21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-06-2022 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe
Size

218KB
MD5

4ced579c892ddde3858eaaca641759bb
SHA1

655346c704eb41422328998fab56691f352dec4d
SHA256

21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64
SHA512

611ef0f7ba245d9338ffa1e2ed2e5ac09b610ee0c8d4dea31b64281dc144a67240635e9cdeb493332f9468715f49a4e10e362fabf5a80cb6c65bd16078b4e7da

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	4668	WScript.exe
5	4668	WScript.exe
7	4668	WScript.exe
9	4668	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel(R) = "C:\\Users\\Admin\\AppData\\Roaming\\svscrypte.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel(R) = "C:\\Users\\Admin\\AppData\\Roaming\\svscrypte.vbs"	reg.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4528	sc.exe
4496	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1156	reg.exe
3136	reg.exe
4140	reg.exe
3088	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2408	1388	21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe	81
PID 1388 wrote to memory of 2408	1388	21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe	81
PID 1388 wrote to memory of 2408	1388	21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe	81
PID 2408 wrote to memory of 1156	2408	cmd.exe	84
PID 2408 wrote to memory of 1156	2408	cmd.exe	84
PID 2408 wrote to memory of 1156	2408	cmd.exe	84
PID 2408 wrote to memory of 3136	2408	cmd.exe	85
PID 2408 wrote to memory of 3136	2408	cmd.exe	85
PID 2408 wrote to memory of 3136	2408	cmd.exe	85
PID 2408 wrote to memory of 4140	2408	cmd.exe	86
PID 2408 wrote to memory of 4140	2408	cmd.exe	86
PID 2408 wrote to memory of 4140	2408	cmd.exe	86
PID 2408 wrote to memory of 3088	2408	cmd.exe	87
PID 2408 wrote to memory of 3088	2408	cmd.exe	87
PID 2408 wrote to memory of 3088	2408	cmd.exe	87
PID 2408 wrote to memory of 1184	2408	cmd.exe	88
PID 2408 wrote to memory of 1184	2408	cmd.exe	88
PID 2408 wrote to memory of 1184	2408	cmd.exe	88
PID 2408 wrote to memory of 4528	2408	cmd.exe	89
PID 2408 wrote to memory of 4528	2408	cmd.exe	89
PID 2408 wrote to memory of 4528	2408	cmd.exe	89
PID 2408 wrote to memory of 4496	2408	cmd.exe	90
PID 2408 wrote to memory of 4496	2408	cmd.exe	90
PID 2408 wrote to memory of 4496	2408	cmd.exe	90
PID 2408 wrote to memory of 4488	2408	cmd.exe	91
PID 2408 wrote to memory of 4488	2408	cmd.exe	91
PID 2408 wrote to memory of 4488	2408	cmd.exe	91
PID 4488 wrote to memory of 4520	4488	net.exe	92
PID 4488 wrote to memory of 4520	4488	net.exe	92
PID 4488 wrote to memory of 4520	4488	net.exe	92
PID 1388 wrote to memory of 4668	1388	21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe	93
PID 1388 wrote to memory of 4668	1388	21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe	93
PID 1388 wrote to memory of 4668	1388	21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe	93

C:\Users\Admin\AppData\Local\Temp\21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe
"C:\Users\Admin\AppData\Local\Temp\21e82b438e9372b136719ebb26d2c8024e2e80d866b144ed0d509a7c9db67a64.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\svscrypte.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svscrypte.vbs" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1156
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svscrypte.vbs" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3136
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policiees\Explorer\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svscrypte.vbs" /f
    3⤵
    - Modifies registry key
    PID:4140
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policiees\Explorer\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svscrypte.vbs" /f
    3⤵
    - Modifies registry key
    PID:3088
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\sc.exe
    sc config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:4528
- - C:\Windows\SysWOW64\sc.exe
    sc config srservice start= Auto
    3⤵
    - Launches sc.exe
    PID:4496
- - C:\Windows\SysWOW64\net.exe
    net stop srservice
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop srservice
      4⤵
      PID:4520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\svscrypte.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svscrypte.bat

Filesize
1KB

MD5
25b68c107acc1a507d81e0ffc53a60c5

SHA1
79cf6f1a2e0175dc2a84f55c02b03958dd2ba074

SHA256
51cde711442e057adf08e60554e4e1db99dae431216f772e61a3fc544d9ed2fd

SHA512
d312295b41cc0fb53f9281c8afea49fa9eb9e2c7bc1075a679626cf6e343b6d306523a2a1d8473b7e89601aea1faf5ba5ca035cacd4ae7310044c4fa916610ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svscrypte.vbs

Filesize
31KB

MD5
56f6087b9e1f7b00737d9a2ce88f2a30

SHA1
1c5d05fa5e63abfa54161909eff2b44d6ba0f87b

SHA256
dafa1695d053b53f4a74b34fde6441094c8775d61d67a2b72eb7267685846343

SHA512
90af78fbe2822cc17077d4fd9c8a6be509db33801a613dd0b56a07b182073e7edf28c692a86258bf59dd1d979e6d930c68784bd47e47068c95ac1978029e1730

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads