Overview

overview

7

Static

static

5

SUPPLIES LIST.....exe

windows7-x64

7

SUPPLIES LIST.....exe

windows10-2004-x64

7

Resubmissions

01-03-2023 23:22

230301-3c23asab6w 7

01-03-2023 23:20

230301-3bdnbaaf36 7

Analysis

  • max time kernel
    386s
  • max time network
    385s
  • platform
    windows7_x64
  • resource
    win7-20230220-it
  • resource tags

    arch:x64arch:x86image:win7-20230220-itlocale:it-itos:windows7-x64systemwindows
  • submitted
    01-03-2023 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SUPPLIES LIST.....exe

  • Size

    1.1MB

  • MD5

    e98902e8b25c5fd9b076085b4ec07425

  • SHA1

    da75f7df5c4dd88fa452857b27ad7608a1d960a7

  • SHA256

    fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

  • SHA512

    076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

  • SSDEEP

    24576:0RmJkcoQricOIQxiZY1iaDCksbOsMez/Y/Lmog1INgfM/:RJZoQrbTFZY1iaDYfAos

Score
7/10
persistence

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SUPPLIES LIST.....exe
    "C:\Users\Admin\AppData\Local\Temp\SUPPLIES LIST.....exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn VZOMCK.exe /tr C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe /sc minute /mo 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn VZOMCK.exe /tr C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe /sc minute /mo 1
        3⤵
        • Creates scheduled task(s)
        PID:636
    • C:\Windows\SysWOW64\WSCript.exe
      WSCript C:\Users\Admin\AppData\Local\Temp\VZOMCK.vbs
      2⤵
        PID:772
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {B6768B8E-0124-485E-BF4C-6A217567CDA3} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        2⤵
        • Executes dropped EXE
        PID:1012
      • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        2⤵
        • Executes dropped EXE
        PID:1060
      • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        2⤵
        • Executes dropped EXE
        PID:2032
      • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        2⤵
        • Executes dropped EXE
        PID:1984
      • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        2⤵
        • Executes dropped EXE
        PID:1708
      • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
        2⤵
        • Executes dropped EXE
        PID:320

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\VZOMCK.vbs
      Filesize

      854B

      MD5

      b8d0644b20114da7ae2a9e17ae0f85c4

      SHA1

      07be933f96b984cf73afd62574279231b2ae371f

      SHA256

      4facb94515c9c6f88d0998b190c5d99c68eaa30ddc6458ba102ddb59b890e832

      SHA512

      8140d588f844266bd7ee6043d4226f7e61861e0f0a73a5a7b252a3582a1833888036828a0041a671e4618c531978f43c168935248c4aa1d91d8ec0f7fc234f27

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
      Filesize

      1.1MB

      MD5

      e98902e8b25c5fd9b076085b4ec07425

      SHA1

      da75f7df5c4dd88fa452857b27ad7608a1d960a7

      SHA256

      fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

      SHA512

      076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
      Filesize

      1.1MB

      MD5

      e98902e8b25c5fd9b076085b4ec07425

      SHA1

      da75f7df5c4dd88fa452857b27ad7608a1d960a7

      SHA256

      fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

      SHA512

      076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
      Filesize

      1.1MB

      MD5

      e98902e8b25c5fd9b076085b4ec07425

      SHA1

      da75f7df5c4dd88fa452857b27ad7608a1d960a7

      SHA256

      fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

      SHA512

      076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
      Filesize

      1.1MB

      MD5

      e98902e8b25c5fd9b076085b4ec07425

      SHA1

      da75f7df5c4dd88fa452857b27ad7608a1d960a7

      SHA256

      fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

      SHA512

      076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
      Filesize

      1.1MB

      MD5

      e98902e8b25c5fd9b076085b4ec07425

      SHA1

      da75f7df5c4dd88fa452857b27ad7608a1d960a7

      SHA256

      fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

      SHA512

      076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
      Filesize

      1.1MB

      MD5

      e98902e8b25c5fd9b076085b4ec07425

      SHA1

      da75f7df5c4dd88fa452857b27ad7608a1d960a7

      SHA256

      fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

      SHA512

      076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe
      Filesize

      1.1MB

      MD5

      e98902e8b25c5fd9b076085b4ec07425

      SHA1

      da75f7df5c4dd88fa452857b27ad7608a1d960a7

      SHA256

      fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

      SHA512

      076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

      Download Submit