Overview
overview
10Static
static
10malware/EinTT.exe
windows7-x64
10malware/EinTT.exe
windows10-2004-x64
10malware/fox.exe
windows7-x64
3malware/fox.exe
windows10-2004-x64
3malware/guJPO.exe
windows7-x64
10malware/guJPO.exe
windows10-2004-x64
10malware/loader1.exe
windows7-x64
10malware/loader1.exe
windows10-2004-x64
7dnjdbaa.exe
windows7-x64
3dnjdbaa.exe
windows10-2004-x64
3malware/regasm.exe
windows7-x64
10malware/regasm.exe
windows10-2004-x64
10malware/vbc.exe
windows7-x64
10malware/vbc.exe
windows10-2004-x64
7rywcikv.exe
windows7-x64
3rywcikv.exe
windows10-2004-x64
3malware/vbc1.exe
windows7-x64
10malware/vbc1.exe
windows10-2004-x64
7eblupydfzx.exe
windows7-x64
3eblupydfzx.exe
windows10-2004-x64
3malware/vbc2.exe
windows7-x64
10malware/vbc2.exe
windows10-2004-x64
7ioatgumevw.exe
windows7-x64
3ioatgumevw.exe
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 20:32
Behavioral task
behavioral1
Sample
malware/EinTT.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
malware/EinTT.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
malware/fox.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
malware/fox.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
malware/guJPO.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
malware/guJPO.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
malware/loader1.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
malware/loader1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
dnjdbaa.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
dnjdbaa.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
malware/regasm.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
malware/regasm.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
malware/vbc.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
malware/vbc.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
rywcikv.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
rywcikv.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
malware/vbc1.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
malware/vbc1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
eblupydfzx.exe
Resource
win7-20241023-en
Behavioral task
behavioral20
Sample
eblupydfzx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
malware/vbc2.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
malware/vbc2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
ioatgumevw.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
ioatgumevw.exe
Resource
win10v2004-20241007-en
General
-
Target
malware/vbc2.exe
-
Size
265KB
-
MD5
aad8885345c5d145c8cb22292332fb38
-
SHA1
b7c01db77c5cd491bee82e125d4783175a1f73b7
-
SHA256
0007c9f7203e80c87042d5b4ae3208bf3adf66657c65e02ef6136c5b18ee3bcb
-
SHA512
70bd8402767b7c7ca1fce5f737e5fff44dda0ebf5a81f1465589dfe5179bc17d82009f771157d2003bf22f7d5582f90330f1159d9d464c90dceeff503e568f09
-
SSDEEP
6144:HNeZmORhwi08GOs8RuAR3F7saaLIcscJY6pYQsFle2ujpLiFAD:HNlchakNRJKTsN6pYbFlgt7D
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1808 ioatgumevw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4768 1808 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ioatgumevw.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4648 wrote to memory of 1808 4648 vbc2.exe 82 PID 4648 wrote to memory of 1808 4648 vbc2.exe 82 PID 4648 wrote to memory of 1808 4648 vbc2.exe 82 PID 1808 wrote to memory of 396 1808 ioatgumevw.exe 83 PID 1808 wrote to memory of 396 1808 ioatgumevw.exe 83 PID 1808 wrote to memory of 396 1808 ioatgumevw.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\malware\vbc2.exe"C:\Users\Admin\AppData\Local\Temp\malware\vbc2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exeC:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe C:\Users\Admin\AppData\Local\Temp\kghzkpgyin2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exeC:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe C:\Users\Admin\AppData\Local\Temp\kghzkpgyin3⤵PID:396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 5243⤵
- Program crash
PID:4768
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1808 -ip 18081⤵PID:4924
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
284KB
MD5c0fcdf6c83060610bfd06a232dbce163
SHA1aeaa28e293eba2347e1a29608cb41f4646cd92f6
SHA2569f8d2ff465ce5caba6ade5e7dbfd5a349980ccaf780412aaa8e2685ba88bb31f
SHA512d2ab68ee32efb8c1c5614e7d8a47728f097e8f7a30ede3c5c5d805ba2c20ed7bbd8cb5242c12de852b23fb5d52ded82058fb1cbbc211bfe027b3b4aad352b78b
-
Filesize
4KB
MD5f88371b8ec4dc631943fe54a227707dc
SHA1a127b7a645f9468105a31109a3572960004a7316
SHA2566ea31176202a06bbfd787b91c64c8ac55cd8e2c817e37d556576133334a3614b
SHA512b4d04bf47e643845e97da626f62dcd5ac3611508300769bb2840fbde88ecbc2229cadd0ef3b2b50ab36042e9e31c71211e4d335871f15840ec5aa3bd5244c1ef
-
Filesize
5KB
MD5cbac7f599beb8247e95dd1ba7a84636e
SHA1cc8fec2fba79fa494d8fb41dc1fea3d8a18343f2
SHA256cbb92fe48e868dd2bf0138d48faa7e6573340928d5e253ed93599aa357a2d0e3
SHA5125494afa3bd99f09574420e535e8b584bf21a56d3e4cea58668a2efa5ba623cc7f971a3dd6f905737b9ab30d6af0bc50bc7e6f2aef7f9e5086cdf3808b9ca1a35