Analysis
- max time kernel: 41s
- max time network: 102s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 07:39
Static task: static1
Behavioral task: behavioral1
  Sample: ᰮﶹv3.0.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ᰮﶹv3.0.exe
  Resource: win10v2004-20221111-en
General
- Target: ᰮﶹv3.0.exe
- Size: 952KB
- MD5: 28d322548a7f25e0d1551812dd8cab84
- SHA1: 9e705638388d032e9e0f91037f7e57175a1cb80a
- SHA256: 320141102e439b1ee028af89550990384b4583643ac989b82c40f250ac26d8ca
- SHA512: df24fa2f14f1f1976fe82e6ba4e57d4a0405f4842e802912355a80b2e61ab988e737658f251ec90d1b6651f0e1abb5f80b6ce883b653b7542557070253f5b576
- SSDEEP: 12288:AaR8ma6AhFDVaqIlZmqoyWnfP6iDIcIlhTNU+EJFFVQLk77gbGG1QLk:2m3eDVa7lZmwa63lxWVQLkHsQLk
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: WScript.exe (pid 1952)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store (heading recovered from the process tree below)
  Processes: ᰮﶹv3.0.exe
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob value not captured in this report)
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: ᰮﶹv3.0.exe (pid 1884), two events
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1884 (ᰮﶹv3.0.exe) wrote to memory of PID 1952 (WScript.exe), four events
Processes
1. C:\Users\Admin\AppData\Local\Temp\ᰮﶹv3.0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ᰮﶹv3.0.exe"
   - Modifies system certificate store
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\WScript.exe (child of process 1)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
   - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tem.vbs
  Filesize: 204B
  MD5: bf153b89117847171b6497371cff7ed2
  SHA1: cf21f1ec33eb95cb10e6361ecdf5a7cd0f5b9494
  SHA256: 6e8b2c7f607fd7ab1475162b55258086bc9da7595e3c10d0f439b14754ca4a7b
  SHA512: a02a597d51fe206c94d0a94bb3214d79359b7792786fcc56135e0f2b466ace2725f2ebfe8d172ebd30b46d7e27c6f11462e04de1a435806db44ecf0b13309cef
- memory/1884-54-0x0000000000400000-0x000000000050D000-memory.dmp
  Filesize: 1.1MB
- memory/1884-55-0x0000000075571000-0x0000000075573000-memory.dmp
  Filesize: 8KB
- memory/1884-57-0x0000000000400000-0x000000000050D000-memory.dmp
  Filesize: 1.1MB
- memory/1952-56-0x0000000000000000-mapping.dmp