f47fae36937dabb1c97098581deb76302b10f5abdf77971626813dd158af341c

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pago.exe
Size

1.3MB
MD5

ce7d806c0c013d7a322071cb5e9d3ab7
SHA1

becd8d9257efa5df71f3a49edb5ea07da0511755
SHA256

f47fae36937dabb1c97098581deb76302b10f5abdf77971626813dd158af341c
SHA512

c84c4c99cf9b986c06208ea6a283f5de67dd38f65d1344b9b7d03ce1ea19f03aa67c8467e0e454febc7532b4e82ccf908c73c740f2f54eb32cf13cddf14544ec
SSDEEP

24576:rGHCm8uPdJAg804Aa24gOYtHzl0GXtiHpH1uYIq3U/l5MHTU:quWpZt51oJklCzU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

xvxfd.sfx.exexvxfd.exexvxfd.exe

pid process

1112 xvxfd.sfx.exe
2020 xvxfd.exe
1500 xvxfd.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exexvxfd.sfx.exe

pid process

680 cmd.exe
1112 xvxfd.sfx.exe
1112 xvxfd.sfx.exe
1112 xvxfd.sfx.exe
1112 xvxfd.sfx.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xvxfd.exe

description pid process target process

PID 2020 set thread context of 1500 2020 xvxfd.exe xvxfd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xvxfd.exe

description pid process

Token: SeDebugPrivilege 2020 xvxfd.exe

pid	process
1112	xvxfd.sfx.exe
2020	xvxfd.exe
1500	xvxfd.exe

pid	process
680	cmd.exe
1112	xvxfd.sfx.exe
1112	xvxfd.sfx.exe
1112	xvxfd.sfx.exe
1112	xvxfd.sfx.exe

description	pid	process	target process
PID 2020 set thread context of 1500	2020	xvxfd.exe	xvxfd.exe

description	pid	process
Token: SeDebugPrivilege	2020	xvxfd.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Pago.execmd.exexvxfd.sfx.exexvxfd.exe

description	pid	process	target process
PID 2012 wrote to memory of 680	2012	Pago.exe	cmd.exe
PID 2012 wrote to memory of 680	2012	Pago.exe	cmd.exe
PID 2012 wrote to memory of 680	2012	Pago.exe	cmd.exe
PID 2012 wrote to memory of 680	2012	Pago.exe	cmd.exe
PID 680 wrote to memory of 1112	680	cmd.exe	xvxfd.sfx.exe
PID 680 wrote to memory of 1112	680	cmd.exe	xvxfd.sfx.exe
PID 680 wrote to memory of 1112	680	cmd.exe	xvxfd.sfx.exe
PID 680 wrote to memory of 1112	680	cmd.exe	xvxfd.sfx.exe
PID 1112 wrote to memory of 2020	1112	xvxfd.sfx.exe	xvxfd.exe
PID 1112 wrote to memory of 2020	1112	xvxfd.sfx.exe	xvxfd.exe
PID 1112 wrote to memory of 2020	1112	xvxfd.sfx.exe	xvxfd.exe
PID 1112 wrote to memory of 2020	1112	xvxfd.sfx.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe
PID 2020 wrote to memory of 1500	2020	xvxfd.exe	xvxfd.exe

C:\Users\Admin\AppData\Local\Temp\Pago.exe
"C:\Users\Admin\AppData\Local\Temp\Pago.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\xvxfd.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Roaming\xvxfd.sfx.exe
xvxfd.sfx.exe -pgdpodHghkffiqewhkenfukjvcfjmvzgdbwvhlnbmcgjSKrgqdkfWEgunyngfionJjgbghjfmfhncknnsRumcjuzycGfhfjmfgjkfbracncgvoGgcjfimaabihqmkjkf -dC:\Users\Admin\AppData\Roaming
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Roaming\xvxfd.exe
"C:\Users\Admin\AppData\Roaming\xvxfd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Roaming\xvxfd.exe
C:\Users\Admin\AppData\Roaming\xvxfd.exe
5⤵
- Executes dropped EXE
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xvxfd.bat

Filesize
155B

MD5
48cc12502ba67cc623b77406fe8b4d3f

SHA1
64eb6494433226399f0bff9f21971d054adc93b2

SHA256
d5df28c2161494f02dcb9e672927c74aa66f2c390668000f0cbc65fa2307e8d2

SHA512
0da2192987fee8ae2c5d694c8768574728f10a3e2380c531f5ba4493e9dede2dad243d55c3fa32400b49e42d7c1189ebfa7c77225697c6f37a1d927e5096442c

Download Submit
C:\Users\Admin\AppData\Roaming\xvxfd.exe

Filesize
1.1MB

MD5
237faeb4da1c41cbce2ed05373fb0a99

SHA1
d013d2c627cae478c8b3c8c0b866ce9a4ff3f29b

SHA256
06a4b87db460ec80e2585b05d07c9ca022a8a50621f6f48f81776b8d634cbc86

SHA512
0aa021103959ca48cd1226f5f0925adde886087c263de74efca00c56eb0c73be68b19ea5705bccbc11bd8e807a9f10a649575dfd8d3ebe694c0c66db8404c100

Download Submit
C:\Users\Admin\AppData\Roaming\xvxfd.exe

Filesize
1.1MB

MD5
237faeb4da1c41cbce2ed05373fb0a99

SHA1
d013d2c627cae478c8b3c8c0b866ce9a4ff3f29b

SHA256
06a4b87db460ec80e2585b05d07c9ca022a8a50621f6f48f81776b8d634cbc86

SHA512
0aa021103959ca48cd1226f5f0925adde886087c263de74efca00c56eb0c73be68b19ea5705bccbc11bd8e807a9f10a649575dfd8d3ebe694c0c66db8404c100

Download Submit
C:\Users\Admin\AppData\Roaming\xvxfd.exe

Filesize
1.1MB

MD5
237faeb4da1c41cbce2ed05373fb0a99

SHA1
d013d2c627cae478c8b3c8c0b866ce9a4ff3f29b

SHA256
06a4b87db460ec80e2585b05d07c9ca022a8a50621f6f48f81776b8d634cbc86

SHA512
0aa021103959ca48cd1226f5f0925adde886087c263de74efca00c56eb0c73be68b19ea5705bccbc11bd8e807a9f10a649575dfd8d3ebe694c0c66db8404c100

Download Submit
C:\Users\Admin\AppData\Roaming\xvxfd.sfx.exe

Filesize
1.1MB

MD5
b574bd5cba33268ebe659b2c5ecebcd0

SHA1
404bd0181b06f2959d30147ade6282c3fde0b2e8

SHA256
0a959900f85b4ce16162922803176e9a587931ab36347f2217a5e542c2578191

SHA512
a96e283e6ad4aae467e3c95337173246dbf3878c098a83981c4fd384f99bb6d2ee040f0af34081222f22947e9e29943eff48d850a63f3030aee1dcfead16ab6e

Download Submit
C:\Users\Admin\AppData\Roaming\xvxfd.sfx.exe

Filesize
1.1MB

MD5
b574bd5cba33268ebe659b2c5ecebcd0

SHA1
404bd0181b06f2959d30147ade6282c3fde0b2e8

SHA256
0a959900f85b4ce16162922803176e9a587931ab36347f2217a5e542c2578191

SHA512
a96e283e6ad4aae467e3c95337173246dbf3878c098a83981c4fd384f99bb6d2ee040f0af34081222f22947e9e29943eff48d850a63f3030aee1dcfead16ab6e

Download Submit
\Users\Admin\AppData\Roaming\xvxfd.exe

Filesize
1.1MB

MD5
237faeb4da1c41cbce2ed05373fb0a99

SHA1
d013d2c627cae478c8b3c8c0b866ce9a4ff3f29b

SHA256
06a4b87db460ec80e2585b05d07c9ca022a8a50621f6f48f81776b8d634cbc86

SHA512
0aa021103959ca48cd1226f5f0925adde886087c263de74efca00c56eb0c73be68b19ea5705bccbc11bd8e807a9f10a649575dfd8d3ebe694c0c66db8404c100

Download Submit
\Users\Admin\AppData\Roaming\xvxfd.exe

Filesize
1.1MB

MD5
237faeb4da1c41cbce2ed05373fb0a99

SHA1
d013d2c627cae478c8b3c8c0b866ce9a4ff3f29b

SHA256
06a4b87db460ec80e2585b05d07c9ca022a8a50621f6f48f81776b8d634cbc86

SHA512
0aa021103959ca48cd1226f5f0925adde886087c263de74efca00c56eb0c73be68b19ea5705bccbc11bd8e807a9f10a649575dfd8d3ebe694c0c66db8404c100

Download Submit
\Users\Admin\AppData\Roaming\xvxfd.exe

Filesize
1.1MB

MD5
237faeb4da1c41cbce2ed05373fb0a99

SHA1
d013d2c627cae478c8b3c8c0b866ce9a4ff3f29b

SHA256
06a4b87db460ec80e2585b05d07c9ca022a8a50621f6f48f81776b8d634cbc86

SHA512
0aa021103959ca48cd1226f5f0925adde886087c263de74efca00c56eb0c73be68b19ea5705bccbc11bd8e807a9f10a649575dfd8d3ebe694c0c66db8404c100

Download Submit
\Users\Admin\AppData\Roaming\xvxfd.exe

Filesize
1.1MB

MD5
237faeb4da1c41cbce2ed05373fb0a99

SHA1
d013d2c627cae478c8b3c8c0b866ce9a4ff3f29b

SHA256
06a4b87db460ec80e2585b05d07c9ca022a8a50621f6f48f81776b8d634cbc86

SHA512
0aa021103959ca48cd1226f5f0925adde886087c263de74efca00c56eb0c73be68b19ea5705bccbc11bd8e807a9f10a649575dfd8d3ebe694c0c66db8404c100

Download Submit
\Users\Admin\AppData\Roaming\xvxfd.sfx.exe

Filesize
1.1MB

MD5
b574bd5cba33268ebe659b2c5ecebcd0

SHA1
404bd0181b06f2959d30147ade6282c3fde0b2e8

SHA256
0a959900f85b4ce16162922803176e9a587931ab36347f2217a5e542c2578191

SHA512
a96e283e6ad4aae467e3c95337173246dbf3878c098a83981c4fd384f99bb6d2ee040f0af34081222f22947e9e29943eff48d850a63f3030aee1dcfead16ab6e

Download Submit
memory/680-55-0x0000000000000000-mapping.dmp

Download
memory/1112-59-0x0000000000000000-mapping.dmp

Download
memory/1500-72-0x00000000004581BE-mapping.dmp

Download
memory/2012-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/2020-66-0x0000000000000000-mapping.dmp

Download
memory/2020-69-0x0000000000D70000-0x0000000000E8E000-memory.dmp

Filesize
1.1MB

Download
memory/2020-70-0x0000000007250000-0x000000000738C000-memory.dmp

Filesize
1.2MB

Download