Overview

overview

10

Static

static

8

44ad0656ef...d0.dll

windows7_x64

6

44ad0656ef...d0.dll

windows10_x64

6

63e28585c6...1b.exe

windows7_x64

8

63e28585c6...1b.exe

windows10_x64

8

77d426d73e...f7.exe

windows7_x64

10

77d426d73e...f7.exe

windows10_x64

10

7b79f71dab...a8.exe

windows7_x64

8

7b79f71dab...a8.exe

windows10_x64

8

95cff1b536...b3.exe

windows7_x64

10

95cff1b536...b3.exe

windows10_x64

10

c2ed23b08d...6c.exe

windows7_x64

8

c2ed23b08d...6c.exe

windows10_x64

8

d10a043f50...fd.exe

windows7_x64

10

d10a043f50...fd.exe

windows10_x64

10

e265a0c4cb...ed.exe

windows7_x64

7

e265a0c4cb...ed.exe

windows10_x64

7

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-02-2021 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe
    "C:\Users\Admin\AppData\Local\Temp\63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Roaming\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\scvhost.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3152
      • C:\Windows\SYSTEM32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\scvhost.exe" "scvhost.exe" ENABLE
        3⤵
          PID:1352

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\⽈⾥⽈⾥⽄⽾⾶⽛⾢&^.url
      MD5

      86fe3657b1ad4a471d3f33bf723cfdf7

      SHA1

      a1f2373ec042f49e6b5ef393a6dcd630b9a2b347

      SHA256

      a76aa95527f45e80abfe0540b79406a76adb097f8e71cfdd11c1bd0c5932c436

      SHA512

      ae54e05980f4fffe7ff250b936835d9281a52f9c1a29f5c6ba2870a395cf7eed53ac1a5e280f177795b4827dd1452e9442365ecad41cd9ea104057105b651751

      Download Submit
    • C:\Users\Admin\AppData\Roaming\scvhost.exe
      MD5

      22b5a511813719a44ef83c069a6d6c1e

      SHA1

      59a596658a1377cdec3febf1748fc768613c4373

      SHA256

      63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b

      SHA512

      844ca6027e2dc5b5ea2708c9fb25c40c4988c110099bbe1e5c998a7aa478f52114eb5ed58fc8e7623bb99abbcd681b9d0a4e5ab10384eac7a8a2ae204e3242a0

      Download Submit
    • C:\Users\Admin\AppData\Roaming\scvhost.exe
      MD5

      22b5a511813719a44ef83c069a6d6c1e

      SHA1

      59a596658a1377cdec3febf1748fc768613c4373

      SHA256

      63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b

      SHA512

      844ca6027e2dc5b5ea2708c9fb25c40c4988c110099bbe1e5c998a7aa478f52114eb5ed58fc8e7623bb99abbcd681b9d0a4e5ab10384eac7a8a2ae204e3242a0

      Download Submit
    • C:\Users\Admin\AppData\Roaming\⽈⾥⽈⾥⽄⽾⾶⽛⾢&^.exe
      MD5

      22b5a511813719a44ef83c069a6d6c1e

      SHA1

      59a596658a1377cdec3febf1748fc768613c4373

      SHA256

      63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b

      SHA512

      844ca6027e2dc5b5ea2708c9fb25c40c4988c110099bbe1e5c998a7aa478f52114eb5ed58fc8e7623bb99abbcd681b9d0a4e5ab10384eac7a8a2ae204e3242a0

      Download Submit
    • memory/1064-2-0x00007FF9448C0000-0x00007FF9452AC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1064-3-0x0000000000F70000-0x0000000000F71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1064-5-0x0000000001590000-0x0000000001598000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1064-6-0x00000000015D0000-0x00000000015D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1352-17-0x0000000000000000-mapping.dmp
      Download
    • memory/3152-7-0x0000000000000000-mapping.dmp
      Download
    • memory/3152-10-0x00007FF9448C0000-0x00007FF9452AC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/3152-16-0x000000001B4F0000-0x000000001B4F2000-memory.dmp
      Filesize

      8KB

      Download