39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134

Analysis

max time kernel
131s
max time network
147s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe
Size

1.1MB
MD5

828ecb0f5803a567766468c175b9edfc
SHA1

b3043d9553f70b32275de21646a59a89c950649f
SHA256

39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134
SHA512

44b866d6b7aa48ff62eed448f4b04b8b5fd0544cdd731febb9b7453a4c88dc9fd5896811c21a56ab668f38b76e37057fb91ef6041a6e5e5fb9a02884e3aa9795
SSDEEP

24576:nc//////VTfz84KYWx1h17op53+mUDkubit+nCTJu41sq9t4akdqAQ13FuG:nc//////VTA49Wxn1g5umUDkYno19AQ1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

scvhosts.exeÂÖÅÌ¹ÜÀíÕ¾.exescvhostsroulette_Group.exe

pid process

888 scvhosts.exe
580 ÂÖÅÌ¹ÜÀíÕ¾.exe
892 scvhosts
1700 roulette_Group.exe

pid	process
888	scvhosts.exe
580	ÂÖÅÌ¹ÜÀíÕ¾.exe
892	scvhosts
1700	roulette_Group.exe

Loads dropped DLL 8 IoCs

Processes:

cmd.execmd.exescvhosts.exeÂÖÅÌ¹ÜÀíÕ¾.exe

pid	process
1928	cmd.exe
2016	cmd.exe
888	scvhosts.exe
580	ÂÖÅÌ¹ÜÀíÕ¾.exe
580	ÂÖÅÌ¹ÜÀíÕ¾.exe
580	ÂÖÅÌ¹ÜÀíÕ¾.exe
580	ÂÖÅÌ¹ÜÀíÕ¾.exe
580	ÂÖÅÌ¹ÜÀíÕ¾.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

scvhosts.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\windows\CurrentVersion\Run	scvhosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scvhosts = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\scvhosts\""	scvhosts.exe

Drops file in Program Files directory 11 IoCs

Processes:

ÂÖÅÌ¹ÜÀíÕ¾.exescvhosts.exe

description	ioc	process
File created	C:\Program Files (x86)\轮盘管理站\__tmp_rar_sfx_access_check_7080822	ÂÖÅÌ¹ÜÀíÕ¾.exe
File created	C:\Program Files (x86)\轮盘管理站\update\set.ini	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站\update\set.ini	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站\update	ÂÖÅÌ¹ÜÀíÕ¾.exe
File created	C:\Program Files (x86)\轮盘管理站\roulette_Group.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站\roulette_Group.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts	scvhosts.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts	scvhosts.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站	ÂÖÅÌ¹ÜÀíÕ¾.exe
File created	C:\Program Files (x86)\轮盘管理站\update\update.ini	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站\update\update.ini	ÂÖÅÌ¹ÜÀíÕ¾.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

scvhosts

description	pid	process
Token: SeIncBasePriorityPrivilege	892	scvhosts
Token: SeIncBasePriorityPrivilege	892	scvhosts
Token: SeIncBasePriorityPrivilege	892	scvhosts

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.execmd.execmd.exescvhosts.exeÂÖÅÌ¹ÜÀíÕ¾.exe

description	pid	process	target process
PID 1048 wrote to memory of 1928	1048	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 1048 wrote to memory of 1928	1048	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 1048 wrote to memory of 1928	1048	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 1048 wrote to memory of 1928	1048	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 1048 wrote to memory of 2016	1048	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 1048 wrote to memory of 2016	1048	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 1048 wrote to memory of 2016	1048	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 1048 wrote to memory of 2016	1048	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 1928 wrote to memory of 888	1928	cmd.exe	scvhosts.exe
PID 1928 wrote to memory of 888	1928	cmd.exe	scvhosts.exe
PID 1928 wrote to memory of 888	1928	cmd.exe	scvhosts.exe
PID 1928 wrote to memory of 888	1928	cmd.exe	scvhosts.exe
PID 2016 wrote to memory of 580	2016	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 2016 wrote to memory of 580	2016	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 2016 wrote to memory of 580	2016	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 2016 wrote to memory of 580	2016	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 2016 wrote to memory of 580	2016	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 2016 wrote to memory of 580	2016	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 2016 wrote to memory of 580	2016	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 888 wrote to memory of 892	888	scvhosts.exe	scvhosts
PID 888 wrote to memory of 892	888	scvhosts.exe	scvhosts
PID 888 wrote to memory of 892	888	scvhosts.exe	scvhosts
PID 888 wrote to memory of 892	888	scvhosts.exe	scvhosts
PID 580 wrote to memory of 1700	580	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe
PID 580 wrote to memory of 1700	580	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe
PID 580 wrote to memory of 1700	580	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe
PID 580 wrote to memory of 1700	580	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe
PID 580 wrote to memory of 1700	580	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe
PID 580 wrote to memory of 1700	580	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe
PID 580 wrote to memory of 1700	580	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe

