277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc

Analysis

max time kernel
151s
max time network
105s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe
Size

208KB
MD5

a014074fe7a802a5ed06d131cd755e40
SHA1

3d2957b9dbb5d9850a038245aef57d9a4d5f6214
SHA256

277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc
SHA512

247dd43273ca7155093dcc791eb82ddbea31afe353956d6d39d80fa8a59db9f828658410492a68f8a5c755a85f6d3c5f58dbfdd843ab472456b973fbb3c23499
SSDEEP

1536:Vfuxw10lxJM5y8w5OZRVmgyDl+cWaxJcveQZNTRSb3EBAR1AlQPsxjheYhpXN5yh:f0OtF2Qo7VsJgisxlYegEX0ZZbW

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1512	svhust.exe
776	svhust.exe
1948	svhust.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1920-83-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1920-85-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1920-86-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1920-89-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1920-90-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1920-93-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1948-119-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/1948-121-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/1920-127-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1948-123-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/1948-131-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/776-132-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1948-133-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/1948-135-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/776-137-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe
1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe
1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe
1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhust = "C:\\Users\\Admin\\AppData\\Roaming\\svhust\\svhust.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svhust.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\system32\\winldr.exe"	svhust.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\winldr.exe	svhust.exe
File opened for modification	C:\Windows\SysWOW64\winldr.exe	svhust.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1512 set thread context of 776	1512	svhust.exe	33
PID 1512 set thread context of 1948	1512	svhust.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe
Token: SeDebugPrivilege	776	svhust.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1948	svhust.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe
1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe
1512	svhust.exe
776	svhust.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1076 wrote to memory of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1076 wrote to memory of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1076 wrote to memory of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1076 wrote to memory of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1076 wrote to memory of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1076 wrote to memory of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1076 wrote to memory of 1920	1076	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	28
PID 1920 wrote to memory of 1864	1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	29
PID 1920 wrote to memory of 1864	1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	29
PID 1920 wrote to memory of 1864	1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	29
PID 1920 wrote to memory of 1864	1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	29
PID 1864 wrote to memory of 1604	1864	cmd.exe	31
PID 1864 wrote to memory of 1604	1864	cmd.exe	31
PID 1864 wrote to memory of 1604	1864	cmd.exe	31
PID 1864 wrote to memory of 1604	1864	cmd.exe	31
PID 1920 wrote to memory of 1512	1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	32
PID 1920 wrote to memory of 1512	1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	32
PID 1920 wrote to memory of 1512	1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	32
PID 1920 wrote to memory of 1512	1920	277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe	32
PID 1512 wrote to memory of 776	1512	svhust.exe	33
PID 1512 wrote to memory of 776	1512	svhust.exe	33
PID 1512 wrote to memory of 776	1512	svhust.exe	33
PID 1512 wrote to memory of 776	1512	svhust.exe	33
PID 1512 wrote to memory of 776	1512	svhust.exe	33
PID 1512 wrote to memory of 776	1512	svhust.exe	33
PID 1512 wrote to memory of 776	1512	svhust.exe	33
PID 1512 wrote to memory of 776	1512	svhust.exe	33
PID 1512 wrote to memory of 1948	1512	svhust.exe	34
PID 1512 wrote to memory of 1948	1512	svhust.exe	34
PID 1512 wrote to memory of 1948	1512	svhust.exe	34
PID 1512 wrote to memory of 1948	1512	svhust.exe	34
PID 1512 wrote to memory of 1948	1512	svhust.exe	34
PID 1512 wrote to memory of 1948	1512	svhust.exe	34
PID 1512 wrote to memory of 1948	1512	svhust.exe	34
PID 1512 wrote to memory of 1948	1512	svhust.exe	34

C:\Users\Admin\AppData\Local\Temp\277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe
"C:\Users\Admin\AppData\Local\Temp\277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe
  "C:\Users\Admin\AppData\Local\Temp\277b2b42c21adf2927e9a42912e39f126cd36f0981fa9b79ff7d205020bff5fc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YFGDM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svhust" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe" /f
      4⤵
      Adds Run key to start application
      PID:1604
- - C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
    "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
      "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:776
  - - C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
      "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of FindShellTrayWindow
      PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YFGDM.bat

Filesize
141B

MD5
e83a2e0b3c1e03dfb96ffd9924117a45

SHA1
27a3e4ba115ba1bad0bf094f5b97e768d1ece33e

SHA256
655407d94fff9e707712a588d97a2017cc1c9d690a67c688ed0abcb79e452b13

SHA512
5f61686a3b7db3544d83a4f2ce1a75868c7dc266709f72a34eafecc3a26696a985b1912a559aed8f5a2cacbfe26be9beae2374340d1801bb18473de785557480

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
208KB

MD5
c9c553ee2e7b5688b0a58dc364894c8e

SHA1
1efc65ff4993f6501df87ec999dd271f906d537c

SHA256
0b2f709b69ecd44f3d4614417a72b3cf579f688340b9d72744c8f01ead8032f9

SHA512
c9b958171bc44b045001e6886c9a08cdf08f4372e8149121519f6e73ccfdfbb4a3084b213cffc6e386b15f0077243233b08a4f82494d7f7e28b2db214d718575

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
208KB

MD5
c9c553ee2e7b5688b0a58dc364894c8e

SHA1
1efc65ff4993f6501df87ec999dd271f906d537c

SHA256
0b2f709b69ecd44f3d4614417a72b3cf579f688340b9d72744c8f01ead8032f9

SHA512
c9b958171bc44b045001e6886c9a08cdf08f4372e8149121519f6e73ccfdfbb4a3084b213cffc6e386b15f0077243233b08a4f82494d7f7e28b2db214d718575

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
208KB

MD5
c9c553ee2e7b5688b0a58dc364894c8e

SHA1
1efc65ff4993f6501df87ec999dd271f906d537c

SHA256
0b2f709b69ecd44f3d4614417a72b3cf579f688340b9d72744c8f01ead8032f9

SHA512
c9b958171bc44b045001e6886c9a08cdf08f4372e8149121519f6e73ccfdfbb4a3084b213cffc6e386b15f0077243233b08a4f82494d7f7e28b2db214d718575

Download Submit
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
208KB

MD5
c9c553ee2e7b5688b0a58dc364894c8e

SHA1
1efc65ff4993f6501df87ec999dd271f906d537c

SHA256
0b2f709b69ecd44f3d4614417a72b3cf579f688340b9d72744c8f01ead8032f9

SHA512
c9b958171bc44b045001e6886c9a08cdf08f4372e8149121519f6e73ccfdfbb4a3084b213cffc6e386b15f0077243233b08a4f82494d7f7e28b2db214d718575

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
208KB

MD5
c9c553ee2e7b5688b0a58dc364894c8e

SHA1
1efc65ff4993f6501df87ec999dd271f906d537c

SHA256
0b2f709b69ecd44f3d4614417a72b3cf579f688340b9d72744c8f01ead8032f9

SHA512
c9b958171bc44b045001e6886c9a08cdf08f4372e8149121519f6e73ccfdfbb4a3084b213cffc6e386b15f0077243233b08a4f82494d7f7e28b2db214d718575

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
208KB

MD5
c9c553ee2e7b5688b0a58dc364894c8e

SHA1
1efc65ff4993f6501df87ec999dd271f906d537c

SHA256
0b2f709b69ecd44f3d4614417a72b3cf579f688340b9d72744c8f01ead8032f9

SHA512
c9b958171bc44b045001e6886c9a08cdf08f4372e8149121519f6e73ccfdfbb4a3084b213cffc6e386b15f0077243233b08a4f82494d7f7e28b2db214d718575

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
208KB

MD5
c9c553ee2e7b5688b0a58dc364894c8e

SHA1
1efc65ff4993f6501df87ec999dd271f906d537c

SHA256
0b2f709b69ecd44f3d4614417a72b3cf579f688340b9d72744c8f01ead8032f9

SHA512
c9b958171bc44b045001e6886c9a08cdf08f4372e8149121519f6e73ccfdfbb4a3084b213cffc6e386b15f0077243233b08a4f82494d7f7e28b2db214d718575

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
208KB

MD5
c9c553ee2e7b5688b0a58dc364894c8e

SHA1
1efc65ff4993f6501df87ec999dd271f906d537c

SHA256
0b2f709b69ecd44f3d4614417a72b3cf579f688340b9d72744c8f01ead8032f9

SHA512
c9b958171bc44b045001e6886c9a08cdf08f4372e8149121519f6e73ccfdfbb4a3084b213cffc6e386b15f0077243233b08a4f82494d7f7e28b2db214d718575

Download Submit
memory/776-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/776-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1512-106-0x000000000056D000-0x0000000000582000-memory.dmp

Filesize
84KB

Download
memory/1920-94-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1920-86-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1920-93-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1920-90-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1920-89-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1920-82-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1920-83-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1920-85-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1920-127-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1948-119-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1948-123-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1948-131-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1948-121-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1948-133-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1948-135-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1948-136-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1948-117-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download