0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
Size

212KB
MD5

0cdd1e423313376c9bf60e364716bfb0
SHA1

abf926def7f9d2bd6586c42f6110a06410b56dac
SHA256

0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7
SHA512

8575ab627212634f017ac6508f38e24a3ba8079e97c0f76e0b5675eba9c6947f2828228d26f5a9214be4e92be9ed2dadb9ecb51704b4827f14c9b3469bc7ffdf
SSDEEP

6144:dO2OG4GkabKnvmb7/D26s7olvW47imsG7CgHE9roWkw8e5SG:dOvP5abKnvmb7/D26l7jsGegHECRPG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	sccow.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe

Executes dropped EXE 1 IoCs

pid	Process
1696	sccow.exe

Loads dropped DLL 2 IoCs

pid	Process
1808	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
1808	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /F"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /w"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /V"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /s"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /u"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /y"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /M"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /A"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /Y"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /o"	sccow.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /Q"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /T"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /Z"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /e"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /v"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /R"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /B"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /N"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /K"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /b"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /t"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /q"	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /l"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /x"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /r"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /E"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /J"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /G"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /g"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /q"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /S"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /n"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /X"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /k"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /H"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /z"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /d"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /I"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /C"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /i"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /U"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /D"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /a"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /P"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /h"	sccow.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /p"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /j"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /f"	sccow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sccow = "C:\\Users\\Admin\\sccow.exe /L"	sccow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe
1696	sccow.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
1696	sccow.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1696	1808	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe	27
PID 1808 wrote to memory of 1696	1808	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe	27
PID 1808 wrote to memory of 1696	1808	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe	27
PID 1808 wrote to memory of 1696	1808	0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe	27

C:\Users\Admin\AppData\Local\Temp\0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
"C:\Users\Admin\AppData\Local\Temp\0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\sccow.exe
  "C:\Users\Admin\sccow.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sccow.exe

Filesize
212KB

MD5
13cc3289e2597f5f5d79db6b87bc2471

SHA1
31333fa96d356744724130d62040493a3a4c87f8

SHA256
a5c33f02dd50810e38a65094f471a765c312ef0cf0fa77a04ceaeff79b6134d2

SHA512
1c0e8ff6c2617a084f810fd4caac72e2057e76306db52f253818ea7419a8f8d92f17bcd734747ee37c1e3509c56bf59894b35abf308307d86c045883b7fdbf1e

Download Submit
C:\Users\Admin\sccow.exe

Filesize
212KB

MD5
13cc3289e2597f5f5d79db6b87bc2471

SHA1
31333fa96d356744724130d62040493a3a4c87f8

SHA256
a5c33f02dd50810e38a65094f471a765c312ef0cf0fa77a04ceaeff79b6134d2

SHA512
1c0e8ff6c2617a084f810fd4caac72e2057e76306db52f253818ea7419a8f8d92f17bcd734747ee37c1e3509c56bf59894b35abf308307d86c045883b7fdbf1e

Download Submit
\Users\Admin\sccow.exe

Filesize
212KB

MD5
13cc3289e2597f5f5d79db6b87bc2471

SHA1
31333fa96d356744724130d62040493a3a4c87f8

SHA256
a5c33f02dd50810e38a65094f471a765c312ef0cf0fa77a04ceaeff79b6134d2

SHA512
1c0e8ff6c2617a084f810fd4caac72e2057e76306db52f253818ea7419a8f8d92f17bcd734747ee37c1e3509c56bf59894b35abf308307d86c045883b7fdbf1e

Download Submit
\Users\Admin\sccow.exe

Filesize
212KB

MD5
13cc3289e2597f5f5d79db6b87bc2471

SHA1
31333fa96d356744724130d62040493a3a4c87f8

SHA256
a5c33f02dd50810e38a65094f471a765c312ef0cf0fa77a04ceaeff79b6134d2

SHA512
1c0e8ff6c2617a084f810fd4caac72e2057e76306db52f253818ea7419a8f8d92f17bcd734747ee37c1e3509c56bf59894b35abf308307d86c045883b7fdbf1e

Download Submit
memory/1808-56-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download