aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe
Size

1.4MB
MD5

69d5851d2ce6da5331d2f1d0214f45e0
SHA1

f3d6b929c5ef7bc9efea76a560a7feb2d6fb7a04
SHA256

aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457
SHA512

594c3a7d4a78e6acd9da4efbbf80da85f06e6ab54edcef8019087769a8e337ecf41e844dbc902992f1bc44e4e920056769abe478701fb8acbc4fe276651c2b63
SSDEEP

24576:s2O/Gl/4zU+psJZBYd3rhlIfJybHbRSln/b8q1+57gh8/pIHtn:4gNmd3rhX7RA/d18W8/p8x

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
984	mvs.exe
1688	mvs.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/644-87-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/644-91-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/644-96-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/644-99-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/644-105-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/644-107-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/644-109-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/644-108-0x0000000001610000-0x000000000171E000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe
2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe
2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe
2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe
984	mvs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	mvs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateyjty = "C:\\Users\\Admin\\AppData\\Roaming\\njc\\mvs.exe C:\\Users\\Admin\\AppData\\Roaming\\njc\\kqv-ssd"	mvs.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 1992	1688	mvs.exe	33
PID 1688 set thread context of 2004	1688	mvs.exe	34
PID 1992 set thread context of 644	1992	RegSvcs.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
984	mvs.exe
644	RegSvcs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	RegSvcs.exe
644	RegSvcs.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 984	2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe	27
PID 2028 wrote to memory of 984	2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe	27
PID 2028 wrote to memory of 984	2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe	27
PID 2028 wrote to memory of 984	2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe	27
PID 2028 wrote to memory of 984	2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe	27
PID 2028 wrote to memory of 984	2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe	27
PID 2028 wrote to memory of 984	2028	aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe	27
PID 984 wrote to memory of 1688	984	mvs.exe	28
PID 984 wrote to memory of 1688	984	mvs.exe	28
PID 984 wrote to memory of 1688	984	mvs.exe	28
PID 984 wrote to memory of 1688	984	mvs.exe	28
PID 984 wrote to memory of 1688	984	mvs.exe	28
PID 984 wrote to memory of 1688	984	mvs.exe	28
PID 984 wrote to memory of 1688	984	mvs.exe	28
PID 1688 wrote to memory of 2036	1688	mvs.exe	31
PID 1688 wrote to memory of 2036	1688	mvs.exe	31
PID 1688 wrote to memory of 2036	1688	mvs.exe	31
PID 1688 wrote to memory of 2036	1688	mvs.exe	31
PID 1688 wrote to memory of 2036	1688	mvs.exe	31
PID 1688 wrote to memory of 2036	1688	mvs.exe	31
PID 1688 wrote to memory of 2036	1688	mvs.exe	31
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 1992	1688	mvs.exe	33
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1688 wrote to memory of 2004	1688	mvs.exe	34
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35
PID 1992 wrote to memory of 644	1992	RegSvcs.exe	35

C:\Users\Admin\AppData\Local\Temp\aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe
"C:\Users\Admin\AppData\Local\Temp\aaf4df4e8f98817f05819e0d80ba2c52225624fe8af23be6b88563f0d55b6457.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\njc\mvs.exe
  "C:\Users\Admin\AppData\Roaming\njc\mvs.exe" kqv-ssd
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\AppData\Roaming\njc\mvs.exe
    C:\Users\Admin\AppData\Roaming\njc\mvs.exe C:\Users\Admin\AppData\Roaming\njc\MAQZZ
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C Start C:\Users\Admin\AppData\Local\Temp\J4v4upd4t352017s.exe
      4⤵
      PID:2036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:644
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat

Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo

Filesize
3KB

MD5
5da5f797e19da65017db699019c7c4e6

SHA1
61e6ac756c58e361325a9d1ecc306cfd70a7e477

SHA256
f7dbb6b03e18c8ea542f56b689540561a56438083ba93a0dfaf13a5217ce432c

SHA512
570f47fe0028ba1b53b764beb7716a1596d7a7085c5b232ae3ec4c0bfa535ca0c9e4372b5254aeefd11ed9b73dc0f8919835e3c4ade9b0662ed942171cda930b

Download Submit
C:\Users\Admin\AppData\Roaming\njc\MAQZZ

Filesize
94KB

MD5
1e6a975c487fb5f2cb1c2f1ddc185c7c

SHA1
3108c094fb3649a30a59e786ce3196e976550b1a

SHA256
a251ac17bd759e6a58aea617efeacb32b6f2882f93c38e437e422b6e44524835

SHA512
b9fc50823337d0421fbc373012b8173ecac5713c5250fb11f7d8f3cceb38fb9e0bebcd140b6f64b26a680338e720ee4d05d1379f0d3d089c99b7bb78ae814cf2

Download Submit
C:\Users\Admin\AppData\Roaming\njc\dbg.bmp

Filesize
1.0MB

MD5
f9061a74cc96a7ce0d8aaa9cb51a3aa4

SHA1
795a6a4f6ce95c83dcbefdf92d3f886c4ca2c7b0

SHA256
8578ece6182608014eff366fab2965d62a86b0af029ffbe747997b8c3d648ea9

SHA512
ee483cc29e931e1454434f40fc055af12fae664bdc68fb69e1e368da9d73f8f5bf91ffffd08346cc48b2a43a6d3b3748ae0aa3681acb84ba0cb22c41fc5c8d13

Download Submit
C:\Users\Admin\AppData\Roaming\njc\kqv-ssd

Filesize
396KB

MD5
c4d08f3e58626037c82a0491396d1f97

SHA1
81493813273eb8d685dacbc89bd7537eed126d38

SHA256
32ec61ff5b2e0843cf74ce9aa9ef0ab135517f892c6f6d883f0efe803d1bcaec

SHA512
240adc0d38b053676a94f7e91f87274f4c846ecb94fa13663ab46b23af465a758ba0ad838c6695782e600166395ce7cea366d8335d8a2ee18894179e330dc917

Download Submit
C:\Users\Admin\AppData\Roaming\njc\mvs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\njc\mvs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\njc\mvs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\njc\mvs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\njc\mvs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\njc\mvs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\njc\mvs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\njc\mvs.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/644-114-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/644-86-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/644-111-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/644-113-0x0000000001611000-0x00000000016C4000-memory.dmp

Filesize
716KB

Download
memory/644-96-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/644-91-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/644-108-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/644-109-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/644-107-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/644-105-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/644-99-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/644-87-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1992-80-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/1992-103-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/1992-83-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/1992-82-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/1992-78-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/1992-76-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/1992-74-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/1992-72-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download