Analysis
- max time kernel: 153s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 04-02-2022 10:34

Static task: static1
Behavioral task: behavioral1
Sample: edadf30df18e6a7ea190041cf3bd4a0b.exe
Resource: win7-en-20211208
General
- Target: edadf30df18e6a7ea190041cf3bd4a0b.exe
- Size: 366KB
- MD5: edadf30df18e6a7ea190041cf3bd4a0b
- SHA1: b33c269642bf42b8c71988b9ddbe298e00b65ef1
- SHA256: 3b8761d2e19bc5185f55cc2f575bbe54a45a52fc1c8650a60f1bd13e01e24655
- SHA512: 0a22b64f763aa5bf471e2b889899665fa060ae4bd2288c2dd07731aa7411c7d6c2be0c0e3d619adcf064a1815f4a9f641815076970bb690d1ef9390811a1a810
Malware Config
Signatures
- GoldenSpy Payload (8 IoCs)
  Processes (resource | yara_rule):
  \Program Files (x86)\svm\svm.exe | goldenspy_svm_payload
  C:\Program Files (x86)\svm\svm.exe | goldenspy_svm_payload
  \Program Files (x86)\svm\svmm.exe | goldenspy_svm_payload
  C:\Program Files (x86)\svm\svmm.exe | goldenspy_svm_payload
  C:\Program Files (x86)\svm\svm.exe | goldenspy_svm_payload
  C:\Program Files (x86)\svm\svmm.exe | goldenspy_svm_payload
  C:\Program Files (x86)\svm\svmm.exe | goldenspy_svm_payload
  C:\Program Files (x86)\svm\svm.exe | goldenspy_svm_payload
- suricata: ET MALWARE GoldenSpy Domain Observed
- suricata: ET MALWARE GoldenSpy Domain Observed
- Executes dropped EXE (6 IoCs)
  Processes (pid | process):
  1548 | svm.exe
  800 | svmm.exe
  268 | svm.exe
  776 | svmm.exe
  568 | svmm.exe
  576 | svm.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
  2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe
  2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe
  2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe
  2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svm.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Program Files (x86)\svm\svm.exe | edadf30df18e6a7ea190041cf3bd4a0b.exe
  File opened for modification | C:\Program Files (x86)\svm\log\20220204-svm.log | svm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1673B1B1-7AE6-4737-A41B-28245319810E} | svm.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1673B1B1-7AE6-4737-A41B-28245319810E}\WpadNetworkName = "Network 3" | svm.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-cb-a0-2b-6b-88 | svm.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-cb-a0-2b-6b-88\WpadDecisionTime = 00c18b89b819d801 | svm.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svm.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f016e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svm.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svm.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1673B1B1-7AE6-4737-A41B-28245319810E}\WpadDecisionReason = "1" | svm.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1673B1B1-7AE6-4737-A41B-28245319810E}\WpadDecision = "0" | svm.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1673B1B1-7AE6-4737-A41B-28245319810E}\1e-cb-a0-2b-6b-88 | svm.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svm.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svm.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svm.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1673B1B1-7AE6-4737-A41B-28245319810E}\WpadDecisionTime = 00c18b89b819d801 | svm.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svm.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svm.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svm.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svm.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svm.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-cb-a0-2b-6b-88\WpadDecisionReason = "1" | svm.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-cb-a0-2b-6b-88\WpadDecision = "0" | svm.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svm.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svm.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svm.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes (pid | process):
  2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe
  2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe
  2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe
  2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe
  568 | svmm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
  576 | svm.exe
  568 | svmm.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process):
  PID 2036 wrote to memory of 1548 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svm.exe
  PID 2036 wrote to memory of 1548 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svm.exe
  PID 2036 wrote to memory of 1548 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svm.exe
  PID 2036 wrote to memory of 1548 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svm.exe
  PID 2036 wrote to memory of 800 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svmm.exe
  PID 2036 wrote to memory of 800 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svmm.exe
  PID 2036 wrote to memory of 800 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svmm.exe
  PID 2036 wrote to memory of 800 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svmm.exe
  PID 2036 wrote to memory of 268 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svm.exe
  PID 2036 wrote to memory of 268 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svm.exe
  PID 2036 wrote to memory of 268 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svm.exe
  PID 2036 wrote to memory of 268 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svm.exe
  PID 2036 wrote to memory of 776 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svmm.exe
  PID 2036 wrote to memory of 776 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svmm.exe
  PID 2036 wrote to memory of 776 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svmm.exe
  PID 2036 wrote to memory of 776 | 2036 | edadf30df18e6a7ea190041cf3bd4a0b.exe | svmm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\edadf30df18e6a7ea190041cf3bd4a0b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\edadf30df18e6a7ea190041cf3bd4a0b.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\svm\svm.exe
    Command line: "C:\Program Files (x86)\svm\svm.exe" -i
    - Executes dropped EXE
  - C:\Program Files (x86)\svm\svmm.exe
    Command line: "C:\Program Files (x86)\svm\svmm.exe" -i
    - Executes dropped EXE
  - C:\Program Files (x86)\svm\svmm.exe
    Command line: "C:\Program Files (x86)\svm\svmm.exe" -start
    - Executes dropped EXE
  - C:\Program Files (x86)\svm\svm.exe
    Command line: "C:\Program Files (x86)\svm\svm.exe" -start
    - Executes dropped EXE
- C:\Program Files (x86)\svm\svmm.exe
  Command line: "C:\Program Files (x86)\svm\svmm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\svm\svm.exe
  Command line: "C:\Program Files (x86)\svm\svm.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\svm\svm.exe
  MD5: 2c5557250cbd3f7ff3f778aa4fc6e479
  SHA1: 1aa93b29564cfcdff0f3a29058906b08bf44ea1e
  SHA256: a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269
  SHA512: a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25
- C:\Program Files (x86)\svm\svmm.exe
  MD5: 2c5557250cbd3f7ff3f778aa4fc6e479
  SHA1: 1aa93b29564cfcdff0f3a29058906b08bf44ea1e
  SHA256: a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269
  SHA512: a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25
- \Program Files (x86)\svm\svm.exe
  MD5: 2c5557250cbd3f7ff3f778aa4fc6e479
  SHA1: 1aa93b29564cfcdff0f3a29058906b08bf44ea1e
  SHA256: a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269
  SHA512: a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25
- \Program Files (x86)\svm\svmm.exe
  MD5: 2c5557250cbd3f7ff3f778aa4fc6e479
  SHA1: 1aa93b29564cfcdff0f3a29058906b08bf44ea1e
  SHA256: a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269
  SHA512: a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25
- \Users\Admin\AppData\Local\Temp\nsqDCD7.tmp\processwork.dll
  MD5: 0a4fa7a9ba969a805eb0603c7cfe3378
  SHA1: 0f018a8d5b42c6ce8bf34b4a6422861c327af88c
  SHA256: 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
  SHA512: e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178
- memory/2036-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB