Analysis
max time kernel: 153s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 18:48
Static task: static1
Behavioral task: behavioral1
  Sample: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
  Resource: win10v2004-20220414-en
General
Target: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
Size: 69KB
MD5: 04ee19dcd3079ca37c8f829d2b30513f
SHA1: 185f80cc3e7aa3ca8148bc83f240d3789d7e0706
SHA256: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd
SHA512: 1d9ed9e96d4c0ef1aae4aa6c5e5bbbb6ac11f8c8eb9369134aea962caa652469c2a35ba2a961411071bb9dfba8485fee1827f9633217d2947744261ed08a9da5
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes: V3Lite.exe (pid 624)

Modifies Windows Firewall (1 TTP)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
  Processes: V3Lite.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\257e54d5487aae3e024df308f1deeed9.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\257e54d5487aae3e024df308f1deeed9.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: V3Lite.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\257e54d5487aae3e024df308f1deeed9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\V3Lite.exe\" .."
    Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\257e54d5487aae3e024df308f1deeed9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\V3Lite.exe\" .."

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe, V3Lite.exe
    Token: SeDebugPrivilege, pid 4880, 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
    Token: SeDebugPrivilege, pid 624, V3Lite.exe
    Token: 33, pid 624, V3Lite.exe
    Token: SeIncBasePriorityPrivilege, pid 624, V3Lite.exe
    (the last two entries alternate and repeat, 16 occurrences of each, for 34 entries in total)

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe, V3Lite.exe
    PID 4880 wrote to memory of 624: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe -> V3Lite.exe
    PID 4880 wrote to memory of 624: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe -> V3Lite.exe
    PID 624 wrote to memory of 4516: V3Lite.exe -> netsh.exe
    PID 624 wrote to memory of 4516: V3Lite.exe -> netsh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\V3Lite.exe (child of the sample)
    Command line: "C:\Users\Admin\AppData\Local\Temp\V3Lite.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\netsh.exe (child of V3Lite.exe)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\V3Lite.exe" "V3Lite.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\V3Lite.exe
  Filesize: 69KB
  MD5: 04ee19dcd3079ca37c8f829d2b30513f
  SHA1: 185f80cc3e7aa3ca8148bc83f240d3789d7e0706
  SHA256: 3780704d28e73654b31a312c7887a202f3b28a15046d0a314f1ba0373e5362dd
  SHA512: 1d9ed9e96d4c0ef1aae4aa6c5e5bbbb6ac11f8c8eb9369134aea962caa652469c2a35ba2a961411071bb9dfba8485fee1827f9633217d2947744261ed08a9da5
memory/624-132-0x0000000000000000-mapping.dmp
memory/624-135-0x00007FFB5C990000-0x00007FFB5D451000-memory.dmp
  Filesize: 10.8MB
memory/4516-136-0x0000000000000000-mapping.dmp
memory/4880-130-0x0000000000BD0000-0x0000000000BE0000-memory.dmp
  Filesize: 64KB
memory/4880-131-0x00007FFB5C990000-0x00007FFB5D451000-memory.dmp
  Filesize: 10.8MB