1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe
Size

2.3MB
MD5

a01a8da429429d02b6ebbdc6260f2b33
SHA1

02d0f2ff2813d4abebf43ac0929026b477578a04
SHA256

1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6
SHA512

7dc8d3258fcaa16f867fd653a7bf63a42d0125c0121b7e2eacbf2df8d7cb5d22cf4783e46aaddcee30738b9cf630185cff1813b3cd7fb66cd13bf00a5e385484
SSDEEP

49152:pNaF7+Nh5F27BZ+02kt134vl7RiMHu2wa3YGID6r:

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2008	svchost..exe
1160	svchost.exe
1672	svchost..exe
1020	suchost..exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe	svchost..exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe	svchost..exe

Loads dropped DLL 2 IoCs

pid	Process
2008	svchost..exe
1672	svchost..exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe
1020	suchost..exe
1020	suchost..exe
1672	svchost..exe
1672	svchost..exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	svchost..exe
Token: SeDebugPrivilege	1020	suchost..exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2008	1424	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	26
PID 1424 wrote to memory of 2008	1424	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	26
PID 1424 wrote to memory of 2008	1424	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	26
PID 1424 wrote to memory of 2008	1424	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	26
PID 1424 wrote to memory of 1160	1424	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	27
PID 1424 wrote to memory of 1160	1424	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	27
PID 1424 wrote to memory of 1160	1424	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	27
PID 1424 wrote to memory of 1160	1424	1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe	27
PID 1160 wrote to memory of 1976	1160	svchost.exe	29
PID 1160 wrote to memory of 1976	1160	svchost.exe	29
PID 1160 wrote to memory of 1976	1160	svchost.exe	29
PID 1160 wrote to memory of 1976	1160	svchost.exe	29
PID 1976 wrote to memory of 1804	1976	vbc.exe	30
PID 1976 wrote to memory of 1804	1976	vbc.exe	30
PID 1976 wrote to memory of 1804	1976	vbc.exe	30
PID 1976 wrote to memory of 1804	1976	vbc.exe	30
PID 2008 wrote to memory of 1672	2008	svchost..exe	32
PID 2008 wrote to memory of 1672	2008	svchost..exe	32
PID 2008 wrote to memory of 1672	2008	svchost..exe	32
PID 2008 wrote to memory of 1672	2008	svchost..exe	32
PID 1672 wrote to memory of 1020	1672	svchost..exe	33
PID 1672 wrote to memory of 1020	1672	svchost..exe	33
PID 1672 wrote to memory of 1020	1672	svchost..exe	33
PID 1672 wrote to memory of 1020	1672	svchost..exe	33

C:\Users\Admin\AppData\Local\Temp\1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe
"C:\Users\Admin\AppData\Local\Temp\1b551aae8e840b2f0ab92b72c7edca9250ac09c5fbc0746f28fb6dc030c13cb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\svchost..exe
  "C:\Users\Admin\AppData\Local\Temp\svchost..exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Users\Admin\Documents\suchost..exe
      "C:\Users\Admin\Documents\suchost..exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1020
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\quvx2cyq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9CE.tmp"
      4⤵
      PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3x7M6eR.resources

Filesize
837KB

MD5
0dd6ee68b5d1c95fe57f69fd71e62cf4

SHA1
9e28eac57f6e5e5a4390a1b84af4534c81ce6f09

SHA256
a5d54306c43a066d7779550e96d8a57687ee9911e97ca540cdca6af724d1e13a

SHA512
ed4cecd95cff9d6821d709628d88c1b860de8274e479803a0025dbefb5b710f9f27a9976a11c838a4f4a2351bd59e04f3ab5c2987e5fc1014b7a52a228cd73ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSNPSharp.dll

Filesize
832KB

MD5
6065f66bf5cc088e7344f13f5a63cfa4

SHA1
d23abadbe3a2fe5b102a2f889d30ae2a8da44baf

SHA256
cae1b97f3bb7e41d6f56d28b77bd36ce418f3b52503351e36d8486cfe1d509a4

SHA512
f2a555107e305975b2caa47726cfe9cf0aea3814380a7467e1eef9e89ef0d9ffbd4e36b70d6f839cdba8827aa4f7e61852c01e87f5f7c5840985217dc96acf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA9A.tmp

Filesize
1KB

MD5
738332e77baff98bb67933425f2f111e

SHA1
8562ce8ad31cf0afe454883a602325e678687157

SHA256
4d8a8c4509101a7c8409bd2cb257ecdc94a67d9eb40ebb4fb23f949785a327b2

SHA512
ec8bbb35541193587f021494abfc0b33283f0aeb08b7f70f1de8c24a2c48e3d203430dc4869edcd942e35e39fa5277c3424b3933368fe99eae58ada7a737cc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\quvx2cyq.0.vb

Filesize
106KB

MD5
357a7e67ebd4ca83e355590f9b6f12a8

SHA1
97db351c6abf4ee74a0c462e784fd2ef30f5fd73

SHA256
6f88e4810e2f8794a08956ef45765221eb2969c32e1f40707d3c2133b119c873

SHA512
3facc2cababb2cf329399dca589f7871621e7bca6b9fd012389d90b13eed35cfcf57e8a12347e9b4b5d7c2c2cd4a9ddffcb0f498b3e88f25e3aabd8f9bb3f9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\quvx2cyq.cmdline

Filesize
380B

MD5
c81b4719b815903e7ed0a544e814aa66

SHA1
f715882716ea96d9e0e44285dc467635995ff1a6

SHA256
5a6cd8c4abce1835ecd410a217e257f47643fe74f4d942afff8279565156102b

SHA512
13c30d26747506f94e09dece736cb9a8c92c197026ca14a1faaf5fcb180456abc6a3b3cba280f27f2a82f06728787d87f6b10b447b0929f0d79eaf3de20e5a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\quvx2cyq.exe

Filesize
916KB

MD5
bef9952f35f8c76fcf07c619cfe3132e

SHA1
9ef3568bf971b7864c9249e483d5ee6647b3685d

SHA256
24f2b234ec4f5f560633d7ed5bf46fbf83ae15fc616a453b520f925c336a82be

SHA512
a961f6aecc2048ae394d046ae78641779abe082166217626f9742654b63f411d96dfb073ba789fea358a5552d3e77099623456996d568b453db3e4d84df81a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.2MB

MD5
835d009faa18e1f3a3b40ab09b26b615

SHA1
8ab0e5842ea99cd5204cdf277f0720fc6dd73c5b

SHA256
4e01af55f2cb3fd6e792e040a697624ee55261a1ca81859d1e3d0e1284834160

SHA512
941a8a687d2e9d6c07e99d7d3c2667dc5dda1ca49bbe8d288fa4dc1595cc5bd78ccb51a4e1c20b8b7e6dc0e1ab42d7c79fe883a44b3be1c0ed7bc030a029d651

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.2MB

MD5
835d009faa18e1f3a3b40ab09b26b615

SHA1
8ab0e5842ea99cd5204cdf277f0720fc6dd73c5b

SHA256
4e01af55f2cb3fd6e792e040a697624ee55261a1ca81859d1e3d0e1284834160

SHA512
941a8a687d2e9d6c07e99d7d3c2667dc5dda1ca49bbe8d288fa4dc1595cc5bd78ccb51a4e1c20b8b7e6dc0e1ab42d7c79fe883a44b3be1c0ed7bc030a029d651

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB9CE.tmp

Filesize
652B

MD5
9e15982fbf16b7683855dc9d766ce5f3

SHA1
9737ff90bdc7ca8b5e37a0bcf05cabcecd96a735

SHA256
e06630225b1c9fc7a59e1d69bfa055d203e87a70d2c7998d6e963129875e3e96

SHA512
bfd64f906bddf532540f9b810054b985afa22ab063e0dda7d91723bc8d7dd62d4865fdb6e407d16aba11c3d490504b4b0214f2b81891186a237ca2f71410defd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\Documents\suchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
C:\Users\Admin\Documents\suchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
\Users\Admin\Documents\suchost..exe

Filesize
103KB

MD5
71ef67499b2c1ce1a8d060b46107921c

SHA1
0f1aef9ce291a4fb389cdcbb809b66c7f7598ba7

SHA256
76c45b7db4a17612c6c3f82b52cf49ead8cc425f4518cf141449b64fa84688d9

SHA512
d0d2aaf22e4a6cd4dacfb53cfaaf2927de2a67e2a56be461b82fe02583a5f36a761f7a51805cb62fc3100e7980136eaf7ccbeaaa4a15427adf97625771d870f8

Download Submit
memory/1020-92-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1020-88-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1020-95-0x0000000000DD5000-0x0000000000DE6000-memory.dmp

Filesize
68KB

Download
memory/1020-91-0x0000000000DD5000-0x0000000000DE6000-memory.dmp

Filesize
68KB

Download
memory/1160-74-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-61-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1160-63-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1424-54-0x000007FEF3990000-0x000007FEF43B3000-memory.dmp

Filesize
10.1MB

Download
memory/1672-94-0x00000000000F0000-0x0000000000130000-memory.dmp

Filesize
256KB

Download
memory/1672-93-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-89-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-90-0x00000000000F0000-0x0000000000130000-memory.dmp

Filesize
256KB

Download
memory/2008-75-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-82-0x0000000000C35000-0x0000000000C46000-memory.dmp

Filesize
68KB

Download
memory/2008-81-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-64-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download