C:\Users\Admin\AppData\Local\Temp\39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe
"C:\Users\Admin\AppData\Local\Temp\39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\scvhosts.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:888

C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:580

C:\Program Files (x86)\轮盘管理站\roulette_Group.exe
"C:\Program Files (x86)\轮盘管理站\roulette_Group.exe"
4⤵
- Executes dropped EXE
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\轮盘管理站\roulette_Group.exe
Filesize
693KB

MD5
5df2dd90179750f503b699c9074ec21c

SHA1
b506bd9aa289fd3ce6fd48a31472eec0a65a7023

SHA256
622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415

SHA512
c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\scvhosts
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
Filesize
357KB

MD5
f962bbe11ff07bc3c35e0a7df48ac8a5

SHA1
43d9965a1ebfc225ccbafb007033fd102408ebf2

SHA256
483d86d75ef252768488f75a622ee9dfed135e5d8ac34a5dd707f82d87bdb29b

SHA512
24cad8ced3b261f3a4fc4654a1fd5c32096e824684491f5cf85de5f8216ddea8a49b68a9c32c61148323f0e61e252fdcaed3030d6606486a6583b30d41da418e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
Filesize
357KB

MD5
f962bbe11ff07bc3c35e0a7df48ac8a5

SHA1
43d9965a1ebfc225ccbafb007033fd102408ebf2

SHA256
483d86d75ef252768488f75a622ee9dfed135e5d8ac34a5dd707f82d87bdb29b

SHA512
24cad8ced3b261f3a4fc4654a1fd5c32096e824684491f5cf85de5f8216ddea8a49b68a9c32c61148323f0e61e252fdcaed3030d6606486a6583b30d41da418e

Download Submit
\Program Files (x86)\轮盘管理站\roulette_Group.exe
Filesize
693KB

MD5
5df2dd90179750f503b699c9074ec21c

SHA1
b506bd9aa289fd3ce6fd48a31472eec0a65a7023

SHA256
622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415

SHA512
c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27

Download Submit
\Program Files (x86)\轮盘管理站\roulette_Group.exe
Filesize
693KB

MD5
5df2dd90179750f503b699c9074ec21c

SHA1
b506bd9aa289fd3ce6fd48a31472eec0a65a7023

SHA256
622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415

SHA512
c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27

Download Submit
\Program Files (x86)\轮盘管理站\roulette_Group.exe
Filesize
693KB

MD5
5df2dd90179750f503b699c9074ec21c

SHA1
b506bd9aa289fd3ce6fd48a31472eec0a65a7023

SHA256
622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415

SHA512
c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27

Download Submit
\Program Files (x86)\轮盘管理站\roulette_Group.exe
Filesize
693KB

MD5
5df2dd90179750f503b699c9074ec21c

SHA1
b506bd9aa289fd3ce6fd48a31472eec0a65a7023

SHA256
622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415

SHA512
c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27

Download Submit
\Program Files (x86)\轮盘管理站\roulette_Group.exe
Filesize
693KB

MD5
5df2dd90179750f503b699c9074ec21c

SHA1
b506bd9aa289fd3ce6fd48a31472eec0a65a7023

SHA256
622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415

SHA512
c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\scvhosts
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
\Users\Admin\AppData\Local\Temp\scvhosts.exe
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
Filesize
357KB

MD5
f962bbe11ff07bc3c35e0a7df48ac8a5

SHA1
43d9965a1ebfc225ccbafb007033fd102408ebf2

SHA256
483d86d75ef252768488f75a622ee9dfed135e5d8ac34a5dd707f82d87bdb29b

SHA512
24cad8ced3b261f3a4fc4654a1fd5c32096e824684491f5cf85de5f8216ddea8a49b68a9c32c61148323f0e61e252fdcaed3030d6606486a6583b30d41da418e

Download Submit
memory/580-62-0x0000000000000000-mapping.dmp

Download
memory/888-58-0x0000000000000000-mapping.dmp

Download
memory/888-63-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/892-67-0x0000000000000000-mapping.dmp

Download
memory/1700-75-0x0000000000000000-mapping.dmp

Download
memory/1928-54-0x0000000000000000-mapping.dmp

Download
memory/2016-55-0x0000000000000000-mapping.dmp

Download