27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa

Analysis

max time kernel
151s
max time network
85s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
Size

112KB
MD5

80677edda94f587779997e7d3b47365e
SHA1

a774b737c1981d36171464371fd43703b3661392
SHA256

27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa
SHA512

512ba6e18eff909b93729c933ccb6860290b27f7a4b29b3024837caa6cee4bbe0531b78d31699d0c6b236882fe0d4988fc8bd471eb26396f788faccc798858c6
SSDEEP

1536:+T4q/5kwYvNcWNl4MfCCpYwlgNPQ6fF+K0g1yBubzFkh34SGDLHI:HlGlog1yBub5DfI

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1032	vschost.exe
684	vschost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1656-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1656-61-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1656-62-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1656-65-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1656-66-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1656-69-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1656-111-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/684-114-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/684-118-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vschost = "C:\\Users\\Admin\\AppData\\Roaming\\vschost\\vschost.exe"	reg.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	InstallUtil.exe
File created	C:\autorun.inf	InstallUtil.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1008 set thread context of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1032 set thread context of 684	1032	vschost.exe	33
PID 1032 set thread context of 1932	1032	vschost.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe
Token: SeDebugPrivilege	684	vschost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
1032	vschost.exe
684	vschost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1008 wrote to memory of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1008 wrote to memory of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1008 wrote to memory of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1008 wrote to memory of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1008 wrote to memory of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1008 wrote to memory of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1008 wrote to memory of 1656	1008	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	28
PID 1656 wrote to memory of 1596	1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	29
PID 1656 wrote to memory of 1596	1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	29
PID 1656 wrote to memory of 1596	1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	29
PID 1656 wrote to memory of 1596	1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	29
PID 1596 wrote to memory of 912	1596	cmd.exe	31
PID 1596 wrote to memory of 912	1596	cmd.exe	31
PID 1596 wrote to memory of 912	1596	cmd.exe	31
PID 1596 wrote to memory of 912	1596	cmd.exe	31
PID 1656 wrote to memory of 1032	1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	32
PID 1656 wrote to memory of 1032	1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	32
PID 1656 wrote to memory of 1032	1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	32
PID 1656 wrote to memory of 1032	1656	27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe	32
PID 1032 wrote to memory of 684	1032	vschost.exe	33
PID 1032 wrote to memory of 684	1032	vschost.exe	33
PID 1032 wrote to memory of 684	1032	vschost.exe	33
PID 1032 wrote to memory of 684	1032	vschost.exe	33
PID 1032 wrote to memory of 684	1032	vschost.exe	33
PID 1032 wrote to memory of 684	1032	vschost.exe	33
PID 1032 wrote to memory of 684	1032	vschost.exe	33
PID 1032 wrote to memory of 684	1032	vschost.exe	33
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34
PID 1032 wrote to memory of 1932	1032	vschost.exe	34

C:\Users\Admin\AppData\Local\Temp\27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
"C:\Users\Admin\AppData\Local\Temp\27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe
  "C:\Users\Admin\AppData\Local\Temp\27e8196401b04c0d1845152be0877094e57397f509bed8046b36e1b1029820aa.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ALBVT.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "vschost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vschost\vschost.exe" /f
      4⤵
      Adds Run key to start application
      PID:912
- - C:\Users\Admin\AppData\Roaming\vschost\vschost.exe
    "C:\Users\Admin\AppData\Roaming\vschost\vschost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Users\Admin\AppData\Roaming\vschost\vschost.exe
      "C:\Users\Admin\AppData\Roaming\vschost\vschost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
      "C:\Windows\\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
      4⤵
      Drops autorun.inf file
      PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ALBVT.bat

Filesize
144B

MD5
70ba506fca66d0bb4aadeb32cc20baa1

SHA1
adf1deced9481c48f5ec3c4bcdd7c92ab6b3477a

SHA256
85307f37bc656a402cbd1bd41927754b4b33190de5c04ad07a4e915f6046e9dc

SHA512
da5a08fb9b78511c7fc73985ba31a11df389b171b57ba878ec33caf156d720487904be869d5baadea2a757eebf052592904ecb99897cf738c91a4e1d377f940f

Download Submit
C:\Users\Admin\AppData\Roaming\vschost\vschost.exe

Filesize
112KB

MD5
eda4f5cd770ef33af5188f7a82f118de

SHA1
a31915e5298b6f101206b5abce61102abc0a48f9

SHA256
9f270d8d0579d5040eeacfdadc041404a3826d6bf6c1483a1271336a04f8f33a

SHA512
c8ec697f6911c8bae2c9e2f7dc3f5060f3391f4d2fa4d473ede4c1a368291e1c312002f11a48c99f9c95c6a62728687dacea8cafa600e5d67b32e971cee90844

Download Submit
C:\Users\Admin\AppData\Roaming\vschost\vschost.exe

Filesize
112KB

MD5
eda4f5cd770ef33af5188f7a82f118de

SHA1
a31915e5298b6f101206b5abce61102abc0a48f9

SHA256
9f270d8d0579d5040eeacfdadc041404a3826d6bf6c1483a1271336a04f8f33a

SHA512
c8ec697f6911c8bae2c9e2f7dc3f5060f3391f4d2fa4d473ede4c1a368291e1c312002f11a48c99f9c95c6a62728687dacea8cafa600e5d67b32e971cee90844

