Resubmissions: 29/03/2023, 08:16
Analysis ID: 230329-j6fllsha8w
Score: 10/10
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2023, 08:16
Static task: static1
Behavioral task: behavioral1 (sample vbc.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample vbc.exe, resource win10v2004-20230220-en)
General
Target: vbc.exe
Size: 500KB
MD5: 4da41093eb4cce80c18d1e6a2391ba80
SHA1: c6e1338fb7c3ffc9d39d5362722110e8482216ea
SHA256: f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
SHA512: 43ea46aeeda700e7b7e1f1f3fdede845e8d5723204d854e5452f9af785a20a9a915e1d9e4f44162777f2e5f569eda06904548114667ae05a285a980cb426dcd3
SSDEEP: 6144:+Ya6HI+QksRbJpnYqzFNZDPln6PJWJIFwYdga6c4jLvw1SxhDUoj+Xxk1Zci2E6e:+Y1I+QkunY8LzlOWi2HjHw1k15FqvK
Malware Config
Extracted family: remcos
SixthClients (C2 host:port list):
  top.not2beabused01.xyz:1558
  sub.not2beabused02.xyz:1558
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: appsync.exe
copy_folder: Appsync
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: Appsync
keylog_path: %AppData%
mouse_option: false
mutex: Appsync-TYGH55
screenshot_crypt: false
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Appsync
take_screenshot_option: true
take_screenshot_time: 55
take_screenshot_title: mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;
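The extracted config above is only useful once its relative paths and flags are turned into things you can search for on a host or at the network edge. The script below does that for this report's values; it is an added example written for this page, not Triage's extractor and not Remcos code. It assumes the sandbox user's %AppData% expands to C:\Users\Admin\AppData\Roaming (the profile path that appears in the Run-key IoC below); substitute the real profile path when hunting elsewhere.

```python
"""Turn the Remcos configuration extracted above into concrete host and network IOCs.

Added example for this report, not Triage's code or Remcos's own. It assumes
the sandbox user's %AppData% expands to C:\\Users\\Admin\\AppData\\Roaming
(the profile path visible in the report's Run-key IoC).
"""
import ntpath  # Windows path joining that also works when run on Linux
import re

# The extracted config, copied from the report as "key value" lines. "SixthClients"
# is the report's label for the C2 host list that follows it.
REMCOS_CONFIG = """\
SixthClients
top.not2beabused01.xyz:1558
sub.not2beabused02.xyz:1558
audio_folder MicRecords
audio_path %AppData%
audio_record_time 5
connect_delay 0
connect_interval 1
copy_file appsync.exe
copy_folder Appsync
delete_file false
hide_file false
hide_keylog_file true
install_flag false
install_path %AppData%
keylog_crypt false
keylog_file logs.dat
keylog_flag false
keylog_folder Appsync
keylog_path %AppData%
mouse_option false
mutex Appsync-TYGH55
screenshot_crypt false
screenshot_flag true
screenshot_folder Screenshots
screenshot_path %AppData%
screenshot_time 10
startup_value Appsync
take_screenshot_option true
take_screenshot_time 55
take_screenshot_title mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;
"""

HOST_PORT = re.compile(r"^(?P<host>[^\s:]+):(?P<port>\d{1,5})$")


def _coerce(value: str):
    """Map the report's textual values onto Python types."""
    if value in ("true", "false"):
        return value == "true"
    if value.isdigit():
        return int(value)
    return value


def parse_remcos_config(text: str) -> dict:
    """Parse the key/value dump into a dict; host:port lines go into cfg['c2']."""
    cfg = {"c2": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:
            m = HOST_PORT.match(line)
            if m:  # a C2 endpoint
                cfg["c2"].append((m["host"], int(m["port"])))
            # otherwise a bare section label such as SixthClients: nothing to store
            continue
        key, value = parts
        cfg[key] = _coerce(value)
    return cfg


def derive_iocs(cfg: dict, appdata: str = r"C:\Users\Admin\AppData\Roaming") -> dict:
    """Expand the config's paths and flags into the artefacts a hunter would look for."""
    def expand(p: str) -> str:
        # lambda replacement so backslashes in `appdata` are not re-interpreted
        return re.sub(r"%appdata%", lambda _: appdata, p, flags=re.IGNORECASE)

    triggers = [t for t in cfg["take_screenshot_title"].split(";") if t]
    return {
        "c2": cfg["c2"],
        "mutex": cfg["mutex"],
        # Only written if install_flag is true; with install_flag false this sample
        # keeps running from where it was launched (the Temp paths in the process tree).
        "install_exe": ntpath.join(expand(cfg["install_path"]), cfg["copy_folder"], cfg["copy_file"]),
        "persistence_expected": bool(cfg["install_flag"]),
        "startup_value": cfg["startup_value"],
        "keylog_file": ntpath.join(expand(cfg["keylog_path"]), cfg["keylog_folder"], cfg["keylog_file"]),
        "keylogger_enabled": bool(cfg["keylog_flag"]),
        "screenshot_dir": ntpath.join(expand(cfg["screenshot_path"]), cfg["screenshot_folder"]),
        "screenshots_enabled": bool(cfg["screenshot_flag"]),
        "screenshot_interval_s": cfg["screenshot_time"],
        "screenshot_triggers": triggers,
        "audio_dir": ntpath.join(expand(cfg["audio_path"]), cfg["audio_folder"]),
    }


if __name__ == "__main__":
    for k, v in derive_iocs(parse_remcos_config(REMCOS_CONFIG)).items():
        print(f"{k:24} {v}")
```

Note the distinction the output makes between what the config enables and what the config merely names: install_flag and keylog_flag are both false, so the Appsync folder, appsync.exe and logs.dat are paths the payload is configured with but, as configured, is not expected to create, whereas screenshots are enabled and the C2 hosts and mutex apply regardless.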
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  1972  tqchnnl.exe
  860   tqchnnl.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  1992  vbc.exe
  1992  vbc.exe
  1972  tqchnnl.exe

Uses the VBS compiler for execution (1 TTP)
  This signature keys on the sample's file name, vbc.exe, which it shares with the Visual Basic compiler. Nothing in this run compiles anything: the process tree shows a loader that drops tqchnnl.exe and hands it a data file (smpprgdmyr.v).

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)
  \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\odsnqyon = "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" C:\\Users\\Admin\\AppData\\Local\\"
  Process: tqchnnl.exe
  The value name (odsnqyon) and the executable it launches (irsqhssjjf.exe under Roaming, with the tqchnnl.exe path as its argument) are not the startup_value/copy_file pair from the extracted config (Appsync/appsync.exe), and the config has install_flag set to false. This persistence belongs to the tqchnnl.exe loader stage, not to the Remcos payload's own install routine.

Suspicious use of SetThreadContext (1 IoC)
  PID   Process      set thread context of   Target process   procid_target
  1972  tqchnnl.exe  860                     tqchnnl.exe      27
  Together with the WriteProcessMemory rows from 1972 to 860 and the MapViewOfSection row for 1972, this is the process-hollowing pattern: tqchnnl.exe starts a second copy of itself (PID 860, launched without the .v argument), writes into it and redirects its thread before it runs. The injected copy (PID 860) is the process that shows the later signatures (GetForegroundWindowSpam, SetWindowsHookEx).

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (The second sentence is the sandbox's stock description for this signature; nothing else in this report points to encryption.)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  860   tqchnnl.exe
  Consistent with the config's take_screenshot_title list: the foreground window title is polled to decide when to capture.

Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  1972  tqchnnl.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  860   tqchnnl.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID   Process      wrote to memory of   Target process   procid_target   Count
  1992  vbc.exe      1972                 tqchnnl.exe      26              4
  1972  tqchnnl.exe  860                  tqchnnl.exe      27              5
Processes

- C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 1992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (PID 1972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (PID 860)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
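The signature tables and the process tree above carry the two behaviours worth turning into detections: a parent that both writes into a child and calls SetThreadContext on it (hollowing), and a Run value whose executable sits in a user-writable directory. The script below implements both checks over records shaped like this report's rows. It is an added example written for this page, not Triage's signature code; the process, API and registry records are constructed from the PIDs, images, command lines and table rows shown above, and a real deployment would feed it Sysmon or EDR telemetry instead.

```python
"""Detect the two behaviours Triage flagged above, process hollowing and Run-key
persistence, from process/API records shaped like the report's tables.

Added example, not Triage's signature code. The records below are constructed
from the PIDs, images, command lines and API rows in this report.
"""
import re

# Process tree from the report: pid -> image, parent pid, command line.
PROCESSES = {
    1992: {"image": "vbc.exe", "parent": None,
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\vbc.exe"'},
    1972: {"image": "tqchnnl.exe", "parent": 1992,
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" '
                      r'C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v'},
    860:  {"image": "tqchnnl.exe", "parent": 1972,
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe"'},
}

# (api, source pid, target pid) from the signature tables; repeated rows collapsed.
API_EVENTS = [
    ("WriteProcessMemory", 1992, 1972),
    ("WriteProcessMemory", 1972, 860),
    ("SetThreadContext", 1972, 860),
    ("MapViewOfSection", 1972, None),
    ("SetWindowsHookEx", 860, None),
]

# Registry write from the report, with the value string's escapes resolved.
RUN_KEY_WRITES = [{
    "pid": 1972,
    "key": r"\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run",
    "name": "odsnqyon",
    "value": "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe "
             "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" "
             "C:\\Users\\Admin\\AppData\\Local\\",
}]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmd: str) -> list:
    """Split a Windows command line on spaces, honouring double quotes. shlex is
    avoided on purpose: its POSIX mode treats the path backslashes as escapes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def find_process_hollowing(procs: dict, events: list) -> list:
    """A process that writes into another process AND redirects a thread there with
    SetThreadContext matches the hollowing pattern. WriteProcessMemory alone does
    not: a parent legitimately writes into a child it has just created, which is
    why the vbc.exe -> tqchnnl.exe rows are not flagged."""
    writes = {(s, t) for api, s, t in events if api == "WriteProcessMemory"}
    mapped = {s for api, s, _ in events if api == "MapViewOfSection"}
    findings = []
    for api, src, dst in events:
        if api != "SetThreadContext" or (src, dst) not in writes:
            continue
        findings.append({
            "rule": "process_hollowing",
            "source_pid": src, "target_pid": dst,
            "same_image": procs[src]["image"] == procs[dst]["image"],
            "target_is_child": procs[dst]["parent"] == src,
            "section_mapped_by_source": src in mapped,
        })
    return findings


def find_run_key_persistence(writes: list) -> list:
    """Flag Run values whose launched executable lives in a user-writable directory."""
    findings = []
    for w in writes:
        tokens = split_windows_cmdline(w["value"])
        exe, args = tokens[0], tokens[1:]
        if not any(m in exe.lower() for m in USER_WRITABLE):
            continue
        findings.append({
            "rule": "run_key_in_user_writable_path",
            "pid": w["pid"], "value_name": w["name"], "exe": exe, "args": args,
            "args_in_user_writable": [a for a in args if any(m in a.lower() for m in USER_WRITABLE)],
        })
    return findings


def analyse(procs=PROCESSES, events=API_EVENTS, reg=RUN_KEY_WRITES) -> list:
    return find_process_hollowing(procs, events) + find_run_key_persistence(reg)


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

The hollowing rule deliberately reports same_image and target_is_child as separate fields rather than requiring them: a loader hollowing a copy of itself, as here, is common, but the same API pair against an unrelated process (a freshly started system binary, say) is the variant to watch for, and the rule should fire on both.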
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files)

Filesize: 7KB
MD5: 8bba552e868d530af56dadd00d38ce78
SHA1: e8f76dd15c91b3c42d42ce83a06c299d900cedf6
SHA256: dd99bf95cbfb93c236cdfe239dddce5aa54f6355a50a7b2ed7606afd00958b9b
SHA512: ff8fe38ed26720865f57fa69a9dd3806109cb688ea22e38ff44ca05f6a7d95795705ac2ccff1e7eb964696a0a0843b370fe76c96373a580ef66ada63054ce35f

Filesize: 34KB (the same file is listed seven times in the report)
MD5: 78d3f22fed32bf75725573cf8df7d666
SHA1: 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256: 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512: bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

Filesize: 496KB
MD5: b8e0694c7d8f49c6bab7b2f38a068cc7
SHA1: b19f8174f08d3e844b5ae2e74cb6eb7a7e6f7923
SHA256: 6a0e2c58b2be31c768cd2dd0236ebef7d8ef9839c6398931f6f9b9a20b62dd4c
SHA512: ead2ee5aeec1a2df1d244b8b5502bc0e84e85c5024602fb9cc4e3b09f687e9af77c2427d6e59661319217306494d50ea77d623b18e586baebeecc7b72a05c14f

Filesize: 144B
MD5: fb8e60c78b1b14bc0f9d256734d6d229
SHA1: d0555bf1738d10ac8539dc8308638b5f20d66904
SHA256: 41796fabc840d864cd58ab913c80707db2f23b2e5a0315ed8bc21028bcf56d02
SHA512: 0808b5c5c4d2da274eac17ac67dc6f6f55f0f9f8cfa522eb1889fd640aa46f701a38b679ff1d14268556420bc86b2e6b9961ea95dfef28c5392c3c50e9f44461