647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe
Size

1.2MB
MD5

1bea501f52f6075bb7ca051ad4454e8c
SHA1

73f2f06dfa4a91bda577df01ac6b55189126f9ed
SHA256

647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c
SHA512

130ad7fd52c0f72fbb4bc13387bcc2d36d4dede4f2000bf2bba4d5a1f97f4e0ff71b18541179264be5e0502a2584444766c1e564fb90ba2623ed4875c9e78dde

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

svs.exesvs.exe

pid process

1836 svs.exe
1048 svs.exe

Drops startup file 2 IoCs

Processes:

svs.exesvs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	svs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	svs.exe

Loads dropped DLL 2 IoCs

Processes:

WScript.exeWScript.exe

pid process

928 WScript.exe
1084 WScript.exe

pid	process
928	WScript.exe
1084	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svs.exesvs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\svs.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\DXV_FC~1"	svs.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\14712696 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\start.vbs"	svs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\svs.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\DXV_FC~1"	svs.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\14712696 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\start.vbs"	svs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

svs.exesvs.exe

pid	process
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1836	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe
1048	svs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exeWScript.exesvs.exeWScript.exesvs.exe

description	pid	process	target process
PID 1808 wrote to memory of 928	1808	647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe	WScript.exe
PID 1808 wrote to memory of 928	1808	647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe	WScript.exe
PID 1808 wrote to memory of 928	1808	647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe	WScript.exe
PID 1808 wrote to memory of 928	1808	647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe	WScript.exe
PID 928 wrote to memory of 1836	928	WScript.exe	svs.exe
PID 928 wrote to memory of 1836	928	WScript.exe	svs.exe
PID 928 wrote to memory of 1836	928	WScript.exe	svs.exe
PID 928 wrote to memory of 1836	928	WScript.exe	svs.exe
PID 1836 wrote to memory of 1084	1836	svs.exe	WScript.exe
PID 1836 wrote to memory of 1084	1836	svs.exe	WScript.exe
PID 1836 wrote to memory of 1084	1836	svs.exe	WScript.exe
PID 1836 wrote to memory of 1084	1836	svs.exe	WScript.exe
PID 1084 wrote to memory of 1048	1084	WScript.exe	svs.exe
PID 1084 wrote to memory of 1048	1084	WScript.exe	svs.exe
PID 1084 wrote to memory of 1048	1084	WScript.exe	svs.exe
PID 1084 wrote to memory of 1048	1084	WScript.exe	svs.exe
PID 1048 wrote to memory of 520	1048	svs.exe	RegSvcs.exe
PID 1048 wrote to memory of 520	1048	svs.exe	RegSvcs.exe
PID 1048 wrote to memory of 520	1048	svs.exe	RegSvcs.exe
PID 1048 wrote to memory of 520	1048	svs.exe	RegSvcs.exe
PID 1048 wrote to memory of 520	1048	svs.exe	RegSvcs.exe
PID 1048 wrote to memory of 520	1048	svs.exe	RegSvcs.exe
PID 1048 wrote to memory of 520	1048	svs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe
"C:\Users\Admin\AppData\Local\Temp\647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14712696\pgq.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe
"C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe" dxv=fcp
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14712696\run.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe
"C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe" dxv=fcp
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
6⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14712696\dxv=fcp

Filesize
231.6MB

MD5
a0b360650307f2420a717b5223750b35

SHA1
234d738a69eeb2be318cf0d3cf783f49f886baf3

SHA256
9e0d70431e0fa822181aee13e1151a448fe44e0b428cb26e30c42f179795252b

SHA512
0fc11dd30f87ba84fe3b35726db801b10e1a695372efedda5e765fdafc6e8eab911d409a7e9db838dcb6b377a4d6994e1e0d8c43029c79912fdaa3754466351f

Download Submit
C:\Users\Admin\AppData\Local\Temp\14712696\pgq.vbs

Filesize
15KB

MD5
951531e0d8e5c2334809b69a14cb8982

SHA1
cccc13d65996eb191b53de2ac83f13b9e74544f3

SHA256
d43f2e9c8875597cd359ae6ea8e9ef070df705781bc94ba9030193ebd63e37b9

SHA512
b3fe88f41a6e71a1b79bf26d13651b20324dc98a1dca59cdaad5afd4937876d11000d8b44b909efe67ce60830c402a3de8c856093662addd63d88f87644ba97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\14712696\run.vbs

Filesize
83B

MD5
196471cb6c484e0060622aea19bdfd67

SHA1
691a6923ff304884d575e339a48055b40df7b78f

SHA256
d64341ed740ccae2518d2d67ea4a928bffe7930f7c3c154d1ef8a6516df689aa

SHA512
04f6ec14c363548f136892bc44271ab1a98ea8a5c22ca750171f7a42663de341c7c9a41158b0c68cd59f1ec75466f7265634cac17b19d0128b653869d9a004e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14712696\srp.pdf

Filesize
333KB

MD5
117b51a098b81a23f0e91b0ef98661a2

SHA1
36c10109497186038fa0412d14934b67a05fc871

SHA256
a03a929be89bbb86680468e5a2f4854edc445868d7bf48b0d5c2367507c8e2c3

SHA512
f7f30695d542a5cd70ddd50b99ca99fc85a25e6d4ca675d9dc8b4f4a67b0454047c22f372cd0875c01b79b651fc1c847909111a1ac8cfe80fcbb73068f2f3e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\14712696\start.vbs

Filesize
206B

MD5
2c308ce8a95d2d3cf304f96fac85d47c

SHA1
e910c0b3320c39fe504161222a5ec63b2021f9be

SHA256
cb709f9019907a525e568f2e1e2b5ceaac77cf44a15c516daabebefcdf6824d4

SHA512
b3a7a2d19cb0de036e61b4b453da61eaad3e8c2bed391c73ddafaf72b14458e58576cbc4c7daa5f2e487c439b3af0ed20a638d3a4f677557efc52094c02b30df

Download Submit
C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Filesize
1KB

MD5
c381b4ee515aaf3a86e8006af652c779

SHA1
38bb9c65033baedb90f493c3ae8a3c4ad1abe1f7

SHA256
9c1932bfbdd9c6e6b83691788c45352d6b6e09e9a17dd2d3f0b90b75594a9758

SHA512
53257f5495cd80a00991e283adc7192e5071b1baded3aaa5bddc8bbffc9be1a6073f452f57ee945787f158874e5cb6af09b82200838550e91ede76a208bcc453

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\14712696\svs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Local\Temp\14712696\svs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/928-55-0x0000000000000000-mapping.dmp

Download
memory/1048-69-0x0000000000000000-mapping.dmp

Download
memory/1084-65-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1836-60-0x0000000000000000-mapping.dmp

Download