Analysis
- max time kernel: 38s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 09-12-2022 13:40
Static task: static1
Behavioral task: behavioral1
Sample: 103.133.110.147_-_outlook_-_vbc.exe___2b087c00777a630a4100c122f4687783.exe
Resource: win7-20220812-en
General
- Target: 103.133.110.147_-_outlook_-_vbc.exe___2b087c00777a630a4100c122f4687783.exe
- Size: 334KB
- MD5: 2b087c00777a630a4100c122f4687783
- SHA1: 618f5bf8bea9d2c431c4389c18e2dd91082a0d67
- SHA256: 12a921f6abb929d4f8b28924868dcc468299e44745c37db3aa7e4ac9bfe38869
- SHA512: cb47508cf530de56e1c2317351eca84b832d431a516c4da2676855e6d76fc6d06b4b328d4c7ece2ff7ccc54acf04644a1f30e4e8b8067dc9889f4a7a32eaa37b
- SSDEEP: 6144:QBn1W74u851+xu+La/EZ4sAR7Im/VvQgUJ5IBjiIQ1XhXXMaXTEZ2iaH4hY:gW7OgxLLaE2R7IwY5MjinzEoPHKY
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1340 rbygg.exe
  - 1476 rbygg.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  - 1424 103.133.110.147_-_outlook_-_vbc.exe___2b087c00777a630a4100c122f4687783.exe
  - 1340 rbygg.exe
  - 940 WerFault.exe
  - 940 WerFault.exe
  - 940 WerFault.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 1340 set thread context of 1476: rbygg.exe (1340) -> rbygg.exe (1476)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  - 940 1476 WerFault.exe rbygg.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
  - 1340 rbygg.exe
  - 1340 rbygg.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, pid, process, target process):
  - PID 1424 wrote to memory of 1340: 103.133.110.147_-_outlook_-_vbc.exe___2b087c00777a630a4100c122f4687783.exe (1424) -> rbygg.exe (1340), 4 events
  - PID 1340 wrote to memory of 1476: rbygg.exe (1340) -> rbygg.exe (1476), 5 events
  - PID 1476 wrote to memory of 940: rbygg.exe (1476) -> WerFault.exe (940), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\103.133.110.147_-_outlook_-_vbc.exe___2b087c00777a630a4100c122f4687783.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\103.133.110.147_-_outlook_-_vbc.exe___2b087c00777a630a4100c122f4687783.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1424
  - C:\Users\Admin\AppData\Local\Temp\rbygg.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rbygg.exe" C:\Users\Admin\AppData\Local\Temp\kddircpspqa.tkt
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1340
    - C:\Users\Admin\AppData\Local\Temp\rbygg.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rbygg.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1476
      - C:\Windows\SysWOW64\WerFault.exe (level 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 36
        - Loads dropped DLL
        - Program crash
        PID: 940
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\kddircpspqa.tkt
Filesize: 5KB
MD5: 5def413bb305e22659152545633d4394
SHA1: ea186096bc4445be3a749bfe98ff1549f822da5e
SHA256: 69ac40a2aeebad2a280bb794d8a8f0a2e2d195739b6317d4f94897bc22a51309
SHA512: e4917aced9bae7c29d4bb553a8675596719c8ff5e39cd8f034ae897197fd662b596b013311d010b9282fa269ae03fdc6aba27c2e84ba9f350771ff7a022e2144
-
C:\Users\Admin\AppData\Local\Temp\rbygg.exe
Filesize: 267KB
MD5: 8dcd475914550c7b97c0692d42b0b5cc
SHA1: 07f9a2e01086f31881d2b46447a30032ddaf1b75
SHA256: 408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4
SHA512: 5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23
-
C:\Users\Admin\AppData\Local\Temp\wiidn.o
Filesize: 185KB
MD5: c985ca943df871d4ca23679cb7be7dd7
SHA1: a6d315d44a90d685deb4eea6c6778ed2e5f0f575
SHA256: 2b159ae78ee415b70683cbc5fc7d479b9dc62c127d98afa021f10824ca8fb8ab
SHA512: 5d471a2a84751b756863e4766f7ec1f288c08482ac365e90726501dc385a99da72a6b7104e7dfeb365926997c7df1aa22f9f9c8b343ed60d53ed868b3e8933c4
-
\Users\Admin\AppData\Local\Temp\rbygg.exe
Filesize: 267KB
MD5: 8dcd475914550c7b97c0692d42b0b5cc
SHA1: 07f9a2e01086f31881d2b46447a30032ddaf1b75
SHA256: 408c5d65bd00332fcc1fcdfd1b01e6bcea3ec07d236f2d203977d824c76cdcf4
SHA512: 5e2f68ba27ef5c5749826e3a7483e3920a5c43101cb8c6d117567d6bae7b87d23b0090e5b75213481b9a0ee1c10b4e437982d8d9de56fce0b37b3e590dd10a23
-
memory/940-64-0x0000000000000000-mapping.dmp
-
memory/1340-56-0x0000000000000000-mapping.dmp
-
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp
Filesize: 8KB
-
memory/1476-62-0x00000000000812B0-mapping.dmp