da943991512f6011b07e4779818ae4ab8506a6a736f3171e73564795e52618b5

Analysis

max time kernel
145s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe
Size

246KB
MD5

00b5d45433391146ce98cd70a91bef08
SHA1

7649c554e87f6ea21ba86bb26ea39521d5d18151
SHA256

2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f
SHA512

47019e58c729e2090eb842ebc60f610a3a797e4275baf37f7b2b35ca2c61322658f2537cc28d0c524701881984382b14b0c8a337e414cffad7099efaed9b76f1
SSDEEP

6144:ExQk9lATVXXbWV6aozMB/QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ+:99r4+M8mRyAxqRwu0SExjA6JvsheijLx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MSPavilion.exe

pid process

1752 MSPavilion.exe
Loads dropped DLL 1 IoCs

Processes:

2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe

pid process

1280 2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe

pid	process
1752	MSPavilion.exe

pid	process
1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSPavilion = "C:\\Users\\Admin\\AppData\\Roaming\\Pavilion\\MSPavilion.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exeMSPavilion.execsc.exe

description	pid	process	target process
PID 1280 wrote to memory of 1892	1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	reg.exe
PID 1280 wrote to memory of 1892	1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	reg.exe
PID 1280 wrote to memory of 1892	1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	reg.exe
PID 1280 wrote to memory of 1892	1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	reg.exe
PID 1280 wrote to memory of 1752	1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	MSPavilion.exe
PID 1280 wrote to memory of 1752	1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	MSPavilion.exe
PID 1280 wrote to memory of 1752	1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	MSPavilion.exe
PID 1280 wrote to memory of 1752	1280	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	MSPavilion.exe
PID 1752 wrote to memory of 1000	1752	MSPavilion.exe	csc.exe
PID 1752 wrote to memory of 1000	1752	MSPavilion.exe	csc.exe
PID 1752 wrote to memory of 1000	1752	MSPavilion.exe	csc.exe
PID 1752 wrote to memory of 1000	1752	MSPavilion.exe	csc.exe
PID 1000 wrote to memory of 1288	1000	csc.exe	cvtres.exe
PID 1000 wrote to memory of 1288	1000	csc.exe	cvtres.exe
PID 1000 wrote to memory of 1288	1000	csc.exe	cvtres.exe
PID 1000 wrote to memory of 1288	1000	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe
"C:\Users\Admin\AppData\Local\Temp\2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\reg.exe
"reg.exe" import C:\Users\Admin\AppData\Local\Temp\tmpF3D2.reg
2⤵
- Adds Run key to start application
PID:1892

C:\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe
"C:\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5zas4sr.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33DE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC33CE.tmp"
4⤵
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES33DE.tmp

Filesize
1KB

MD5
3ad996eb568251a49a6a4fd004bd6c2f

SHA1
663fbf6cfea49e8b31849e1c1057c9b6dfbeb59e

SHA256
69d197ae3868fec0af25eaf86d290cb29d66c1ecb60a94f02ed293f17808410b

SHA512
ca4da88f0e5d65a705c99376712ac8cd3a36a7aef5a7be177495b1a8e21b7b1870da0efbe4216078798df94ee44b6e1a18999db6f91dd68d2ccf3b29271b2985

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5zas4sr.dll

Filesize
244KB

MD5
20b5269b5967f05d3b5e40a89ca89920

SHA1
b61c78e398dc5bc038df8b1432741df8fa841054

SHA256
9e80e152d0432f1326d617d218c35238c2b6be6cded57d81af05c3ce77961b22

SHA512
e39ad1c3ce8cb00d20d43cf146117e7c5ced60dc88661da992dc576210c93786afd8116179ee7cff757facd50b4bb53515f58e6f66f9164e49a70442fa4af161

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3D2.reg

Filesize
182B

MD5
747d7f6e57d777bca0ffc1ee939c2b6f

SHA1
40d26cf07a3c3be8403f0dbadb46bf072d009b04

SHA256
6bf0fda6b6693e83198f4e32b1f976b8147921abf359d7c7eeb773448365048b

SHA512
f450df659169058e35f31910d4aab7cdd88a47384cf9ef6b7f2b3ded6cf45aecbf561ba5410d433f31922c0690d60b850084c96030cd1515d58f38c506fd9ef2

Download Submit
C:\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe

Filesize
246KB

MD5
00b5d45433391146ce98cd70a91bef08

SHA1
7649c554e87f6ea21ba86bb26ea39521d5d18151

SHA256
2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f

SHA512
47019e58c729e2090eb842ebc60f610a3a797e4275baf37f7b2b35ca2c61322658f2537cc28d0c524701881984382b14b0c8a337e414cffad7099efaed9b76f1

Download Submit
C:\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe

Filesize
246KB

MD5
00b5d45433391146ce98cd70a91bef08

SHA1
7649c554e87f6ea21ba86bb26ea39521d5d18151

SHA256
2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f

SHA512
47019e58c729e2090eb842ebc60f610a3a797e4275baf37f7b2b35ca2c61322658f2537cc28d0c524701881984382b14b0c8a337e414cffad7099efaed9b76f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC33CE.tmp

Filesize
652B

MD5
273bbd9fd028cfc074e0f244a12c3c92

SHA1
24d8d4f5b079d58948d35bddc4ee3f8a8b766464

SHA256
80b994820a988ba88a39463640a9dcdef7421f50f234868c9863d74ea4ee3c26

SHA512
a603494cc207dabbba8c29f87a0ebd265fea2ba0575d3d40fbd24ce0f1719684134dd68f20390c066c6047ad60f0aac0507e942a06476a8b07252ba9f1c3de3d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5zas4sr.0.cs

Filesize
633KB

MD5
3eb8f5507314f5c9fd5a30b525eda96e

SHA1
10c45a73c5dbb8891058981072f94416fcbb19ff

SHA256
1020932902fbdfba1121650fbf2f0e015e3bb3a8cbf4181c2d0f09dd0f15a465

SHA512
7ad355b8bed45be882b034dc366c2753730f886d8731ac0d2c2a0e8894e0a53df985f0e0955027d2ceb5d0dc927f9adedbefacfa954889099ceb291ac091e518

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5zas4sr.cmdline

Filesize
589B

MD5
76644433dc52480fd2c30c914c1eed9f

SHA1
8bb56055850e212b6a82e5563b69fcd34f43e8dd

SHA256
02e1c84826fd941ccd6b49c9fa9ef377aaa5e77cbbfe69d3f4c5b85adce610ff

SHA512
923c936d08706329f646ce85c0e86927830adfa73b488928b4cebbcd05ee2637831bf0c74088766aed6a10ef5f796ea03bfae11bd7e83cb0e21aea051eae9d53

Download Submit
\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe

Filesize
246KB

MD5
00b5d45433391146ce98cd70a91bef08

SHA1
7649c554e87f6ea21ba86bb26ea39521d5d18151

SHA256
2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f

SHA512
47019e58c729e2090eb842ebc60f610a3a797e4275baf37f7b2b35ca2c61322658f2537cc28d0c524701881984382b14b0c8a337e414cffad7099efaed9b76f1

Download Submit
memory/1000-65-0x0000000000000000-mapping.dmp

Download
memory/1280-63-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-57-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-68-0x0000000000000000-mapping.dmp

Download
memory/1752-64-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-59-0x0000000000000000-mapping.dmp

Download
memory/1752-72-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1892-55-0x0000000000000000-mapping.dmp

Download