edf36af2b6f1dba4d4e57f4ce2fbb67693cfb81bd823a9d306f802cf0ea6d084

Analysis

max time kernel
69s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

214KB
MD5

17b08e8e7e92a243d7dc68a2f27dfb73
SHA1

adc73d06e4cfaa2548914c0d44a63bcd26f219ad
SHA256

edf36af2b6f1dba4d4e57f4ce2fbb67693cfb81bd823a9d306f802cf0ea6d084
SHA512

b8a869695d2fcad6aab507815dde500759256af1d1f5df0cefe5a8ab5b1e07fb27481954cb18faa8f7c1e86f20d86332b45f04be5cf6eeaa814a2e758acc7bda
SSDEEP

3072:ctjLKxbA3zrIL701RCawZowcNlnBflHXFo+jIIH8/SkP8yDG:ctjWxbczG4XMoxnBLFIj/my6

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	3392	WScript.exe
12	3392	WScript.exe
14	3392	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Blocker.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel(R) = "C:\\Users\\Admin\\AppData\\Roaming\\svscrypte.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel(R) = "C:\\Users\\Admin\\AppData\\Roaming\\svscrypte.vbs"	reg.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4180	sc.exe
4056	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	Trojan-Ransom.Win32.Blocker.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1940	reg.exe
672	reg.exe
2400	reg.exe
2804	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 3188	1724	Trojan-Ransom.Win32.Blocker.exe	82
PID 1724 wrote to memory of 3188	1724	Trojan-Ransom.Win32.Blocker.exe	82
PID 1724 wrote to memory of 3188	1724	Trojan-Ransom.Win32.Blocker.exe	82
PID 3188 wrote to memory of 1940	3188	cmd.exe	85
PID 3188 wrote to memory of 1940	3188	cmd.exe	85
PID 3188 wrote to memory of 1940	3188	cmd.exe	85
PID 3188 wrote to memory of 672	3188	cmd.exe	86
PID 3188 wrote to memory of 672	3188	cmd.exe	86
PID 3188 wrote to memory of 672	3188	cmd.exe	86
PID 3188 wrote to memory of 2400	3188	cmd.exe	87
PID 3188 wrote to memory of 2400	3188	cmd.exe	87
PID 3188 wrote to memory of 2400	3188	cmd.exe	87
PID 3188 wrote to memory of 2804	3188	cmd.exe	88
PID 3188 wrote to memory of 2804	3188	cmd.exe	88
PID 3188 wrote to memory of 2804	3188	cmd.exe	88
PID 3188 wrote to memory of 796	3188	cmd.exe	89
PID 3188 wrote to memory of 796	3188	cmd.exe	89
PID 3188 wrote to memory of 796	3188	cmd.exe	89
PID 3188 wrote to memory of 4180	3188	cmd.exe	90
PID 3188 wrote to memory of 4180	3188	cmd.exe	90
PID 3188 wrote to memory of 4180	3188	cmd.exe	90
PID 3188 wrote to memory of 4056	3188	cmd.exe	91
PID 3188 wrote to memory of 4056	3188	cmd.exe	91
PID 3188 wrote to memory of 4056	3188	cmd.exe	91
PID 3188 wrote to memory of 4552	3188	cmd.exe	92
PID 3188 wrote to memory of 4552	3188	cmd.exe	92
PID 3188 wrote to memory of 4552	3188	cmd.exe	92
PID 4552 wrote to memory of 3180	4552	net.exe	93
PID 4552 wrote to memory of 3180	4552	net.exe	93
PID 4552 wrote to memory of 3180	4552	net.exe	93
PID 1724 wrote to memory of 3392	1724	Trojan-Ransom.Win32.Blocker.exe	94
PID 1724 wrote to memory of 3392	1724	Trojan-Ransom.Win32.Blocker.exe	94
PID 1724 wrote to memory of 3392	1724	Trojan-Ransom.Win32.Blocker.exe	94

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\svscrypte.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svscrypte.vbs" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1940
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svscrypte.vbs" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policiees\Explorer\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svscrypte.vbs" /f
    3⤵
    - Modifies registry key
    PID:2400
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policiees\Explorer\Run /v Intel(R) /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svscrypte.vbs" /f
    3⤵
    - Modifies registry key
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:796
- - C:\Windows\SysWOW64\sc.exe
    sc config srservice start= disabled
    3⤵
    - Launches sc.exe
    PID:4180
- - C:\Windows\SysWOW64\sc.exe
    sc config srservice start= Auto
    3⤵
    - Launches sc.exe
    PID:4056
- - C:\Windows\SysWOW64\net.exe
    net stop srservice
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop srservice
      4⤵
      PID:3180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\svscrypte.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:3392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svscrypte.bat

Filesize
1KB

MD5
25b68c107acc1a507d81e0ffc53a60c5

SHA1
79cf6f1a2e0175dc2a84f55c02b03958dd2ba074

SHA256
51cde711442e057adf08e60554e4e1db99dae431216f772e61a3fc544d9ed2fd

SHA512
d312295b41cc0fb53f9281c8afea49fa9eb9e2c7bc1075a679626cf6e343b6d306523a2a1d8473b7e89601aea1faf5ba5ca035cacd4ae7310044c4fa916610ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svscrypte.vbs

Filesize
31KB

MD5
56f6087b9e1f7b00737d9a2ce88f2a30

SHA1
1c5d05fa5e63abfa54161909eff2b44d6ba0f87b

SHA256
dafa1695d053b53f4a74b34fde6441094c8775d61d67a2b72eb7267685846343

SHA512
90af78fbe2822cc17077d4fd9c8a6be509db33801a613dd0b56a07b182073e7edf28c692a86258bf59dd1d979e6d930c68784bd47e47068c95ac1978029e1730

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads