Resubmissions

22-08-2024 18:43

240822-xc563asamh 10

21-08-2024 17:16

240821-vtjnaathnq 10

30-06-2024 00:59

240630-bcjr6svbkk 10

20-06-2024 02:02

240620-cf43ysxbnk 10

20-06-2024 01:44

240620-b5v1xawemk 10

19-06-2024 01:10

240619-bjmseavfmp 10

18-06-2024 20:40

240618-zfwsxawdpa 10

18-06-2024 13:45

240618-q2vcjawdle 10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-06-2024 01:44

General

  • Target

    Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

  • Size

    370KB

  • MD5

    2aea3b217e6a3d08ef684594192cafc8

  • SHA1

    3a0b855dd052b2cdc6453f6cbdb858c7b55762b0

  • SHA256

    0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

  • SHA512

    ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a

  • SSDEEP

    6144:oRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYlG8+rNfNQFoQGt485VY:uDRbXFHW1+K2UWBGIymY/+rheFOv

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Vipasana\Ransomware.Vipasana\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Vipasana\Ransomware.Vipasana\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
      "C:\Users\Admin\AppData\Local\Temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEQVG.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\chcp.com
          chcp 1251
          4⤵
            PID:4080
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1292,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
      1⤵
        PID:5084

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

        Filesize

        3.4MB

        MD5

        e0a859c9ca126a66647258039576eccf

        SHA1

        eb4a9f2e0a1bb45ffcb9577f5a7b0c33e3b1622b

        SHA256

        223460e852726e0df7fa945df100d06d67fbbd737b0edb350c7ca4b21c1ed0c7

        SHA512

        a4346917bb79024c0b605537c741722ea479afa74584cc363600cd9a421cb05d3d62d015f8bc7a832d535f43501e6755b2e1876582b9f469b623ac82ef36cf2a

      • C:\Users\Admin\AppData\Local\Temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

        Filesize

        370KB

        MD5

        2aea3b217e6a3d08ef684594192cafc8

        SHA1

        3a0b855dd052b2cdc6453f6cbdb858c7b55762b0

        SHA256

        0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

        SHA512

        ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a

      • C:\Users\Admin\AppData\Local\Temp\IEQVG.bat

        Filesize

        309B

        MD5

        e5e246fbb80355980bc2f0c34393c179

        SHA1

        cef891029fbe3a908474ec382bb81b229a6ee719

        SHA256

        cc7ee23a53c67d7fe314b1fd5a0358ef644484b459ade78161ee4880b0f1b984

        SHA512

        e4eb9fa862badc94eaaf2bb26dac880e161ad67fa91befc692f580a6e88350ec30fbb733dac2275ffaacf44c2b0c78679d181823d5a17386b284bac831516028

      • memory/1428-30-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

      • memory/1428-805-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

      • memory/1428-1094-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

      • memory/1428-1702-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

      • memory/1428-2076-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

      • memory/1428-2101-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

      • memory/1428-2114-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

      • memory/1428-2126-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

      • memory/1632-8-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB