8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

General

Target

8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
Size

207KB
MD5

69fce06e2bcd6be56fa9456abb53c450
SHA1

6cc1d500439af463b6035332824cd8cea15e7176
SHA256

8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388
SHA512

faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256
SSDEEP

6144:Jz+92mhAMJ/cPl3iwESGwupSPWEteMdR3KPyGmp9k0FJ:JK2mhAMJ/cPl+SGREWEyyDNJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
528	DJVLFXHX.exe
5024	scvhost.exe
616	DJVLFXHX.exe
4348	scvhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	scvhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe"	scvhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 528 set thread context of 4496	528	DJVLFXHX.exe	87
PID 616 set thread context of 4348	616	DJVLFXHX.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
528	DJVLFXHX.exe
4496	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
616	DJVLFXHX.exe
4348	scvhost.exe
4348	scvhost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 528	2020	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	85
PID 2020 wrote to memory of 528	2020	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	85
PID 2020 wrote to memory of 528	2020	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	85
PID 528 wrote to memory of 4496	528	DJVLFXHX.exe	87
PID 528 wrote to memory of 4496	528	DJVLFXHX.exe	87
PID 528 wrote to memory of 4496	528	DJVLFXHX.exe	87
PID 528 wrote to memory of 4496	528	DJVLFXHX.exe	87
PID 528 wrote to memory of 4496	528	DJVLFXHX.exe	87
PID 528 wrote to memory of 4496	528	DJVLFXHX.exe	87
PID 528 wrote to memory of 4496	528	DJVLFXHX.exe	87
PID 528 wrote to memory of 4496	528	DJVLFXHX.exe	87
PID 4496 wrote to memory of 5024	4496	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	88
PID 4496 wrote to memory of 5024	4496	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	88
PID 4496 wrote to memory of 5024	4496	8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe	88
PID 5024 wrote to memory of 616	5024	scvhost.exe	89
PID 5024 wrote to memory of 616	5024	scvhost.exe	89
PID 5024 wrote to memory of 616	5024	scvhost.exe	89
PID 616 wrote to memory of 4348	616	DJVLFXHX.exe	90
PID 616 wrote to memory of 4348	616	DJVLFXHX.exe	90
PID 616 wrote to memory of 4348	616	DJVLFXHX.exe	90
PID 616 wrote to memory of 4348	616	DJVLFXHX.exe	90
PID 616 wrote to memory of 4348	616	DJVLFXHX.exe	90
PID 616 wrote to memory of 4348	616	DJVLFXHX.exe	90
PID 616 wrote to memory of 4348	616	DJVLFXHX.exe	90
PID 616 wrote to memory of 4348	616	DJVLFXHX.exe	90

C:\Users\Admin\AppData\Local\Temp\8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
"C:\Users\Admin\AppData\Local\Temp\8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe
  "C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Users\Admin\AppData\Local\Temp\8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe
    "C:\Users\Admin\AppData\Local\Temp\8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Roaming\scvhost.exe
      C:\Users\Admin\AppData\Roaming\scvhost.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:616
      - C:\Users\Admin\AppData\Roaming\scvhost.exe
        
        "C:\Users\Admin\AppData\Roaming\scvhost.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\3ts2gu

Filesize
88KB

MD5
e57b77403b9bc1c93f2c01723bfe9f98

SHA1
d4c11b86261af98082f294bafc3860c4d3512b43

SHA256
cbdb76d1dd22f42fcc33273914c170535896b10787d77ff6445e4d539121d5c4

SHA512
76f86f58969897087bdc3b30700e0a9c5774b0e919e79f9cbe19a13fd081f65a01ed956ec271d21e51a11875e994bfa0ec95a1e0773ec898ac57ed0da59fbf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQUZSNVW\DJVLFXHX.exe

Filesize
20KB

MD5
76047ba6eda054cb5b0056d83d07616f

SHA1
5d378ad9ce65db173f869603946ee1019c380f46

SHA256
e0d8926db00bb50377bb908555c4f72efcc120b02d6361fbc4caeb9ef8ed0bf3

SHA512
ded07141118e2d2181cd8f20f5484966bc57e1098c584284606f40a651589600d9a2cc16ca08daa1ebd72f4af9124a612c63137136574b53dcccbc4052e54a34

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
207KB

MD5
69fce06e2bcd6be56fa9456abb53c450

SHA1
6cc1d500439af463b6035332824cd8cea15e7176

SHA256
8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

SHA512
faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
207KB

MD5
69fce06e2bcd6be56fa9456abb53c450

SHA1
6cc1d500439af463b6035332824cd8cea15e7176

SHA256
8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

SHA512
faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
207KB

MD5
69fce06e2bcd6be56fa9456abb53c450

SHA1
6cc1d500439af463b6035332824cd8cea15e7176

SHA256
8405b256217fd50982c33cc6be8b239c1f74b50f5b575f40082a8fac3c3a6388

SHA512
faac94715e63d162e9e567e23cc98030264e86723667f3a7d0122e920503e82e6e9af79f40cd04202cc566396c4cd5379edaa946a1fb5a83ea13f0a3e5953256

Download Submit
memory/528-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/528-132-0x0000000000000000-mapping.dmp

Download
memory/528-136-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/616-155-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/616-159-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/616-150-0x0000000000000000-mapping.dmp

Download
memory/4348-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4348-156-0x0000000000000000-mapping.dmp

Download
memory/4496-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4496-139-0x0000000000000000-mapping.dmp

Download
memory/4496-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4496-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5024-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing