Analysis
- max time kernel: 131s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 22:42

Static task: static1
Behavioral task: behavioral1
- Sample: 39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe
- Resource: win10v2004-20220812-en
(The results below are from behavioral1, the windows7_x64 run.)

General
- Target: 39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe
- Size: 1.1MB
- MD5: 828ecb0f5803a567766468c175b9edfc
- SHA1: b3043d9553f70b32275de21646a59a89c950649f
- SHA256: 39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134
- SHA512: 44b866d6b7aa48ff62eed448f4b04b8b5fd0544cdd731febb9b7453a4c88dc9fd5896811c21a56ab668f38b76e37057fb91ef6041a6e5e5fb9a02884e3aa9795
- SSDEEP: 24576:nc//////VTfz84KYWx1h17op53+mUDkubit+nCTJu41sq9t4akdqAQ13FuG:nc//////VTA49Wxn1g5umUDkYno19AQ1
Malware Config
Signatures
-
Executes dropped EXE (4 IoCs)
Processes:
  PID   Process
  888   scvhosts.exe
  580   ÂÖÅ̹ÜÀíÕ¾.exe
  892   scvhosts
  1700  roulette_Group.exe
Naming notes: ÂÖÅ̹ÜÀíÕ¾.exe is the dropped file name as the en-US sandbox rendered it; the bytes are the GBK encoding of 轮盘管理站 ("roulette management station"), the same name that appears correctly decoded in the Program Files (x86)\轮盘管理站 directory this executable creates. scvhosts.exe and the extensionless copy scvhosts imitate the Windows svchost.exe name (letters transposed, trailing s).
Loads dropped DLL (8 IoCs)
Processes:
  PID   Process          Events
  1928  cmd.exe          1
  2016  cmd.exe          1
  888   scvhosts.exe     1
  580   ÂÖÅ̹ÜÀíÕ¾.exe   5
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Process: scvhosts.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scvhosts = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\scvhosts\""
The value points at the extensionless copy of the dropper under Microsoft Shared\MSINFO (see Drops file below). It lands under Wow6432Node because scvhosts.exe is a 32-bit process on the x64 image (its parent is SysWOW64\cmd.exe), so HKLM\SOFTWARE writes are redirected; writing a machine-wide Run value needs administrative rights, which the sandbox's Admin account has. On a live host, check both registry views, since a 64-bit tool reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run directly will not see this value.
Drops file in Program Files directory (11 IoCs)
Processes:
  Process          Action                       Path
  ÂÖÅ̹ÜÀíÕ¾.exe   File created                 C:\Program Files (x86)\轮盘管理站\__tmp_rar_sfx_access_check_7080822
  ÂÖÅ̹ÜÀíÕ¾.exe   File created                 C:\Program Files (x86)\轮盘管理站\update\set.ini
  ÂÖÅ̹ÜÀíÕ¾.exe   File opened for modification C:\Program Files (x86)\轮盘管理站\update\set.ini
  ÂÖÅ̹ÜÀíÕ¾.exe   File opened for modification C:\Program Files (x86)\轮盘管理站\update
  ÂÖÅ̹ÜÀíÕ¾.exe   File created                 C:\Program Files (x86)\轮盘管理站\roulette_Group.exe
  ÂÖÅ̹ÜÀíÕ¾.exe   File opened for modification C:\Program Files (x86)\轮盘管理站\roulette_Group.exe
  scvhosts.exe     File created                 C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts
  scvhosts.exe     File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts
  ÂÖÅ̹ÜÀíÕ¾.exe   File opened for modification C:\Program Files (x86)\轮盘管理站
  ÂÖÅ̹ÜÀíÕ¾.exe   File created                 C:\Program Files (x86)\轮盘管理站\update\update.ini
  ÂÖÅ̹ÜÀíÕ¾.exe   File opened for modification C:\Program Files (x86)\轮盘管理站\update\update.ini
The __tmp_rar_sfx_access_check_* file is the write-access probe a WinRAR self-extracting archive creates in its destination directory, so ÂÖÅ̹ÜÀíÕ¾.exe is a WinRAR SFX that unpacks roulette_Group.exe and an update\ directory (set.ini, update.ini) into Program Files (x86)\轮盘管理站 and then launches roulette_Group.exe. scvhosts.exe, by contrast, copies itself to Microsoft Shared\MSINFO\scvhosts and registers that copy for persistence.
Enumerates physical storage devices (1 TTPs)
Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That text is the signature's generic wording; drive enumeration is also routine for installers, and nothing else in this report (no mass file modification, no encryption, no ransom note) supports a ransomware reading. The observed activity is consistent with the SFX installer behaviour noted above.
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  PID   Process    Token privilege
  892   scvhosts   SeIncBasePriorityPrivilege (3 events)
Suspicious use of WriteProcessMemory (30 IoCs)
Processes:
  Writer PID  Writer process                                                            Target PID  Target process      Events
  1048        39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe      1928        cmd.exe             4
  1048        39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe      2016        cmd.exe             4
  1928        cmd.exe                                                                   888         scvhosts.exe        4
  2016        cmd.exe                                                                   580         ÂÖÅ̹ÜÀíÕ¾.exe      7
  888         scvhosts.exe                                                              892         scvhosts            4
  580         ÂÖÅ̹ÜÀíÕ¾.exe                                                            1700        roulette_Group.exe  7
Every write target is the writer's own direct child in the process tree below, which is what ordinary process creation looks like from the API-hook side (the parent populating the new child's address space). There is no write into a pre-existing or unrelated process, so this signature on its own is not evidence of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe (PID 1048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1928)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\scvhosts.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\scvhosts.exe (PID 888)
      Command line: C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      - C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts (PID 892)
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 2016)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ÂÖÅ̹ÜÀíÕ¾.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ÂÖÅ̹ÜÀíÕ¾.exe (PID 580)
      Command line: C:\Users\Admin\AppData\Local\Temp\ÂÖÅ̹ÜÀíÕ¾.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\轮盘管理站\roulette_Group.exe (PID 1700)
        Command line: "C:\Program Files (x86)\轮盘管理站\roulette_Group.exe"
        Signatures: Executes dropped EXE
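The tree above is a two-branch dropper chain: the submitted executable writes two payloads to the user's Temp directory, launches each through a cmd /c wrapper, and one payload then relaunches itself from a copy under Program Files with a name that imitates svchost. The script below is an added example (editor's code, not part of the sandbox report) that reconstructs the tree from process-creation events and flags exactly those traits. The events are constructed to mirror this report's PIDs, image paths and command lines; the heuristics and tag names are assumptions of the example, not sandbox signatures, and the system-binary name list is illustrative rather than complete.

```python
"""Process-tree triage over the dropper chain shown in this report (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None for the tree root
    image: str
    cmdline: str

# Constructed from the Processes section of the report (PIDs and paths as observed).
EVENTS: List[ProcEvent] = [
    ProcEvent(1048, None, r"C:\Users\Admin\AppData\Local\Temp\39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe"'),
    ProcEvent(1928, 1048, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\scvhosts.exe"'),
    ProcEvent(888, 1928, r"C:\Users\Admin\AppData\Local\Temp\scvhosts.exe", r"C:\Users\Admin\AppData\Local\Temp\scvhosts.exe"),
    ProcEvent(892, 888, r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts",
              r'"C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts"'),
    ProcEvent(2016, 1048, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\ÂÖÅ̹ÜÀíÕ¾.exe"'),
    ProcEvent(580, 2016, r"C:\Users\Admin\AppData\Local\Temp\ÂÖÅ̹ÜÀíÕ¾.exe", r"C:\Users\Admin\AppData\Local\Temp\ÂÖÅ̹ÜÀíÕ¾.exe"),
    ProcEvent(1700, 580, r"C:\Program Files (x86)\轮盘管理站\roulette_Group.exe", r'"C:\Program Files (x86)\轮盘管理站\roulette_Group.exe"'),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_MARKER = "\\appdata\\local\\temp\\"
# Illustrative list of Windows binary names that malware commonly imitates (assumption, not exhaustive).
SYSTEM_STEMS = ("svchost", "lsass", "csrss", "winlogon", "services", "spoolsv",
                "conhost", "dllhost", "explorer", "rundll32", "taskhost")

def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert/delete/substitute plus adjacent transposition,
    so 'scvhosts' vs 'svchost' costs 2 (one transposition, one deletion)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def stem(image: str) -> str:
    """Lower-cased file name without a trailing .exe (the MSINFO copy has no extension at all)."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def score(ev: ProcEvent) -> List[str]:
    """Tags for one process, in a fixed order so results are comparable."""
    tags: List[str] = []
    img = ev.image.lower()
    base = img.rsplit("\\", 1)[-1]
    if TEMP_MARKER in img:                       # payload executed from the user's Temp directory
        tags.append("exec-from-temp")
    cl = ev.cmdline.lower()
    if base == "cmd.exe" and "/c" in cl.split() and TEMP_MARKER in cl:
        tags.append("cmd-wrapper")               # cmd /c used only to launch a Temp executable
    if not img.startswith(SYSTEM_DIRS):          # real system binaries live in System32/SysWOW64
        s = stem(ev.image)
        if any(0 < osa_distance(s, ref) <= 2 for ref in SYSTEM_STEMS):
            tags.append("system-name-lookalike")
    if "." not in base:                          # executable image with no file extension
        tags.append("extensionless-image")
    return tags

def score_events(events: List[ProcEvent]) -> Dict[int, List[str]]:
    return {ev.pid: score(ev) for ev in events}

def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """PIDs from the tree root down to `pid`, following parent links."""
    by_pid = {ev.pid: ev for ev in events}
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None and cur in by_pid:
        chain.append(cur)
        cur = by_pid[cur].ppid
    return list(reversed(chain))

if __name__ == "__main__":
    for ev in EVENTS:
        print(" -> ".join(str(p) for p in ancestry(EVENTS, ev.pid)), score(ev))
```

Run stand-alone it prints each process's ancestry and tags; PID 892 resolves to 1048 -> 1928 -> 888 -> 892 with the lookalike and extensionless tags, which is the persistence branch the Run key signature refers to. To apply the same logic to a live host, build ProcEvent records from Sysmon Event ID 1 or Windows Security 4688 fields (ProcessId, ParentProcessId, Image, CommandLine) instead of the constructed list.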
Network
MITRE ATT&CK Enterprise v6
Downloads
Three distinct files were dropped; the sandbox lists each under every path it was observed at (with and without the drive letter). Entries are grouped here by hash.
- roulette_Group.exe (693KB)
  Observed at: C:\Program Files (x86)\轮盘管理站\roulette_Group.exe; \Program Files (x86)\轮盘管理站\roulette_Group.exe
  MD5: 5df2dd90179750f503b699c9074ec21c
  SHA1: b506bd9aa289fd3ce6fd48a31472eec0a65a7023
  SHA256: 622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415
  SHA512: c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27
- scvhosts.exe / scvhosts (686KB; identical hashes under both names)
  Observed at: C:\Users\Admin\AppData\Local\Temp\scvhosts.exe; \Users\Admin\AppData\Local\Temp\scvhosts.exe; C:\Program Files\Common Files\Microsoft Shared\MSInfo\scvhosts; \Program Files\Common Files\Microsoft Shared\MSInfo\scvhosts
  MD5: 222345423b8daced7019d3d3f8f309ea
  SHA1: 6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8
  SHA256: 614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22
  SHA512: 1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab
- ÂÖÅ̹ÜÀíÕ¾.exe (357KB)
  Observed at: C:\Users\Admin\AppData\Local\Temp\ÂÖÅ̹ÜÀíÕ¾.exe; \Users\Admin\AppData\Local\Temp\ÂÖÅ̹ÜÀíÕ¾.exe
  MD5: f962bbe11ff07bc3c35e0a7df48ac8a5
  SHA1: 43d9965a1ebfc225ccbafb007033fd102408ebf2
  SHA256: 483d86d75ef252768488f75a622ee9dfed135e5d8ac34a5dd707f82d87bdb29b
  SHA512: 24cad8ced3b261f3a4fc4654a1fd5c32096e824684491f5cf85de5f8216ddea8a49b68a9c32c61148323f0e61e252fdcaed3030d6606486a6583b30d41da418e
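Because the same payload shows up under several paths and two names (scvhosts.exe in Temp, extensionless scvhosts under MSINFO), a host check should match dropped files by hash and should read the Run key from the 32-bit registry view the sample wrote. The script below is an added example (editor's code, not from the sandbox report): the hash values, Run value name and data, and drop paths are copied from this report; the matching functions and the optional live registry collection are the example's own. Off Windows, collect_run_entries() returns an empty dict and only the pure matching functions do work.

```python
"""Host check for this report's dropped-file hashes and Run-key persistence (added example)."""
import hashlib
import os
import sys
from typing import Dict, Iterable, List, Tuple

# Dropped files from the Downloads section: name -> (size, MD5, SHA256).
DROPPED: Dict[str, Tuple[str, str, str]] = {
    "scvhosts.exe": ("686KB", "222345423b8daced7019d3d3f8f309ea",
                     "614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22"),
    "ÂÖÅ̹ÜÀíÕ¾.exe": ("357KB", "f962bbe11ff07bc3c35e0a7df48ac8a5",
                       "483d86d75ef252768488f75a622ee9dfed135e5d8ac34a5dd707f82d87bdb29b"),
    "roulette_Group.exe": ("693KB", "5df2dd90179750f503b699c9074ec21c",
                           "622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415"),
}
SHA256_INDEX: Dict[str, str] = {sha: name for name, (_, _, sha) in DROPPED.items()}

# Persistence written by scvhosts.exe (from the Adds Run key signature).
RUN_VALUE_NAME = "scvhosts"
RUN_VALUE_DATA = r'"C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts"'

# Paths the dropper wrote (from Drops file / Downloads); checked for existence on a live host.
DROP_PATHS: List[str] = [
    r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts",
    r"C:\Program Files (x86)\轮盘管理站\roulette_Group.exe",
    r"C:\Program Files (x86)\轮盘管理站\update\set.ini",
    r"C:\Program Files (x86)\轮盘管理站\update\update.ini",
]

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Streaming SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def match_hashes(observed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Match {path: sha256} against the report's dropped files by hash only,
    so a renamed or relocated copy (scvhosts vs scvhosts.exe) is still found."""
    return [(path, SHA256_INDEX[sha.lower()]) for path, sha in observed.items()
            if sha.lower() in SHA256_INDEX]

def check_run_entries(entries: Dict[str, str]) -> List[str]:
    """Run value names that match this sample: the exact value name (case-insensitive)
    or any value whose data points at the MSINFO drop path, quotes ignored."""
    target = RUN_VALUE_DATA.strip('"').lower()
    return [name for name, data in entries.items()
            if name.lower() == RUN_VALUE_NAME or target in data.lower()]

def collect_run_entries() -> Dict[str, str]:
    """Read HKLM Run from both registry views; the sample wrote the 32-bit (Wow6432Node) view.
    Returns an empty dict on non-Windows platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    out: Dict[str, str] = {}
    for view in (winreg.KEY_WOW64_32KEY, winreg.KEY_WOW64_64KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                                 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:      # no more values in this key
                    break
                out[name] = str(data)
                i += 1
    return out

def scan_host(paths: Iterable[str] = DROP_PATHS) -> Dict[str, object]:
    """Existence of the drop paths, hash matches for those that are files, and Run-key hits."""
    present = [p for p in paths if os.path.exists(p)]
    hashes = {p: sha256_of(p) for p in present if os.path.isfile(p)}
    return {"present": present,
            "hash_matches": match_hashes(hashes),
            "run_hits": check_run_entries(collect_run_entries())}

if __name__ == "__main__":
    print(scan_host())
```

Matching on SHA-256 rather than on path is deliberate: the report already shows the 686KB payload under four path spellings, and the MD5 values are listed for correlation with other sources, not as the primary key. The registry read opens both views explicitly because a 64-bit Python reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run without KEY_WOW64_32KEY would miss the value this sample created under Wow6432Node.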
-
memory/580-62-0x0000000000000000-mapping.dmp
-
memory/888-58-0x0000000000000000-mapping.dmp
-
memory/888-63-0x00000000759F1000-0x00000000759F3000-memory.dmpFilesize
8KB
-
memory/892-67-0x0000000000000000-mapping.dmp
-
memory/1700-75-0x0000000000000000-mapping.dmp
-
memory/1928-54-0x0000000000000000-mapping.dmp
-
memory/2016-55-0x0000000000000000-mapping.dmp