Analysis

Max time kernel: 77s
Max time network: 48s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 03/10/2022, 03:43
Static task: static1

Behavioral task: behavioral1
  Sample: eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  Resource: win10v2004-20220812-en
General

Target: eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
Size: 577KB
MD5: 534fa406e246d764822c16114c823b70
SHA1: 4eafc3d0bc89d62b7cf05685f70c39ac4cf0cc7f
SHA256: eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125
SHA512: 6c4dec10b0b126e907e1d7946ea0ec0d2aab4f1e2d59b45512e8c0ee61429f1bca77f5c6490c8b156538aed24d901991eed484efe5b54aa894664e9c2216be9a
SSDEEP: 12288:26SKqT31T6WpJY6V765jKqostkm3Nbn1lcO/+zbt8v3VdPlcOq:DxqT31T6WE6I5jKqosOm9bn1N/nVFNq
Malware Config: (empty)

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SSVICHOSST.exe" | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
Disables Task Manager via registry modification

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\SSVICHOSST.exe" | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\google = "http://advgoogle.blogspot.com" | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) by eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe for each of the following 24 paths, in the order recorded:
  \??\b:, \??\e:, \??\f:, \??\k:, \??\q:, \??\t:, \??\u:, \??\a:, \??\g:, \??\j:, \??\m:, \??\p:, \??\w:, \??\z:, \??\h:, \??\i:, \??\n:, \??\v:, \??\y:, \??\l:, \??\o:, \??\r:, \??\s:, \??\x:
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/1680-55-0x0000000000400000-0x00000000004A4000-memory.dmp | autoit_exe
  behavioral1/memory/1680-56-0x0000000000400000-0x00000000004A4000-memory.dmp | autoit_exe

Drops file in System32 directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\SSVICHOSST.exe | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  File opened for modification | C:\Windows\SysWOW64\SSVICHOSST.exe | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  File opened for modification | C:\Windows\SysWOW64\autorun.ini | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\SSVICHOSST.exe | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  File opened for modification | C:\Windows\SSVICHOSST.exe | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1680 | eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  (all 64 recorded entries are this same pid and process)
Processes

C:\Users\Admin\AppData\Local\Temp\eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eddf53dedda21e541b1ca202194bc9a7a515044e10a46063f589ca8e40287125.exe"
  PID: 1680
  Signatures:
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses