0bcaaad38d8ff5881dae662a481b5f64bfeb71a40bf27d61a35889e7667ce44a

Analysis

max time kernel
61s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sherack.exe
Size

268KB
MD5

89207e12f1f61594121f8b2e0bb9ff24
SHA1

6e51e8953ca7e102edca4bd5d8c5481a2e83054e
SHA256

0bcaaad38d8ff5881dae662a481b5f64bfeb71a40bf27d61a35889e7667ce44a
SHA512

186f20113a0986d34e2a5f6a5a8daebae8f023bb8dffcb6db840a82bd1eee9889858629c64207fd30b520695358464903a299c4b1183ec332cc35db73cddd29a
SSDEEP

6144:MYa69qoOJjNMKFSfJvFB6/8UtLkp8JOijJw8H:MYmMWSBvzGtIGOiVH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4868	vlsovttsv.exe
3052	vlsovttsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pttfvuxl = "C:\\Users\\Admin\\AppData\\Roaming\\eldmbwmuflaoex\\ejyilf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vlsovttsv.exe\" C:\\Users\\Admin\\AppData\\"	vlsovttsv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 3052	4868	vlsovttsv.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4868	vlsovttsv.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4868	916	sherack.exe	79
PID 916 wrote to memory of 4868	916	sherack.exe	79
PID 916 wrote to memory of 4868	916	sherack.exe	79
PID 4868 wrote to memory of 3052	4868	vlsovttsv.exe	80
PID 4868 wrote to memory of 3052	4868	vlsovttsv.exe	80
PID 4868 wrote to memory of 3052	4868	vlsovttsv.exe	80
PID 4868 wrote to memory of 3052	4868	vlsovttsv.exe	80

C:\Users\Admin\AppData\Local\Temp\sherack.exe
"C:\Users\Admin\AppData\Local\Temp\sherack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\vlsovttsv.exe
  "C:\Users\Admin\AppData\Local\Temp\vlsovttsv.exe" C:\Users\Admin\AppData\Local\Temp\obbqussgc.ppc
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\vlsovttsv.exe
    "C:\Users\Admin\AppData\Local\Temp\vlsovttsv.exe"
    3⤵
    - Executes dropped EXE
    PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kxptkiwes.x

Filesize
163KB

MD5
7dda37ab2886c281f7e51224d354c6eb

SHA1
03010604300bb3e79543c92a9126e863f3a9698b

SHA256
6ee6679d91d25a68ddcaaace5fee44620d96abf1da05c43f97dc5da5fc6079e6

SHA512
caa3aa4d599f6df26d3063cecb3e52724bff40934588fd906c2e3bcd29ef0ba65bf73216cbea8a8ba992c010d484e209906063bef4ca74b731373bb7785ba6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\obbqussgc.ppc

Filesize
7KB

MD5
0a1ab9c6854237c196d482b7a9d748ac

SHA1
27336130f95830a427eedb6620ff282259d5f7ed

SHA256
f08cab43b79c580cce9bc223114c8ca29df76b34a33eca37bd16fb2d41ff3a23

SHA512
f773a073c2a9ef274ed2e880db416b8c54eaf69baec3d1adfd616902f4b14c1cedcb9954c84d6ace7f8e28b180d80b587cfc5b6ab006c34325db22480d9d13f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlsovttsv.exe

Filesize
84KB

MD5
1e5bea7bfb68649a840510f3e9d3b49f

SHA1
41dc30e133ed7dd9b42964d709cce7e83bdcc864

SHA256
145d6eebc06c82f3ea8ab4201e4544d3227c5fd0a6f4cbd5ffe7afd74991665f

SHA512
a7375cc5a4586a790cd295b6f719d805922fac43004e1b826215f64493f99606a2f142c3915806979076b75ac9e10a079ceb2511bffe8a70380ac8966e040460

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlsovttsv.exe

Filesize
84KB

MD5
1e5bea7bfb68649a840510f3e9d3b49f

SHA1
41dc30e133ed7dd9b42964d709cce7e83bdcc864

SHA256
145d6eebc06c82f3ea8ab4201e4544d3227c5fd0a6f4cbd5ffe7afd74991665f

SHA512
a7375cc5a4586a790cd295b6f719d805922fac43004e1b826215f64493f99606a2f142c3915806979076b75ac9e10a079ceb2511bffe8a70380ac8966e040460

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlsovttsv.exe

Filesize
84KB

MD5
1e5bea7bfb68649a840510f3e9d3b49f

SHA1
41dc30e133ed7dd9b42964d709cce7e83bdcc864

SHA256
145d6eebc06c82f3ea8ab4201e4544d3227c5fd0a6f4cbd5ffe7afd74991665f

SHA512
a7375cc5a4586a790cd295b6f719d805922fac43004e1b826215f64493f99606a2f142c3915806979076b75ac9e10a079ceb2511bffe8a70380ac8966e040460

Download Submit
memory/3052-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3052-140-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download