39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134

General

Target

39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe
Size

1.1MB
MD5

828ecb0f5803a567766468c175b9edfc
SHA1

b3043d9553f70b32275de21646a59a89c950649f
SHA256

39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134
SHA512

44b866d6b7aa48ff62eed448f4b04b8b5fd0544cdd731febb9b7453a4c88dc9fd5896811c21a56ab668f38b76e37057fb91ef6041a6e5e5fb9a02884e3aa9795
SSDEEP

24576:nc//////VTfz84KYWx1h17op53+mUDkubit+nCTJu41sq9t4akdqAQ13FuG:nc//////VTA49Wxn1g5umUDkYno19AQ1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

scvhosts.exeÂÖÅÌ¹ÜÀíÕ¾.exescvhostsroulette_Group.exe

pid process

4220 scvhosts.exe
3428 ÂÖÅÌ¹ÜÀíÕ¾.exe
3224 scvhosts
1208 roulette_Group.exe

pid	process
4220	scvhosts.exe
3428	ÂÖÅÌ¹ÜÀíÕ¾.exe
3224	scvhosts
1208	roulette_Group.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ÂÖÅÌ¹ÜÀíÕ¾.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ÂÖÅÌ¹ÜÀíÕ¾.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

scvhosts.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows\CurrentVersion\Run	scvhosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scvhosts = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\scvhosts\""	scvhosts.exe

Drops file in Program Files directory 11 IoCs

Processes:

ÂÖÅÌ¹ÜÀíÕ¾.exescvhosts.exe

description	ioc	process
File created	C:\Program Files (x86)\轮盘管理站\update\set.ini	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站\update\set.ini	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站\update	ÂÖÅÌ¹ÜÀíÕ¾.exe
File created	C:\Program Files (x86)\轮盘管理站\update\update.ini	ÂÖÅÌ¹ÜÀíÕ¾.exe
File created	C:\Program Files (x86)\轮盘管理站\roulette_Group.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts	scvhosts.exe
File created	C:\Program Files (x86)\轮盘管理站\__tmp_rar_sfx_access_check_240617203	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站\update\update.ini	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站\roulette_Group.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts	scvhosts.exe
File opened for modification	C:\Program Files (x86)\轮盘管理站	ÂÖÅÌ¹ÜÀíÕ¾.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

scvhosts

description	pid	process
Token: SeIncBasePriorityPrivilege	3224	scvhosts
Token: SeIncBasePriorityPrivilege	3224	scvhosts
Token: SeIncBasePriorityPrivilege	3224	scvhosts

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.execmd.execmd.exescvhosts.exeÂÖÅÌ¹ÜÀíÕ¾.exe

description	pid	process	target process
PID 2204 wrote to memory of 2840	2204	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 2204 wrote to memory of 2840	2204	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 2204 wrote to memory of 2840	2204	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 2204 wrote to memory of 868	2204	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 2204 wrote to memory of 868	2204	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 2204 wrote to memory of 868	2204	39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe	cmd.exe
PID 2840 wrote to memory of 4220	2840	cmd.exe	scvhosts.exe
PID 2840 wrote to memory of 4220	2840	cmd.exe	scvhosts.exe
PID 2840 wrote to memory of 4220	2840	cmd.exe	scvhosts.exe
PID 868 wrote to memory of 3428	868	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 868 wrote to memory of 3428	868	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 868 wrote to memory of 3428	868	cmd.exe	ÂÖÅÌ¹ÜÀíÕ¾.exe
PID 4220 wrote to memory of 3224	4220	scvhosts.exe	scvhosts
PID 4220 wrote to memory of 3224	4220	scvhosts.exe	scvhosts
PID 4220 wrote to memory of 3224	4220	scvhosts.exe	scvhosts
PID 3428 wrote to memory of 1208	3428	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe
PID 3428 wrote to memory of 1208	3428	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe
PID 3428 wrote to memory of 1208	3428	ÂÖÅÌ¹ÜÀíÕ¾.exe	roulette_Group.exe

C:\Users\Admin\AppData\Local\Temp\39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe
"C:\Users\Admin\AppData\Local\Temp\39b1178e550ab88a46cbb0de820ab66478431802ef076e1a1621aa3c12b16134.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\scvhosts.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4220

C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3428

C:\Program Files (x86)\轮盘管理站\roulette_Group.exe
"C:\Program Files (x86)\轮盘管理站\roulette_Group.exe"
4⤵
- Executes dropped EXE
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\轮盘管理站\roulette_Group.exe
Filesize
693KB

MD5
5df2dd90179750f503b699c9074ec21c

SHA1
b506bd9aa289fd3ce6fd48a31472eec0a65a7023

SHA256
622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415

SHA512
c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27

Download Submit
C:\Program Files (x86)\轮盘管理站\roulette_Group.exe
Filesize
693KB

MD5
5df2dd90179750f503b699c9074ec21c

SHA1
b506bd9aa289fd3ce6fd48a31472eec0a65a7023

SHA256
622c3c0450d930e18eab8405532cd0a40ae9a7bf99bc8a6ff21b793340183415

SHA512
c88841dd1ebd48b0840dc2d36c349fee13dcb7de8d8aefc379e813cd8aa96323788c5fd72a994ada59506d38d7dc576a667e0a31b6ba312cb333767e05471f27

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\scvhosts
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
Filesize
686KB

MD5
222345423b8daced7019d3d3f8f309ea

SHA1
6f04a9f181e5a764ed1319c3ee2220a0cfa4e7f8

SHA256
614f5f9c8c07f208436fa14c42a51418ef1cb565c4b71c30708bf2e47c9aab22

SHA512
1d5df1071507b7717c4b71535279b2b9f9a4e0422ad62c8e9dbe272b4c0dbde876911b7cc30dd1ff131e75e71c1aebd5241e62d5e661ed2f9d44416440871eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
Filesize
357KB

MD5
f962bbe11ff07bc3c35e0a7df48ac8a5

SHA1
43d9965a1ebfc225ccbafb007033fd102408ebf2

SHA256
483d86d75ef252768488f75a622ee9dfed135e5d8ac34a5dd707f82d87bdb29b

SHA512
24cad8ced3b261f3a4fc4654a1fd5c32096e824684491f5cf85de5f8216ddea8a49b68a9c32c61148323f0e61e252fdcaed3030d6606486a6583b30d41da418e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÂÖÅÌ¹ÜÀíÕ¾.exe
Filesize
357KB

MD5
f962bbe11ff07bc3c35e0a7df48ac8a5

SHA1
43d9965a1ebfc225ccbafb007033fd102408ebf2

SHA256
483d86d75ef252768488f75a622ee9dfed135e5d8ac34a5dd707f82d87bdb29b

SHA512
24cad8ced3b261f3a4fc4654a1fd5c32096e824684491f5cf85de5f8216ddea8a49b68a9c32c61148323f0e61e252fdcaed3030d6606486a6583b30d41da418e

Download Submit
memory/868-133-0x0000000000000000-mapping.dmp

Download
memory/1208-143-0x0000000000000000-mapping.dmp

Download
memory/2840-132-0x0000000000000000-mapping.dmp

Download
memory/3224-140-0x0000000000000000-mapping.dmp

Download
memory/3428-137-0x0000000000000000-mapping.dmp

Download
memory/4220-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads