Overview
overview
10Static
static
10malware/EinTT.exe
windows7-x64
10malware/EinTT.exe
windows10-2004-x64
10malware/fox.exe
windows7-x64
3malware/fox.exe
windows10-2004-x64
3malware/guJPO.exe
windows7-x64
10malware/guJPO.exe
windows10-2004-x64
10malware/loader1.exe
windows7-x64
10malware/loader1.exe
windows10-2004-x64
7dnjdbaa.exe
windows7-x64
3dnjdbaa.exe
windows10-2004-x64
3malware/regasm.exe
windows7-x64
10malware/regasm.exe
windows10-2004-x64
10malware/vbc.exe
windows7-x64
10malware/vbc.exe
windows10-2004-x64
7rywcikv.exe
windows7-x64
3rywcikv.exe
windows10-2004-x64
3malware/vbc1.exe
windows7-x64
10malware/vbc1.exe
windows10-2004-x64
7eblupydfzx.exe
windows7-x64
3eblupydfzx.exe
windows10-2004-x64
3malware/vbc2.exe
windows7-x64
10malware/vbc2.exe
windows10-2004-x64
7ioatgumevw.exe
windows7-x64
3ioatgumevw.exe
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 20:32
Behavioral task
behavioral1
Sample
malware/EinTT.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
malware/EinTT.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
malware/fox.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
malware/fox.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
malware/guJPO.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
malware/guJPO.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
malware/loader1.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
malware/loader1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
dnjdbaa.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
dnjdbaa.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
malware/regasm.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
malware/regasm.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
malware/vbc.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
malware/vbc.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
rywcikv.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
rywcikv.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
malware/vbc1.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
malware/vbc1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
eblupydfzx.exe
Resource
win7-20241023-en
Behavioral task
behavioral20
Sample
eblupydfzx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
malware/vbc2.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
malware/vbc2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
ioatgumevw.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
ioatgumevw.exe
Resource
win10v2004-20241007-en
General
-
Target
malware/vbc.exe
-
Size
231KB
-
MD5
72b2e84c1aec86b5c955ff098d7fd8b7
-
SHA1
20f9c563206eff907cfad0723988de58872bc93e
-
SHA256
1b26f49cdc29c81ea4d8f5571349e835662bca7881608dce0d13e86798dd9ac4
-
SHA512
e5d062f0b105332ffa06f3e13c5ecc0dd66fc58bb631f31bd85b4a60f138ff2e127550eec6dbd47cb644ea2def1aa1fcb473a4db2c36752946798998e2adadaa
-
SSDEEP
6144:HNeZmGsX4gDALdTQQNUofXRkvlNEH/T2UfL:HNlGsXP0+QNUoINeq6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4132 rywcikv.exe -
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1856 4132 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rywcikv.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 5060 wrote to memory of 4132 5060 vbc.exe 83 PID 5060 wrote to memory of 4132 5060 vbc.exe 83 PID 5060 wrote to memory of 4132 5060 vbc.exe 83 PID 4132 wrote to memory of 2132 4132 rywcikv.exe 84 PID 4132 wrote to memory of 2132 4132 rywcikv.exe 84 PID 4132 wrote to memory of 2132 4132 rywcikv.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\malware\vbc.exe"C:\Users\Admin\AppData\Local\Temp\malware\vbc.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\rywcikv.exeC:\Users\Admin\AppData\Local\Temp\rywcikv.exe C:\Users\Admin\AppData\Local\Temp\tmogtpc2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\rywcikv.exeC:\Users\Admin\AppData\Local\Temp\rywcikv.exe C:\Users\Admin\AppData\Local\Temp\tmogtpc3⤵PID:2132
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 5283⤵
- Program crash
PID:1856
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4132 -ip 41321⤵PID:2324
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
211KB
MD521f599b33d9f3a8ca3d08426d239734e
SHA15f210888f57e03d5b888487b3b8e0317c8d0541d
SHA2563e9b6fdc2ef03d3ce4153f7afbb72ecec4ff6d7d0a01f2953b0288e479421adf
SHA51224cc265cceb2ea7bd40c9be85fb788b4a3b5bf5300fc6507aac00097124c574ba2afb028f0485312575a92f3de70c25abeac4f879f833201997b1382ce3177ad
-
Filesize
4KB
MD51c8099bf75f0b18987ddfdde63e52d60
SHA1d613404fd561ed3bcb44d1d9e949dc08bb7950ca
SHA256d16719d16c1da558db23766d79a44613e3ca6519d2fc81a167b62d8e39ede0e3
SHA5127bd7df1775ad0cf9d6be44019104ddde47180da262aabb1c900aa36727c73343c9f33a0e72f5bd119dba4f9937117faac47d0d2dddf1876da1ffb0f4136623c9
-
Filesize
4KB
MD5a21c8cb7478d2c976f0e54115bcabad4
SHA1e7474a6503e7d6720745264585ec2211d6ea0971
SHA2569da18fd1aec201c5ea38fb6bccd95dfd0067b62703b002f00442edcd800e6c10
SHA5120dd849ca1233fb31cbbb8c3ebcca56be9f37b74fe5af1a83bb2b33cf45d62adcee23e9caed0231b30da5e868d35395e2b399697404c9ddb06371e5ba9f2467f2