Download Submit
C:\Users\Admin\AppData\Roaming\vschost\vschost.exe

Filesize
112KB

MD5
eda4f5cd770ef33af5188f7a82f118de

SHA1
a31915e5298b6f101206b5abce61102abc0a48f9

SHA256
9f270d8d0579d5040eeacfdadc041404a3826d6bf6c1483a1271336a04f8f33a

SHA512
c8ec697f6911c8bae2c9e2f7dc3f5060f3391f4d2fa4d473ede4c1a368291e1c312002f11a48c99f9c95c6a62728687dacea8cafa600e5d67b32e971cee90844

Download Submit
\Users\Admin\AppData\Roaming\vschost\vschost.exe

Filesize
112KB

MD5
eda4f5cd770ef33af5188f7a82f118de

SHA1
a31915e5298b6f101206b5abce61102abc0a48f9

SHA256
9f270d8d0579d5040eeacfdadc041404a3826d6bf6c1483a1271336a04f8f33a

SHA512
c8ec697f6911c8bae2c9e2f7dc3f5060f3391f4d2fa4d473ede4c1a368291e1c312002f11a48c99f9c95c6a62728687dacea8cafa600e5d67b32e971cee90844

Download Submit
\Users\Admin\AppData\Roaming\vschost\vschost.exe

Filesize
112KB

MD5
eda4f5cd770ef33af5188f7a82f118de

SHA1
a31915e5298b6f101206b5abce61102abc0a48f9

SHA256
9f270d8d0579d5040eeacfdadc041404a3826d6bf6c1483a1271336a04f8f33a

SHA512
c8ec697f6911c8bae2c9e2f7dc3f5060f3391f4d2fa4d473ede4c1a368291e1c312002f11a48c99f9c95c6a62728687dacea8cafa600e5d67b32e971cee90844

Download Submit
\Users\Admin\AppData\Roaming\vschost\vschost.exe

Filesize
112KB

MD5
eda4f5cd770ef33af5188f7a82f118de

SHA1
a31915e5298b6f101206b5abce61102abc0a48f9

SHA256
9f270d8d0579d5040eeacfdadc041404a3826d6bf6c1483a1271336a04f8f33a

SHA512
c8ec697f6911c8bae2c9e2f7dc3f5060f3391f4d2fa4d473ede4c1a368291e1c312002f11a48c99f9c95c6a62728687dacea8cafa600e5d67b32e971cee90844

Download Submit
\Users\Admin\AppData\Roaming\vschost\vschost.exe

Filesize
112KB

MD5
eda4f5cd770ef33af5188f7a82f118de

SHA1
a31915e5298b6f101206b5abce61102abc0a48f9

SHA256
9f270d8d0579d5040eeacfdadc041404a3826d6bf6c1483a1271336a04f8f33a

SHA512
c8ec697f6911c8bae2c9e2f7dc3f5060f3391f4d2fa4d473ede4c1a368291e1c312002f11a48c99f9c95c6a62728687dacea8cafa600e5d67b32e971cee90844

Download Submit
\Users\Admin\AppData\Roaming\vschost\vschost.exe

Filesize
112KB

MD5
eda4f5cd770ef33af5188f7a82f118de

SHA1
a31915e5298b6f101206b5abce61102abc0a48f9

SHA256
9f270d8d0579d5040eeacfdadc041404a3826d6bf6c1483a1271336a04f8f33a

SHA512
c8ec697f6911c8bae2c9e2f7dc3f5060f3391f4d2fa4d473ede4c1a368291e1c312002f11a48c99f9c95c6a62728687dacea8cafa600e5d67b32e971cee90844

Download Submit
memory/684-91-0x00000000004085D0-mapping.dmp

Download
memory/684-114-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/684-118-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/912-73-0x0000000000000000-mapping.dmp

Download
memory/1008-56-0x00000000002ED000-0x00000000002F3000-memory.dmp

Filesize
24KB

Download
memory/1032-83-0x000000000062C000-0x0000000000632000-memory.dmp

Filesize
24KB

Download
memory/1032-93-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/1032-95-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/1032-99-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/1032-79-0x0000000000000000-mapping.dmp

Download
memory/1032-97-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/1596-71-0x0000000000000000-mapping.dmp

Download
memory/1656-111-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-63-0x00000000004085D0-mapping.dmp

Download
memory/1656-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-70-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1656-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-66-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1932-105-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1932-103-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1932-102-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1932-110-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1932-113-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1932-106-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1932-108-0x00000000004058BE-mapping.dmp

Download
memory/1932-117-0x0000000073F30000-0x00000000744DB000-memory.dmp

Filesize
5.7MB

Download
memory/1932-107-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1932-119-0x0000000073F30000-0x00000000744DB000-memory.dmp

Filesize
5.7MB

Download
memory/1932-120-0x0000000073F30000-0x00000000744DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads