3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794

General

Target

3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794.exe
Size

385KB
MD5

ab9efa39a5aecf383c095401c1b6c658
SHA1

f72409d3048d4c62cc12ceee280750f44e7eb3fc
SHA256

3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794
SHA512

f4ff7547104c9de4c018daa36e7d60612691c4e07573a2bfe7fdf7dbdad9380251dad76a44a97d4c1eb81c1cc4584ce8c41888c892cd4b947061b5fc90964bb2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4036	pVgti.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	pVgti.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\pVgti.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4036	pVgti.exe
4036	pVgti.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	pVgti.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4036	2540	3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794.exe	84
PID 2540 wrote to memory of 4036	2540	3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794.exe	84
PID 4036 wrote to memory of 4480	4036	pVgti.exe	85
PID 4036 wrote to memory of 4480	4036	pVgti.exe	85
PID 4036 wrote to memory of 2396	4036	pVgti.exe	48
PID 4480 wrote to memory of 3504	4480	cmd.exe	87
PID 4480 wrote to memory of 3504	4480	cmd.exe	87
PID 4036 wrote to memory of 2424	4036	pVgti.exe	47
PID 4036 wrote to memory of 2508	4036	pVgti.exe	44
PID 4036 wrote to memory of 3104	4036	pVgti.exe	37

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3104

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2424

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794.exe
"C:\Users\Admin\AppData\Local\Temp\3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2540
- C:\users\Public\pVgti.exe
  "C:\users\Public\pVgti.exe" C:\Users\Admin\AppData\Local\Temp\3af6d8ae486dc533fdbb81ca77b33765b9652d173c490862b9b7ea9d42f46794.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\pVgti.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\pVgti.exe" /f
      4⤵
      Adds Run key to start application
      PID:3504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2396-132-0x00007FF6DBA10000-0x00007FF6DBD9E000-memory.dmp

Filesize
3.6MB

Download
memory/2508-133-0x00007FF6DBA10000-0x00007FF6DBD9E000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing