Analysis

  • max time kernel
    1184s
  • max time network
    1121s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-07-2021 19:29

General

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs
  • Drops desktop.ini file(s) 8 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; in this run the related "Enumerates connected drives" signature fires only for wmplayer.exe (PID 1916), which is rebuilding the Windows Media Player library after unregmp2.exe /CreateMediaLibrary, so drive enumeration on its own is a weak indicator here. The wscript.exe launch on the downloaded .mp3 in the process tree is the behaviour worth pursuing.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://serv.autovoip1008.online/[email protected]
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:516
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\voicemail_2020_816475_review_voicemail_2021_8009648_098.mp3"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1188
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x564
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2012
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
          4⤵
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Modifies registry class
          PID:880
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /PerformIndivIfNeeded /REENTRANT
          4⤵
          PID:1104
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Downloads\voicemail_2020_816475_review_voicemail_2021_8009648_098.mp3
        3⤵
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1916
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\voicemail_2020_816475_review_voicemail_2021_8009648_098.mp3
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\voicemail_2020_816475_review_voicemail_2021_8009648_098.mp3"
      2⤵
      PID:2820
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\voicemail_2020_816475_review_voicemail_2021_8009648_098.mp3
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:2900
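The process tree shows the downloaded .mp3 being opened by VLC and Windows Media Player and then handed to wscript.exe through the shell's Open With dialog (rundll32.exe shell32.dll,OpenAs_RunDLL). A script host invoked on a file carrying a media extension is the event worth alerting on. The Python below is an added example, not part of the sandbox report or any vendor tooling: it evaluates constructed Sysmon-style process-creation events (the field names ProcessId, Image, CommandLine and ParentCommandLine, the script-host list and the decoy-extension list are assumptions) and flags script hosts that were given a media-type argument or that were chosen as a handler via Open With.

```python
import re
from pathlib import PureWindowsPath

# Script interpreters that should never be handed a media file (assumed list)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Extensions a lure file is likely to borrow (assumed list)
DECOY_EXTENSIONS = {".mp3", ".wav", ".m4a", ".mp4", ".pdf", ".jpg", ".png"}

# Quoted token or bare token, in order of appearance
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def decoy_arguments(cmdline):
    """Arguments after argv[0] whose extension belongs to a media/document type."""
    return [a for a in split_cmdline(cmdline)[1:]
            if PureWindowsPath(a).suffix.lower() in DECOY_EXTENSIONS]


def evaluate(event):
    """Return the list of findings (strings) for one process-creation event."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in SCRIPT_HOSTS:
        return []
    findings = []
    targets = decoy_arguments(event["CommandLine"])
    if targets:
        names = ", ".join(PureWindowsPath(t).name for t in targets)
        findings.append(f"{image} invoked on media-named file(s): {names}")
    # rundll32 shell32.dll,OpenAs_RunDLL is the "Open with" dialog; a script host
    # picked there for a non-script file is a user-emulation or social-engineering path
    if "openas_rundll" in event.get("ParentCommandLine", "").lower():
        findings.append(f"{image} selected as handler via the Open With dialog")
    return findings


def scan(events):
    """Run evaluate() over all events; returns (pid, finding) pairs."""
    return [(e["ProcessId"], f) for e in events for f in evaluate(e)]


# Constructed events mirroring the report's process tree (Sysmon Event ID 1 field names assumed;
# the VLC parent is a guess, the report does not record it)
MP3 = r"C:\Users\Admin\Downloads\voicemail_2020_816475_review_voicemail_2021_8009648_098.mp3"
SAMPLE_EVENTS = [
    {"ProcessId": 1188,
     "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "CommandLine": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%s"' % MP3,
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"ProcessId": 2820,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "%s"' % MP3,
     "ParentCommandLine": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL ' + MP3},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

Only the wscript.exe event (PID 2820) produces findings, one for each rule; VLC opening the same file is ignored because it is not a script host. The quote-aware splitter matters here: the path contains no spaces, but "C:\Program Files\..." arguments do, and a naive split would never see the .mp3 suffix as its own token.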

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

        MD5

        876fb27c5b221f7006367a89360e17ca

        SHA1

        76a822f4caec5eb16a7ba4f02e985dfa31d71f69

        SHA256

        8980deba046fd5ed16f0ccf1dca5a0bcb749e2a15eb512ae0802b3883281d9a0

        SHA512

        feab3621dd2c15f18e4ed2f116e98a6f12e51a71d9b0a9abcbdcdf2d3bfe305ce442dbdbdfdc43d688d7ab692ba6763ed10325ecb00c9455bbc205dead77b3a3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        MD5

        2902de11e30dcc620b184e3bb0f0c1cb

        SHA1

        5d11d14a2558801a2688dc2d6dfad39ac294f222

        SHA256

        e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

        SHA512

        efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        MD5

        6868b06d3b64b657181a5ed9f854abd6

        SHA1

        ab197646f1b489ca9bc36480e91b229ba6faa09d

        SHA256

        c2deb702cd2ef854eebcaec6fad452703b17a5f3a367667e5c97bb5ea35a9f7b

        SHA512

        ee85b9a94836489d6d0c12d41b6e1e1810e2ad91275ef7d9f5de072cf35056e6bf448c58c45271bf0979e46f9821930d0df4b7cfe09a79d961b05b712e50d75a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        MD5

        f16fe3987a80d692b27d83d6e040692b

        SHA1

        cb5de7094e7da6b550e25d1062c557c871525e86

        SHA256

        f0ec73b27786c5257783af8396398bd2972d2997ece27d9e225e6646361c56d9

        SHA512

        1d2b92f48caba5034f726dd5d8d4661cbb71403cf3c9aafb557ac585384169d72fbc796393e03c7bb97b6dea0d61423ba3150de4cd253bd1ca21d017f364e87b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

        MD5

        9015654b045eac43566037c7d968527f

        SHA1

        a03aa870cb4c98272b9f8bbe5899d902a8eac6ed

        SHA256

        49e394ea41a1d2be75b45a22ddb325426010ab111b9869ccd24d9c9392b934c0

        SHA512

        fc905a0962b9d6145ab2cfafbcf32c645e074ab6a5f7cb236fabff4d0164562e448ad00d33aeaa4583ad7fb034f96bd4f29faf4b3fa2a99e500afb9cd22269e6

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bq3gxmw\imagestore.dat

        MD5

        9a2c6c21f3e53129c90d1b7d5a3a8b6f

        SHA1

        6bf93e3dcb19b9fec54bf781d4095a67a9fa774e

        SHA256

        135d8589e21ff271bad1dc46b6157b779f1284ff435485c922d0bee12b258118

        SHA512

        334679f482002fcd4ed6fc16bf7c073f40f5dff57edd084f94cef0af966850b1c2cded81e2f527422e979f4151f043dec25ea8f150b3f09548d4516b85f1e1a9

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb

        MD5

        a7970730fe3d463e1e8d28b7c6dca516

        SHA1

        3ef4716637a4fd1018e2de1dfc0d6b4e2cba8f9a

        SHA256

        21fca09d25356fe8435d56cec9116eedc83dffc473dc1ce724e84c93347133e2

        SHA512

        637daca231fd85ca5335871fd85a4ff4a0869f304c2237109daf1a1ae49926507239d2b1697a181496ce10864dd618bf1bc70f286e7b8eedd393e2a50b79c690

      • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

        MD5

        acb33ea5fe6c44760a991a3c06e5cc78

        SHA1

        ce109d1b670ee585c9dc6002f8fc4bb999af3a8f

        SHA256

        4dc8c3628b529169cca9273de1cfa74f17592056c710c1542c1a1b6b82941c83

        SHA512

        fcff39b1187e969b4c0dbc25a95c477ca47c7ce98753ae550d22e4777b44e682c8602a421471a25057341c17a22cc038cc22914b4a9e4867b342d1bdc9f10cca

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UTGVKOXH.txt

        MD5

        ceb2a2bfda4df838b927efd1360c5f99

        SHA1

        36ee31513ed447934a7cd9822cd60bffd511355a

        SHA256

        3cb6ee5349fe8d6a547ff57297646baa9c074e7c71953d11d5ce0b1ee303a84f

        SHA512

        437606e7154a9f26cd1710911b8dd1dd81b76add8ed652b27b503581e95f89142fe173e20936d4f84ad487b75cb7a2bfb1c6f98689958775498740b1ba1fbc51

      • C:\Users\Admin\Downloads\voicemail_2020_816475_review_voicemail_2021_8009648_098.mp3.lxm5s4c.partial

        MD5

        bfa5569af636dd2a285baf1ea328839f

        SHA1

        863a56e768d4aae943ad2160d1dc3fdf79cdbb45

        SHA256

        c430cd4cf593126c9432d146e67df8104e4ea197ec8deeaaae5245d567e873a4

        SHA512

        67434098f78fcc8694c9a587e8c9b788bab6e043a56dd265bc428a59a20d64c4036f881b7dc05d88d76d6585a8e73d4c2cf3ab18d06a6464d44b16e21397cb77

      • memory/296-70-0x0000000000000000-mapping.dmp

      • memory/516-59-0x0000000000000000-mapping.dmp

      • memory/580-69-0x00000000760B1000-0x00000000760B3000-memory.dmp

        Filesize

        8KB

      • memory/796-75-0x0000000000000000-mapping.dmp

      • memory/820-72-0x0000000000000000-mapping.dmp

      • memory/880-81-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

        Filesize

        8KB

      • memory/880-74-0x0000000000000000-mapping.dmp

      • memory/1104-83-0x000007FEF1180000-0x000007FEF1251000-memory.dmp

        Filesize

        836KB

      • memory/1104-77-0x0000000000000000-mapping.dmp

      • memory/1916-78-0x0000000000000000-mapping.dmp

      • memory/1916-82-0x0000000000110000-0x0000000000111000-memory.dmp

        Filesize

        4KB

      • memory/1916-86-0x00000000049F0000-0x00000000049FA000-memory.dmp

        Filesize

        40KB

      • memory/1916-85-0x000000006E960000-0x000000006EA51000-memory.dmp

        Filesize

        964KB

      • memory/1944-67-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

        Filesize

        4KB

      • memory/2652-89-0x0000000003520000-0x0000000003B81000-memory.dmp

        Filesize

        6.4MB

      • memory/2820-90-0x0000000000000000-mapping.dmp

      • memory/2900-94-0x0000000003580000-0x0000000003BE1000-memory.dmp

        Filesize

        6.4MB
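The Downloads list records the file as an Internet Explorer .partial download named voicemail_..._098.mp3, while the process tree shows the same path being passed to wscript.exe. The extension says nothing about the content. The Python below is an added example, not taken from the report: it sniffs the leading bytes of a file to decide whether it is MPEG audio (an ID3v2 tag or an MPEG frame-sync header) or decodable text containing Windows Script Host tokens, and reports a mismatch against the claimed extension. The sample inputs are constructed, and the token list and the two-token threshold are heuristics chosen for the example.

```python
import re

# Identifiers typical of JScript/VBScript droppers (assumed heuristic list)
SCRIPT_TOKENS = re.compile(
    r"\b(WScript|CreateObject|ActiveXObject|GetObject|eval|unescape|"
    r"Function|Sub|Dim|Execute|var)\b", re.IGNORECASE)

# Extension -> classify() result we expect for an honest file (assumed mapping)
EXPECTED_KIND = {"mp3": "mp3"}


def _decode_text(data):
    """Return decoded text if data looks like a text file, else None."""
    # Check BOMs before anything else: a UTF-16 LE BOM (FF FE) also passes the
    # MPEG frame-sync test below, so a BOM-prefixed script would look like audio.
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        try:
            return data.decode("utf-16")
        except UnicodeDecodeError:
            return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Binaries that happen to be valid UTF-8 still carry control characters
    if any(ord(c) < 0x20 and c not in "\t\r\n" for c in text):
        return None
    return text


def is_mp3(data):
    """True for an ID3v2-tagged file or a bare MPEG audio frame header."""
    if data.startswith(b"ID3"):
        return True
    if len(data) < 4:
        return False
    b0, b1 = data[0], data[1]
    return (b0 == 0xFF and (b1 & 0xE0) == 0xE0   # 11-bit frame sync
            and (b1 & 0x18) != 0x08               # MPEG version field not reserved
            and (b1 & 0x06) != 0x00)              # layer field not reserved


def classify(data):
    """'script', 'text', 'mp3' or 'binary'."""
    text = _decode_text(data)
    if text is not None:
        return "script" if len(SCRIPT_TOKENS.findall(text)) >= 2 else "text"
    if is_mp3(data):
        return "mp3"
    return "binary"


def extension_mismatch(filename, data):
    """True when the claimed extension and the sniffed content disagree."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in EXPECTED_KIND and classify(data) != EXPECTED_KIND[ext]


# Constructed samples: a tagged MP3, a bare-frame MP3, a JScript dropper stub,
# and the same stub saved as UTF-16 with a BOM
SAMPLE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\xff\xfb\x90\x00" + b"\x00" * 32
SAMPLE_RAW_MP3 = b"\xff\xfb\x90\x00" + b"\x00" * 32
SAMPLE_JSCRIPT = b'var sh = new ActiveXObject("WScript.Shell");\r\neval(unescape("%41"));\r\n'
SAMPLE_UTF16 = SAMPLE_JSCRIPT.decode("ascii").encode("utf-16")

if __name__ == "__main__":
    for name, blob in [("tagged.mp3", SAMPLE_MP3), ("raw.mp3", SAMPLE_RAW_MP3),
                       ("voicemail.mp3", SAMPLE_JSCRIPT), ("voicemail_utf16.mp3", SAMPLE_UTF16)]:
        print(name, classify(blob), "MISMATCH" if extension_mismatch(name, blob) else "ok")
```

The ordering in classify() is deliberate: text decoding runs before the audio check because the UTF-16 byte-order mark FF FE satisfies the frame-sync bit pattern, and Windows Script Host happily runs UTF-16 source. Run this against the hashed .partial file from the sandbox rather than trusting the .mp3 name or the players that opened it.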