8d0d6ef5d40f5086af207d94212c1f8cc737f34eab3b84b8f14ff5a4a50b831b

General

Target

scan copy.exe
Size

859KB
MD5

54a3dd33e8b12aed84551a0fecaa4068
SHA1

637e1d8791e758bcce7a77c18c3c2019105e70e1
SHA256

fa1dd731e06f5a7470f45a3f09f0b39d2e236d022c9a9d6e52828e8214c5893e
SHA512

ed3a361816805a4894eee14de6d9a32d4bc55e1ca8daac9fbb358f6881acbf590bb23b3cfeb8ef16625440bd13e69bad34d8de51a5599f407b94249752268418

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

scan copy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	scan copy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	scan copy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

scan copy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	scan copy.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

scan copy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	scan copy.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	scan copy.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

scan copy.exe

description pid process target process

PID 2864 set thread context of 4816 2864 scan copy.exe scan copy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2032 schtasks.exe

description	pid	process	target process
PID 2864 set thread context of 4816	2864	scan copy.exe	scan copy.exe

pid	process
2032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

scan copy.exescan copy.exepowershell.exe

pid	process
2864	scan copy.exe
2864	scan copy.exe
2864	scan copy.exe
2864	scan copy.exe
2864	scan copy.exe
4816	scan copy.exe
4816	scan copy.exe
5048	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

scan copy.exescan copy.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2864 scan copy.exe
Token: SeDebugPrivilege 4816 scan copy.exe
Token: SeDebugPrivilege 5048 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2864	scan copy.exe
Token: SeDebugPrivilege	4816	scan copy.exe
Token: SeDebugPrivilege	5048	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

scan copy.exescan copy.execmd.exe

description	pid	process	target process
PID 2864 wrote to memory of 2032	2864	scan copy.exe	schtasks.exe
PID 2864 wrote to memory of 2032	2864	scan copy.exe	schtasks.exe
PID 2864 wrote to memory of 2032	2864	scan copy.exe	schtasks.exe
PID 2864 wrote to memory of 4804	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4804	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4804	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4816	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4816	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4816	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4816	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4816	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4816	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4816	2864	scan copy.exe	scan copy.exe
PID 2864 wrote to memory of 4816	2864	scan copy.exe	scan copy.exe
PID 4816 wrote to memory of 2428	4816	scan copy.exe	cmd.exe
PID 4816 wrote to memory of 2428	4816	scan copy.exe	cmd.exe
PID 4816 wrote to memory of 2428	4816	scan copy.exe	cmd.exe
PID 2428 wrote to memory of 5048	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 5048	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 5048	2428	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\scan copy.exe
"C:\Users\Admin\AppData\Local\Temp\scan copy.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UpyZsPxZaoR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57A5.tmp"
2⤵
- Creates scheduled task(s)
PID:2032

C:\Users\Admin\AppData\Local\Temp\scan copy.exe
"{path}"
2⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\scan copy.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\scan copy.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\scan copy.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scan copy.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57A5.tmp

Filesize
1KB

MD5
ed5122d1e8bfb395788b71c60c74ef35

SHA1
c654a2f0d863ba67fd08d4a8bbee18b9a41e98a8

SHA256
71f1f1f885b1d99c73c0b23fe84ddd7eeb458840ceb0ae1cd74f511c021cc02c

SHA512
92dc8c56dca2fe0dd21875b01552ac8215a289cf0bb3f39138cc239feb171028e16f73ee72500e07c0fd57190d2551d8178bd1d281b6fa08f2e5148c4e01b24f

Download Submit
memory/2032-136-0x0000000000000000-mapping.dmp

Download
memory/2428-142-0x0000000000000000-mapping.dmp

Download
memory/2864-131-0x0000000007AF0000-0x0000000008094000-memory.dmp

Filesize
5.6MB

Download
memory/2864-132-0x00000000075E0000-0x0000000007672000-memory.dmp

Filesize
584KB

Download
memory/2864-133-0x00000000075C0000-0x00000000075CA000-memory.dmp

Filesize
40KB

Download
memory/2864-134-0x00000000078C0000-0x000000000795C000-memory.dmp

Filesize
624KB

Download
memory/2864-135-0x000000000ED30000-0x000000000ED96000-memory.dmp

Filesize
408KB

Download
memory/2864-130-0x0000000000790000-0x000000000086E000-memory.dmp

Filesize
888KB

Download
memory/4804-138-0x0000000000000000-mapping.dmp

Download
memory/4816-139-0x0000000000000000-mapping.dmp

Download
memory/4816-140-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5048-143-0x0000000000000000-mapping.dmp

Download
memory/5048-144-0x0000000004B20000-0x0000000004B56000-memory.dmp

Filesize
216KB

Download
memory/5048-145-0x00000000052D0000-0x00000000058F8000-memory.dmp

Filesize
6.2MB

Download
memory/5048-146-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/5048-147-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/5048-148-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/5048-149-0x0000000007770000-0x0000000007DEA000-memory.dmp

Filesize
6.5MB

Download
memory/5048-150-0x00000000065E0000-0x00000000065FA000-memory.dmp

Filesize
104KB

Download
memory/5048-152-0x00000000066B0000-0x00000000066D2000-memory.dmp

Filesize
136KB

Download
memory/5048-151-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads