Resubmissions

25-06-2021 19:07

210625-wj3es9fxde 10

24-06-2021 06:02

210624-78vvv4fkks 10

Analysis

  • max time kernel
    52s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-06-2021 06:02

General

  • Target

    SvHost-3.exe

  • Size

    1.3MB

  • MD5

    6d0cefa5b7f1744aa5dbc041c50b1709

  • SHA1

    023fe5cafe7f0b32bfaf1b3549785e4d36a13b63

  • SHA256

    c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019

  • SHA512

    fb3bef44b77d7d3b83c42f769236f2c7646f1642d07f3650199d6511a111b31cb917fdc9d776d0e4be5cffb374a162ce4cd09925463b94f9bf8be50501f66631

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Decrypt-info.txt

Ransom Note

All your files are encrypted due to security problem with your computer. You should pay money to recover your files. The price depends on how fast do you message us. You should contact us via this email address: BlackSpyro@tutanota.com if you didn't receive any reply, message our second email address: BlackSpyro@mailfence.com We guarantee that if you make payment, all your files will be recovered. You can send few example files. We recover them for you to prove that we can recover your files. Attention: Do not rename encrypted files. Do not try to decrypt your data using third-party software, it may cause permanent data loss. The decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

BlackSpyro@tutanota.com

BlackSpyro@mailfence.com

Signatures

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Drops file in Drivers directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 6 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe
    "C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops startup file
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSDTC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:552
        • C:\Windows\SysWOW64\net.exe
          net stop MSDTC
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1264
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSDTC
            5⤵
            PID:892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        PID:288
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
        3⤵
        PID:836
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
        3⤵
        PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\net.exe
          net stop SQLSERVERAGENT
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLSERVERAGENT
            5⤵
            PID:1368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\SysWOW64\net.exe
          net stop MSSQLSERVER
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQLSERVER
            5⤵
            PID:1688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop vds
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\SysWOW64\net.exe
          net stop vds
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1520
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop vds
            5⤵
            PID:1616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
        3⤵
        PID:1716
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set currentprofile state off
          4⤵
          PID:1760
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
        3⤵
        PID:396
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set opmode mode=disable
          4⤵
          PID:388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLWriter
        3⤵
        PID:1640
        • C:\Windows\SysWOW64\net.exe
          net stop SQLWriter
          4⤵
          PID:1684
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLWriter
            5⤵
            PID:1812
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLBrowser
        3⤵
        PID:1724
        • C:\Windows\SysWOW64\net.exe
          net stop SQLBrowser
          4⤵
          PID:528
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLBrowser
            5⤵
            PID:804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
        3⤵
        PID:1852
        • C:\Windows\SysWOW64\net.exe
          net stop MSSQLSERVER
          4⤵
          PID:1112
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQLSERVER
            5⤵
            PID:956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
        3⤵
        PID:1636
        • C:\Windows\SysWOW64\net.exe
          net stop MSSQL$CONTOSO1
          4⤵
          PID:1520
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQL$CONTOSO1
            5⤵
            PID:772
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Decrypt-info.txt
    1⤵
    PID:1608
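The tree above is the part of this run worth alerting on: the dropped "Windows Session Manager.exe" disables Windows RE auto-repair and hides boot failures with bcdedit, deletes the backup catalog with wbadmin, switches the firewall off through both the advfirewall and legacy netsh contexts, and stops MSDTC, VDS and every SQL Server service (including the named instance MSSQL$CONTOSO1) so that open handles cannot block encryption. Each service stop appears three times (cmd.exe, net.exe, net1.exe), and several PIDs (1640, 1724, 1852, 804, 772, 1520, 1812) are reused within the same run. The Python below is an added example, not part of the report or of the sandbox's own rules: it flags that chain in process-creation telemetry (Sysmon Event ID 1 style), keys the verdict on distinct techniques per process tree rather than on raw hit count, and tracks processes by a unique GUID rather than by PID. The events are constructed from the command lines and PIDs above; the `g-…` GUIDs, the parent links and the final benign event are invented, and the service list is an assumption to extend for your own estate.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Services the sample stops so that database / VDS handles cannot block
# encryption. Names come from the command lines in the tree above;
# MSSQL$<instance> names are matched by prefix in classify(). This list is an
# assumption, not a complete catalogue: extend it for your own estate.
TARGET_SERVICES = {"msdtc", "sqlserveragent", "mssqlserver", "vds",
                   "sqlwriter", "sqlbrowser"}

# (rule name, ATT&CK technique, pattern over a lower-cased, whitespace-normalised
# command line). Technique IDs are current ATT&CK, not the v6 matrix on this page.
RULES = [
    ("bcdedit disables Windows RE", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit hides boot failures", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin deletes backup catalog", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("netsh advfirewall profile off", "T1562.004",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
    ("netsh legacy firewall disable", "T1562.004",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b")),
]
NET_STOP = re.compile(r'\bnet1?(\.exe)?\s+stop\s+"?([^\s"]+)')


@dataclass(frozen=True)
class ProcEvent:
    guid: str         # unique per process instance (Sysmon ProcessGuid analogue);
    parent_guid: str  # PIDs 1640, 1724, 1852, 804, 772, 1520 and 1812 are each
    pid: int          # reused within this one run, so never key on pid alone
    image: str
    cmdline: str


def classify(cmdline):
    """Return (rule, technique) hits for one command line."""
    cl = " ".join(cmdline.lower().split())
    hits = [(name, tid) for name, tid, rx in RULES if rx.search(cl)]
    m = NET_STOP.search(cl)
    if m:
        svc = m.group(2)
        if svc in TARGET_SERVICES or svc.startswith("mssql$"):
            hits.append((f"net stop {svc}", "T1489"))
    return hits


def evaluate(events, min_techniques=2):
    """Attribute every hit to the top-most ancestor present in the telemetry and
    alert when one tree combines several distinct techniques. Counting distinct
    techniques rather than hits matters because cmd -> net -> net1 repeats every
    service stop three times."""
    by_guid = {e.guid: e for e in events}
    techniques, rules = defaultdict(set), defaultdict(set)
    for ev in events:
        hits = classify(ev.cmdline)
        if not hits:
            continue
        root = ev
        while root.parent_guid in by_guid:
            root = by_guid[root.parent_guid]
        for name, tid in hits:
            techniques[root.guid].add(tid)
            rules[root.guid].add(name)
    return {g: {"image": by_guid[g].image,
                "techniques": sorted(techniques[g]),
                "rules": sorted(rules[g]),
                "alert": len(techniques[g]) >= min_techniques}
            for g in techniques}


# Constructed from the tree above (GUIDs are invented; g-1640a / g-1640b show the
# PID reuse). The final event is unrelated admin activity and must not alert.
SAMPLE = [
    ProcEvent("g-572", "g-1036", 572,
              r"C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"'),
    ProcEvent("g-836", "g-572", 836, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no"),
    ProcEvent("g-288", "g-572", 288, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent("g-1640a", "g-572", 1640, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet"),
    ProcEvent("g-1716", "g-572", 1716, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off"),
    ProcEvent("g-1760", "g-1716", 1760, r"C:\Windows\SysWOW64\netsh.exe",
              r"netsh advfirewall set currentprofile state off"),
    ProcEvent("g-1640b", "g-572", 1640, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c net stop SQLWriter"),
    ProcEvent("g-1684", "g-1640b", 1684, r"C:\Windows\SysWOW64\net.exe", r"net stop SQLWriter"),
    ProcEvent("g-1812b", "g-1684", 1812, r"C:\Windows\SysWOW64\net1.exe",
              r"C:\Windows\system32\net1 stop SQLWriter"),
    ProcEvent("g-1636", "g-572", 1636, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1"),
    ProcEvent("g-9001", "g-9000", 9001, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c net stop Spooler"),
]

if __name__ == "__main__":
    for guid, verdict in evaluate(SAMPLE).items():
        print(guid, verdict)
```

Run stand-alone it reports one tree (rooted at the dropped executable, GUID g-572) with T1489, T1490 and T1562.004 and `alert: True`; the Spooler stop on the other tree produces no entry at all. In production the root would normally be the process that wrote the ransom note, so the same grouping also gives you the image to collect.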

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic              Technique                      ID     Count
  Persistence         Modify Existing Service        T1031  1
  Credential Access   Credentials in Files           T1081  1
  Discovery           System Information Discovery   T1082  1
  Collection          Data from Local System         T1005  1
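The matrix is the sandbox's mapping; on an affected host a responder first wants to know whether the bcdedit and netsh changes in the process tree actually took effect before attempting recovery. The Python below is an added example, not part of the report: it parses the text that `bcdedit /enum {default}` and `netsh advfirewall show currentprofile` print on the host (collect them with `cmd /c bcdedit /enum {default} > bcd.txt` and the netsh equivalent) and reports the two boot-loader settings the sample changes plus the firewall state. The sample output embedded below is constructed to mirror a Windows 7 host after those commands ran; it was not captured from this run. Two caveats: `netsh advfirewall set currentprofile state off` only touches the active profile, so check `netsh advfirewall show allprofiles` as well, and the deleted backup catalog is a separate check (`wbadmin get versions`).

```python
import re


def parse_kv(text):
    """bcdedit and netsh both print 'name<2+ spaces>value' rows; return them as
    a dict keyed by lower-cased name. Headings, rules of dashes and 'Ok.' have
    no such column gap and are skipped."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w ]*?)\s{2,}(\S.*?)\s*$", line)
        if m:
            rows[m.group(1).strip().lower()] = m.group(2)
    return rows


def triage(bcd_text, netsh_text):
    """Compare the host's current state with the values the sample sets."""
    bcd, fw = parse_kv(bcd_text), parse_kv(netsh_text)
    findings = []
    if bcd.get("recoveryenabled", "").lower() == "no":
        findings.append("recoveryenabled=No: Windows RE auto-repair disabled")
    if bcd.get("bootstatuspolicy", "").lower() == "ignoreallfailures":
        findings.append("bootstatuspolicy=IgnoreAllFailures: boot failures not surfaced")
    return {"recovery_findings": findings,
            "firewall_off": fw.get("state", "").upper() == "OFF"}


# Constructed sample output (not captured from the sandbox), modelled on what
# `bcdedit /enum {default}` and `netsh advfirewall show currentprofile` print
# after the commands in the process tree have run.
BCD_AFTER = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         No
osdevice                partition=C:
systemroot              \Windows
nx                      OptIn
bootstatuspolicy        IgnoreAllFailures
"""
NETSH_AFTER = r"""
Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
InboundUserNotification               Enable

Ok.
"""
# The same host before tampering: recovery on, no bootstatuspolicy override,
# firewall on. Derived from the constructed text above.
BCD_CLEAN = re.sub(r"bootstatuspolicy.*\n", "",
                   re.sub(r"(recoveryenabled\s+)No", r"\1Yes", BCD_AFTER))
NETSH_CLEAN = re.sub(r"(State\s+)OFF", r"\1ON", NETSH_AFTER)

if __name__ == "__main__":
    print(triage(BCD_AFTER, NETSH_AFTER))
    print(triage(BCD_CLEAN, NETSH_CLEAN))
```

Matching on the setting names rather than on column positions keeps the parser stable across the two tools; comparisons are case-insensitive because bcdedit echoes values in its own canonical casing regardless of how they were typed on the command line.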

                                                  Downloads

                                                  • C:\ProgramData\IDk.txt
                                                    MD5

                                                    d3635b8ba50ffabf323452131e233079

                                                    SHA1

                                                    fd20ffe361e5def412a71d4df0da9177f83899b7

                                                    SHA256

                                                    00d86384045c0d308702aa77bb8682c5132fb0ebb153e99018304dcf9f20c08e

                                                    SHA512

                                                    eb125bec66a99c317624da8e4a670705fe829ac6779f7b171bdb5a154a1c26ab6d3d87514e1f8376ed9d4bf792a78d36e9ad8dfd06e64c314bfb0076fe8ab665

                                                  • C:\ProgramData\pkey.txt
                                                    MD5

                                                    f8c45a865278e2ac3898f21f5c52dd63

                                                    SHA1

                                                    e90c0d87a1b5ff45951ad08fac09a12fbc9cc223

                                                    SHA256

                                                    75a4371f14c16dcbfc1724ee3d0e16503050b260e95a83138e34f22689ca0645

                                                    SHA512

                                                    5f09cb366e8433a504014fd201e4ef0558269f70c1aca5857a13e7fd4af578a7e5ec74a98a8fdd7ee0159e9e5d73dacba40b159eadd88188b131cc29f865e937

                                                  • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
                                                    MD5

                                                    000e2743bf3cb96cefc4be357765cec3

                                                    SHA1

                                                    62b9b6afc91e349c56ce967985eec229f7db82aa

                                                    SHA256

                                                    126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

                                                    SHA512

                                                    b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

                                                  • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
                                                    MD5

                                                    000e2743bf3cb96cefc4be357765cec3

                                                    SHA1

                                                    62b9b6afc91e349c56ce967985eec229f7db82aa

                                                    SHA256

                                                    126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

                                                    SHA512

                                                    b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

                                                  • C:\Users\Admin\Desktop\Decrypt-info.txt
                                                    MD5

                                                    8f354c539d510bed2647d3648fd8faaf

                                                    SHA1

                                                    905a22e60242511e35dfb257952a61e8f2b3f327

                                                    SHA256

                                                    2874f97a4b5b0c4ce7259a25b45f313090c22fcc0a6d274151e941e55356ae8c

                                                    SHA512

                                                    422e63bba5059e4df90b3f598dc29c945ffe023c0459b7ab1f7066407f905ce1d4cd4ddcd6eb9fbc969d150f904940664f8a35feff9c04613ca393e30a1c3399

                                                  • \Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
                                                    MD5

                                                    000e2743bf3cb96cefc4be357765cec3

                                                    SHA1

                                                    62b9b6afc91e349c56ce967985eec229f7db82aa

                                                    SHA256

                                                    126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

                                                    SHA512

                                                    b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

                                                  • \Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
                                                    MD5

                                                    000e2743bf3cb96cefc4be357765cec3

                                                    SHA1

                                                    62b9b6afc91e349c56ce967985eec229f7db82aa

                                                    SHA256

                                                    126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

                                                    SHA512

                                                    b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

                                                  • \Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
                                                    MD5

                                                    000e2743bf3cb96cefc4be357765cec3

                                                    SHA1

                                                    62b9b6afc91e349c56ce967985eec229f7db82aa

                                                    SHA256

                                                    126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3

                                                    SHA512

                                                    b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f

  • memory/288-69-0x0000000000000000-mapping.dmp
  • memory/388-85-0x0000000000000000-mapping.dmp
  • memory/396-84-0x0000000000000000-mapping.dmp
  • memory/528-91-0x0000000000000000-mapping.dmp
  • memory/552-66-0x0000000000000000-mapping.dmp
  • memory/572-63-0x0000000000000000-mapping.dmp
  • memory/772-98-0x0000000000000000-mapping.dmp
  • memory/772-78-0x0000000000000000-mapping.dmp
  • memory/804-76-0x0000000000000000-mapping.dmp
  • memory/804-92-0x0000000000000000-mapping.dmp
  • memory/836-70-0x0000000000000000-mapping.dmp
  • memory/892-68-0x0000000000000000-mapping.dmp
  • memory/956-95-0x0000000000000000-mapping.dmp
  • memory/1036-59-0x0000000075721000-0x0000000075723000-memory.dmp
    Filesize  8KB
  • memory/1112-94-0x0000000000000000-mapping.dmp
  • memory/1264-67-0x0000000000000000-mapping.dmp
  • memory/1368-74-0x0000000000000000-mapping.dmp
  • memory/1520-97-0x0000000000000000-mapping.dmp
  • memory/1520-79-0x0000000000000000-mapping.dmp
  • memory/1608-101-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
    Filesize  8KB
  • memory/1616-80-0x0000000000000000-mapping.dmp
  • memory/1636-96-0x0000000000000000-mapping.dmp
  • memory/1640-71-0x0000000000000000-mapping.dmp
  • memory/1640-87-0x0000000000000000-mapping.dmp
  • memory/1684-88-0x0000000000000000-mapping.dmp
  • memory/1688-77-0x0000000000000000-mapping.dmp
  • memory/1716-81-0x0000000000000000-mapping.dmp
  • memory/1724-90-0x0000000000000000-mapping.dmp
  • memory/1724-72-0x0000000000000000-mapping.dmp
  • memory/1760-82-0x0000000000000000-mapping.dmp
  • memory/1812-89-0x0000000000000000-mapping.dmp
  • memory/1812-73-0x0000000000000000-mapping.dmp
  • memory/1852-93-0x0000000000000000-mapping.dmp
  • memory/1852-75-0x0000000000000000-mapping.dmp