8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

Analysis

max time kernel
142s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
Size

207KB
MD5

69fce06e2bcd6be56fa9456abb53c450
SHA1

6cc1d500439af463b6035332824cd8cea15e7176
SHA256

8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388
SHA512

faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256
SSDEEP

6144:Jz+92mhAMJ/cPl3iwESGwupSPWEteMdR3KPyGmp9k0FJ:JK2mhAMJ/cPl+SGREWEyyDNJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1716	DJVLFXHX.exe
1296	scvhost.exe
1204	DJVLFXHX.exe
976	scvhost.exe

Loads dropped DLL 12 IoCs

pid	Process
1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
1296	scvhost.exe
1296	scvhost.exe
1296	scvhost.exe
1296	scvhost.exe
1296	scvhost.exe
1204	DJVLFXHX.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe"	scvhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 1584	1716	DJVLFXHX.exe	28
PID 1204 set thread context of 976	1204	DJVLFXHX.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1716	DJVLFXHX.exe
1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
1204	DJVLFXHX.exe
976	scvhost.exe
976	scvhost.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1716	1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	27
PID 1768 wrote to memory of 1716	1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	27
PID 1768 wrote to memory of 1716	1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	27
PID 1768 wrote to memory of 1716	1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	27
PID 1768 wrote to memory of 1716	1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	27
PID 1768 wrote to memory of 1716	1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	27
PID 1768 wrote to memory of 1716	1768	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	27
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1716 wrote to memory of 1584	1716	DJVLFXHX.exe	28
PID 1584 wrote to memory of 1296	1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	29
PID 1584 wrote to memory of 1296	1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	29
PID 1584 wrote to memory of 1296	1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	29
PID 1584 wrote to memory of 1296	1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	29
PID 1584 wrote to memory of 1296	1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	29
PID 1584 wrote to memory of 1296	1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	29
PID 1584 wrote to memory of 1296	1584	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	29
PID 1296 wrote to memory of 1204	1296	scvhost.exe	30
PID 1296 wrote to memory of 1204	1296	scvhost.exe	30
PID 1296 wrote to memory of 1204	1296	scvhost.exe	30
PID 1296 wrote to memory of 1204	1296	scvhost.exe	30
PID 1296 wrote to memory of 1204	1296	scvhost.exe	30
PID 1296 wrote to memory of 1204	1296	scvhost.exe	30
PID 1296 wrote to memory of 1204	1296	scvhost.exe	30
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31
PID 1204 wrote to memory of 976	1204	DJVLFXHX.exe	31

C:\Users\Admin\AppData\Local\Temp\8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
"C:\Users\Admin\AppData\Local\Temp\8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe
  "C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
    "C:\Users\Admin\AppData\Local\Temp\8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Roaming\scvhost.exe
      C:\Users\Admin\AppData\Roaming\scvhost.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Users\Admin\AppData\Roaming\scvhost.exe
        
        "C:\Users\Admin\AppData\Roaming\scvhost.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\3ts2gu

Filesize
88KB

MD5
e57b77403b9bc1c93f2c01723bfe9f98

SHA1
d4c11b86261af98082f294bafc3860c4d3512b43

SHA256
cbdb76d1dd22f42fcc33273914c170535896b10787d77ff6445e4d539121d5c4

SHA512
76f86f58969897087bdc3b30700e0a9c5774b0e919e79f9cbe19a13fd081f65a01ed956ec271d21e51a11875e994bfa0ec95a1e0773ec898ac57ed0da59fbf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
207KB

MD5
69fce06e2bcd6be56fa9456abb53c450

SHA1
6cc1d500439af463b6035332824cd8cea15e7176

SHA256
8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

SHA512
faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
207KB

MD5
69fce06e2bcd6be56fa9456abb53c450

SHA1
6cc1d500439af463b6035332824cd8cea15e7176

SHA256
8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

SHA512
faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
207KB

MD5
69fce06e2bcd6be56fa9456abb53c450

SHA1
6cc1d500439af463b6035332824cd8cea15e7176

SHA256
8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

SHA512
faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
207KB

MD5
69fce06e2bcd6be56fa9456abb53c450

SHA1
6cc1d500439af463b6035332824cd8cea15e7176

SHA256
8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

SHA512
faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256

Download Submit
\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
207KB

MD5
69fce06e2bcd6be56fa9456abb53c450

SHA1
6cc1d500439af463b6035332824cd8cea15e7176

SHA256
8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

SHA512
faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256

Download Submit
memory/976-111-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1204-106-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1204-96-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1584-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1584-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1584-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1584-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1584-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1716-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1716-74-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download