Analysis
-
max time kernel
225s -
max time network
283s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 09:47
Static task
static1
Behavioral task
behavioral1
Sample
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe
Resource
win10v2004-20221111-en
General
-
Target
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe
-
Size
70KB
-
MD5
2d21290a4ac030e7b7c1f8bb9e36dc52
-
SHA1
cff38cae60982e275fe78b6c816b2c0207323ea1
-
SHA256
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5
-
SHA512
f748abb71715558947dd39c5359cb81420517296c50d58830d51f8245d511e461219a92cbb4a753d3066b83f30ab04814be68d1b86fc2d69cfd606b953bc902d
-
SSDEEP
1536:jX0JlJNe1BlG+Pve7Bmx+qoDw60loBnmvPFdLujEKX49yQvEpj/Dp:jX0JlqrlfPv8Ix+qoqnNdLuxoyQvEpXp
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
scvhost.exepid process 4088 scvhost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jklVersion = "1.1" a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scvhost.exe = "C:\\Users\\Public\\scvhost.exe" a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kID = "17" a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exescvhost.exepid process 2360 a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe 4088 scvhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exescvhost.exedescription pid process Token: SeDebugPrivilege 2360 a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe Token: SeDebugPrivilege 4088 scvhost.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exescvhost.exepid process 2360 a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe 2360 a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe 4088 scvhost.exe 4088 scvhost.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exedescription pid process target process PID 2360 wrote to memory of 4088 2360 a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe scvhost.exe PID 2360 wrote to memory of 4088 2360 a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe scvhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe"C:\Users\Admin\AppData\Local\Temp\a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Public\scvhost.exe"C:\Users\Public\scvhost.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4088
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD52d21290a4ac030e7b7c1f8bb9e36dc52
SHA1cff38cae60982e275fe78b6c816b2c0207323ea1
SHA256a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5
SHA512f748abb71715558947dd39c5359cb81420517296c50d58830d51f8245d511e461219a92cbb4a753d3066b83f30ab04814be68d1b86fc2d69cfd606b953bc902d
-
Filesize
70KB
MD52d21290a4ac030e7b7c1f8bb9e36dc52
SHA1cff38cae60982e275fe78b6c816b2c0207323ea1
SHA256a181986f717715a4b8a39767f023adb834e8f25164e4cf9e7db3ac0abe4759b5
SHA512f748abb71715558947dd39c5359cb81420517296c50d58830d51f8245d511e461219a92cbb4a753d3066b83f30ab04814be68d1b86fc2d69cfd606b953bc902d