Analysis
-
max time kernel
103s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29/12/2022, 17:47
General
-
Target
VMware-workstation-full-17.0.0-20800274.exe
-
Size
607.9MB
-
MD5
cb7adf6d87af6575f35da9974a3b46b9
-
SHA1
d244b21b197943b706a2c2b4ae5b82109d55fbf1
-
SHA256
977e44df8ad7ea6f80ca14a1f817a65a38bb1660d1b776d4ad80577d9d52c2c7
-
SHA512
0a0f89c70c900b7a39803d0a39d7c5eb55ab7d194dfd49dbc5a4d236761eca38be02947a638405aae18562b052d0b3c54604811aa4e510f530496b3249f673c0
-
SSDEEP
12582912:nRK04jaCxy21Zp8b0geTklQFdinUqd4buHT9GqryfTUDe0mhlJvYW:nRK08afJ0geAlQFdinUe4b9qe4De0mhP
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VMware-workstation-full-17.0.0-20800274.exe"C:\Users\Admin\AppData\Local\Temp\VMware-workstation-full-17.0.0-20800274.exe"1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x86.exe"C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x86.exe" /Q /norestart2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{FDC7DAAE-414D-4FE3-803F-33C920277394}\.cr\vcredist_x86.exe"C:\Windows\Temp\{FDC7DAAE-414D-4FE3-803F-33C920277394}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0E992720-1330-4AB3-8155-255F79785535}~setup\vcredist_x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /Q /norestart3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{FF8F7C21-59A2-4D0D-B40E-87F1A2B9578D}\.be\VC_redist.x86.exe"C:\Windows\Temp\{FF8F7C21-59A2-4D0D-B40E-87F1A2B9578D}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{6B7BC0D0-35C7-4949-AD18-1D32CC1072A8} {F271B72D-519D-41C8-822D-E45446244DFE} 46364⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 15084⤵
- Program crash
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4636 -ip 46361⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x520 0x5241⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13.1MB
MD54df5dde302a87e2e85351af689892fcf
SHA1ae587be1c1ad6d58fbe73d43ce1ea0771d774ba7
SHA2562acbfe92157c1cf1a7b524a9325824046d83dbfa3feb1cbd4dd02a42e020f77c
SHA512d10f98f221b79b77fe92f93ac09d34c53c1e58b690dd61b6f770d892d7619b5fa38edb2c0800ce2dec715e6c2d3f46848c5a4a3b25b64967eebc05eaa0afade3
-
Filesize
13.1MB
MD54df5dde302a87e2e85351af689892fcf
SHA1ae587be1c1ad6d58fbe73d43ce1ea0771d774ba7
SHA2562acbfe92157c1cf1a7b524a9325824046d83dbfa3feb1cbd4dd02a42e020f77c
SHA512d10f98f221b79b77fe92f93ac09d34c53c1e58b690dd61b6f770d892d7619b5fa38edb2c0800ce2dec715e6c2d3f46848c5a4a3b25b64967eebc05eaa0afade3
-
Filesize
634KB
MD5ff6e9c111f04dd7b06691bed6d8f0db2
SHA1211c95ea9f7452afc1edebca6e303fba84936fa1
SHA25605981b519a2a45407b5c8a213f04ad4caff964b2a9ae916d9269c01b45897eb1
SHA5127beb492a3327670e19878c66a9e4b1bc45727146a14e9f79b642c94abf4d7a9ebf647428739448c447eadc6b045f0c0c750908577456520e341d4e62eff0ae0f
-
Filesize
634KB
MD5ff6e9c111f04dd7b06691bed6d8f0db2
SHA1211c95ea9f7452afc1edebca6e303fba84936fa1
SHA25605981b519a2a45407b5c8a213f04ad4caff964b2a9ae916d9269c01b45897eb1
SHA5127beb492a3327670e19878c66a9e4b1bc45727146a14e9f79b642c94abf4d7a9ebf647428739448c447eadc6b045f0c0c750908577456520e341d4e62eff0ae0f
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
634KB
MD5ff6e9c111f04dd7b06691bed6d8f0db2
SHA1211c95ea9f7452afc1edebca6e303fba84936fa1
SHA25605981b519a2a45407b5c8a213f04ad4caff964b2a9ae916d9269c01b45897eb1
SHA5127beb492a3327670e19878c66a9e4b1bc45727146a14e9f79b642c94abf4d7a9ebf647428739448c447eadc6b045f0c0c750908577456520e341d4e62eff0ae0f
-
Filesize
634KB
MD5ff6e9c111f04dd7b06691bed6d8f0db2
SHA1211c95ea9f7452afc1edebca6e303fba84936fa1
SHA25605981b519a2a45407b5c8a213f04ad4caff964b2a9ae916d9269c01b45897eb1
SHA5127beb492a3327670e19878c66a9e4b1bc45727146a14e9f79b642c94abf4d7a9ebf647428739448c447eadc6b045f0c0c750908577456520e341d4e62eff0ae0f