Overview
overview
10Static
static
844ad0656ef...d0.dll
windows7_x64
644ad0656ef...d0.dll
windows10_x64
663e28585c6...1b.exe
windows7_x64
863e28585c6...1b.exe
windows10_x64
877d426d73e...f7.exe
windows7_x64
1077d426d73e...f7.exe
windows10_x64
107b79f71dab...a8.exe
windows7_x64
87b79f71dab...a8.exe
windows10_x64
895cff1b536...b3.exe
windows7_x64
1095cff1b536...b3.exe
windows10_x64
10c2ed23b08d...6c.exe
windows7_x64
8c2ed23b08d...6c.exe
windows10_x64
8d10a043f50...fd.exe
windows7_x64
10d10a043f50...fd.exe
windows10_x64
10e265a0c4cb...ed.exe
windows7_x64
7e265a0c4cb...ed.exe
windows10_x64
7Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
15-02-2021 04:40
Static task
static1
Behavioral task
behavioral1
Sample
44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
77d426d73e3aeef4eb5f1ccf5e3815f52af9c4d6b86d43cc5533548a0ab764f7.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
77d426d73e3aeef4eb5f1ccf5e3815f52af9c4d6b86d43cc5533548a0ab764f7.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
95cff1b536234f6cb1b3682bf4d88a3b4583710450652a9d928f67149f1208b3.exe
Resource
win7v20201028
Behavioral task
behavioral10
Sample
95cff1b536234f6cb1b3682bf4d88a3b4583710450652a9d928f67149f1208b3.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
d10a043f50b47c93c7bdd522d777d62b6034134605449465c2cd3e66958be4fd.exe
Resource
win7v20201028
Behavioral task
behavioral14
Sample
d10a043f50b47c93c7bdd522d777d62b6034134605449465c2cd3e66958be4fd.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
e265a0c4cb17501c0c96d3b9c996c27a6cb3479d20802c90ed9535d8e31075ed.exe
Resource
win7v20201028
Behavioral task
behavioral16
Sample
e265a0c4cb17501c0c96d3b9c996c27a6cb3479d20802c90ed9535d8e31075ed.exe
Resource
win10v20201028
General
-
Target
63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
scvhost.exepid process 3152 scvhost.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exescvhost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\⽈⾥⽈⾥⽄⽾⾶⽛⾢&^.url 63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\⽈⾥⽈⾥⽄⽾⾶⽛⾢&^.url scvhost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
scvhost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\d475eb18bfda817ecd99dc12d1e38849 = "\"C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe\" .." scvhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d475eb18bfda817ecd99dc12d1e38849 = "\"C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe\" .." scvhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
scvhost.exedescription pid process Token: SeDebugPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe Token: 33 3152 scvhost.exe Token: SeIncBasePriorityPrivilege 3152 scvhost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exescvhost.exedescription pid process target process PID 1064 wrote to memory of 3152 1064 63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe scvhost.exe PID 1064 wrote to memory of 3152 1064 63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe scvhost.exe PID 3152 wrote to memory of 1352 3152 scvhost.exe netsh.exe PID 3152 wrote to memory of 1352 3152 scvhost.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe"C:\Users\Admin\AppData\Local\Temp\63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\scvhost.exe"C:\Users\Admin\AppData\Roaming\scvhost.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\scvhost.exe" "scvhost.exe" ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\⽈⾥⽈⾥⽄⽾⾶⽛⾢&^.urlMD5
86fe3657b1ad4a471d3f33bf723cfdf7
SHA1a1f2373ec042f49e6b5ef393a6dcd630b9a2b347
SHA256a76aa95527f45e80abfe0540b79406a76adb097f8e71cfdd11c1bd0c5932c436
SHA512ae54e05980f4fffe7ff250b936835d9281a52f9c1a29f5c6ba2870a395cf7eed53ac1a5e280f177795b4827dd1452e9442365ecad41cd9ea104057105b651751
-
C:\Users\Admin\AppData\Roaming\scvhost.exeMD5
22b5a511813719a44ef83c069a6d6c1e
SHA159a596658a1377cdec3febf1748fc768613c4373
SHA25663e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b
SHA512844ca6027e2dc5b5ea2708c9fb25c40c4988c110099bbe1e5c998a7aa478f52114eb5ed58fc8e7623bb99abbcd681b9d0a4e5ab10384eac7a8a2ae204e3242a0
-
C:\Users\Admin\AppData\Roaming\scvhost.exeMD5
22b5a511813719a44ef83c069a6d6c1e
SHA159a596658a1377cdec3febf1748fc768613c4373
SHA25663e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b
SHA512844ca6027e2dc5b5ea2708c9fb25c40c4988c110099bbe1e5c998a7aa478f52114eb5ed58fc8e7623bb99abbcd681b9d0a4e5ab10384eac7a8a2ae204e3242a0
-
C:\Users\Admin\AppData\Roaming\⽈⾥⽈⾥⽄⽾⾶⽛⾢&^.exeMD5
22b5a511813719a44ef83c069a6d6c1e
SHA159a596658a1377cdec3febf1748fc768613c4373
SHA25663e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b
SHA512844ca6027e2dc5b5ea2708c9fb25c40c4988c110099bbe1e5c998a7aa478f52114eb5ed58fc8e7623bb99abbcd681b9d0a4e5ab10384eac7a8a2ae204e3242a0
-
memory/1064-2-0x00007FF9448C0000-0x00007FF9452AC000-memory.dmpFilesize
9.9MB
-
memory/1064-3-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/1064-5-0x0000000001590000-0x0000000001598000-memory.dmpFilesize
32KB
-
memory/1064-6-0x00000000015D0000-0x00000000015D2000-memory.dmpFilesize
8KB
-
memory/1352-17-0x0000000000000000-mapping.dmp
-
memory/3152-7-0x0000000000000000-mapping.dmp
-
memory/3152-10-0x00007FF9448C0000-0x00007FF9452AC000-memory.dmpFilesize
9.9MB
-
memory/3152-16-0x000000001B4F0000-0x000000001B4F2000-memory.dmpFilesize
8KB