Analysis
-
max time kernel
13s -
max time network
116s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-06-2021 12:06
General
-
Target
mvs.exe
-
Size
476KB
-
MD5
faf25564825a05a4c01870cdc0535525
-
SHA1
54d7f92637e31e4c1aed0a58b690d7d99886c380
-
SHA256
82732e47492148243ee3fb338c93d43b9a9984f39e3409327600cffc5766af1b
-
SHA512
b44be2421a074ea986336b0c179a6d416c845ae44b4ca67d31594506bd79a3fdfa2907d7bcf7b3c46f1d942e0b057fbd8bce3a02bceb5bf91e1e70c30a57f0db
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\mvs.exe"C:\Users\Admin\AppData\Local\Temp\mvs.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\temp\a.exe"C:\windows\temp\a.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2773.tmp\a.bat" "C:\windows\temp\a.exe""3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo /fo list4⤵
- Gathers system information
-
-
C:\Windows\SysWOW64\find.exeFind /i "OS Name: "4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "OS Version: "4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "System Model:"4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "System Manufacturer: "4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "BIOS Version:"4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "Total Physical Memory: "4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "Time Zone:"4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "DHCP Server:"4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "Connection Name:"4⤵
-
-
C:\Windows\SysWOW64\find.exeFind /i "Original Install Date: "4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKLM\Hardware\Description\System\CentralProcessor\0 /v Identifier4⤵
- Checks processor information in registry
- Modifies registry key
-
-
C:\Windows\SysWOW64\find.exeFind /i "x86"4⤵
-
-
C:\Windows\SysWOW64\getmac.exegetmac /nh4⤵
-
-
C:\Windows\SysWOW64\reg.exeReg query "HKEY_CLASSES_ROOT\http\shell\open\command" /ve4⤵
-
-
C:\Windows\SysWOW64\findstr.exeFindstr /i "Program Files" c:\windows\temp\c.txt4⤵
-
-
C:\Windows\SysWOW64\reg.exeReg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v SVCversion4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v SVCversion4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeReg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v SVCversion5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox" /v CurrentVersion4⤵
-
C:\Windows\SysWOW64\reg.exeReg query "HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox" /v CurrentVersion5⤵
-
-
-
C:\Windows\SysWOW64\reg.exeReg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin" /v DisplayVersion4⤵
-
-
C:\Windows\SysWOW64\findstr.exeFindstr /i "REG_SZ" c:\windows\temp\123.txt4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\SOFTWARE\Adobe\Acrobat Reader"4⤵
-
-
C:\Windows\SysWOW64\reg.exeReg query "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in"4⤵
-
-
C:\Windows\SysWOW64\findstr.exeFindstr /i "1" c:\windows\temp\123.txt4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver "4⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "5\.1\."4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc query mpssvc | findstr /i "STATE"4⤵
-
C:\Windows\SysWOW64\sc.exesc query mpssvc5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "STATE"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc query mpssvc | findstr /i "installed"4⤵
-
C:\Windows\SysWOW64\sc.exesc query mpssvc5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "installed"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc query wuauserv | findstr /i "STATE"4⤵
-
C:\Windows\SysWOW64\sc.exesc query wuauserv5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "STATE"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc query wuauserv | findstr /i "installed"4⤵
-
C:\Windows\SysWOW64\sc.exesc query wuauserv5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "installed"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc query wscsvc | findstr /i "STATE"4⤵
-
C:\Windows\SysWOW64\sc.exesc query wscsvc5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "STATE"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc query wscsvc | findstr /i "installed"4⤵
-
C:\Windows\SysWOW64\sc.exesc query wscsvc5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "installed"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc query msiserver | findstr /i "STATE"4⤵
-
C:\Windows\SysWOW64\sc.exesc query msiserver5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "STATE"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc query msiserver | findstr /i "installed"4⤵
-
C:\Windows\SysWOW64\sc.exesc query msiserver5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "installed"5⤵
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\windows\temp\Report.txt4⤵
- Opens file in notepad (likely ransom note)
-
-
-