1862e2f7b80fca93ada4e65a858c6acdde38fbccfa6dc6d3d676deec

SHA512
71cfb13c470f48c3bac14132788e75f0d62428acd69854d9d9f8556a52f52f8716b73912b4f58bc8c93efcc4f6da582b6259848996692147269f19559aa59207

Download Submit
\Users\Admin\AppData\Local\Temp\g88759\vsafe_setup.exe

Filesize
500KB

MD5
80acfba01b15107fb95a61131dc8a4f2

SHA1
605caa2f5754a5c2427e15c7f4d604c309671750

SHA256
2021a9bb1862e2f7b80fca93ada4e65a858c6acdde38fbccfa6dc6d3d676deec

SHA512
71cfb13c470f48c3bac14132788e75f0d62428acd69854d9d9f8556a52f52f8716b73912b4f58bc8c93efcc4f6da582b6259848996692147269f19559aa59207

Download Submit
\Users\Admin\AppData\Local\Temp\g88759\vsafe_setup.exe

Filesize
500KB

MD5
80acfba01b15107fb95a61131dc8a4f2

SHA1
605caa2f5754a5c2427e15c7f4d604c309671750

SHA256
2021a9bb1862e2f7b80fca93ada4e65a858c6acdde38fbccfa6dc6d3d676deec

SHA512
71cfb13c470f48c3bac14132788e75f0d62428acd69854d9d9f8556a52f52f8716b73912b4f58bc8c93efcc4f6da582b6259848996692147269f19559aa59207

Download Submit
memory/1628-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads