e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3

Analysis

max time kernel
139s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe
Size

730KB
MD5

28d8cdbaef107da7a4670c80a9dc91d9
SHA1

ece9bf576f8f458850b8ad48db034690e4ab529e
SHA256

e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3
SHA512

208d1a51d216d81b01b2ccd9323a7c1066aae2e1b511fc915ce82e5b3973656e1fb445e1ed5fffccc4cbc546214da7aeb77b0fe15f993608b63cf59c99413106
SSDEEP

12288:cRWNcr8oxncLH0BYXEZyXNbUQI6YrZdzL0wArkRhA6cfUGpXWO4GQQcWcCK7MY2n:3NBIcrctodbUl1larAhA9UsWtGs9Mlnn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svn.exesvn.exe

pid process

1584 svn.exe
1788 svn.exe
Loads dropped DLL 4 IoCs

Processes:

WScript.exesvn.exe

pid process

392 WScript.exe
392 WScript.exe
1584 svn.exe
1584 svn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1560 taskkill.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

svn.exe

pid process

1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
1584 svn.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svn.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1584 svn.exe
Token: SeDebugPrivilege 1560 taskkill.exe

pid	process
1584	svn.exe
1788	svn.exe

pid	process
392	WScript.exe
392	WScript.exe
1584	svn.exe
1584	svn.exe

pid	process
1560	taskkill.exe

pid	process
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe
1584	svn.exe

description	pid	process
Token: SeDebugPrivilege	1584	svn.exe
Token: SeDebugPrivilege	1560	taskkill.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exeWScript.exesvn.exeWScript.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 392	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 392	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 392	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 392	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 392	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 392	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 392	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 392 wrote to memory of 1584	392	WScript.exe	svn.exe
PID 392 wrote to memory of 1584	392	WScript.exe	svn.exe
PID 392 wrote to memory of 1584	392	WScript.exe	svn.exe
PID 392 wrote to memory of 1584	392	WScript.exe	svn.exe
PID 392 wrote to memory of 1584	392	WScript.exe	svn.exe
PID 392 wrote to memory of 1584	392	WScript.exe	svn.exe
PID 392 wrote to memory of 1584	392	WScript.exe	svn.exe
PID 1584 wrote to memory of 1788	1584	svn.exe	svn.exe
PID 1584 wrote to memory of 1788	1584	svn.exe	svn.exe
PID 1584 wrote to memory of 1788	1584	svn.exe	svn.exe
PID 1584 wrote to memory of 1788	1584	svn.exe	svn.exe
PID 1584 wrote to memory of 1788	1584	svn.exe	svn.exe
PID 1584 wrote to memory of 1788	1584	svn.exe	svn.exe
PID 1584 wrote to memory of 1788	1584	svn.exe	svn.exe
PID 1584 wrote to memory of 1660	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1660	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1660	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1660	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1912	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1912	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1912	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1912	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1908	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1908	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1908	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1908	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1292	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1292	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1292	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1292	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1436	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1436	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1436	1584	svn.exe	explorer.exe
PID 1584 wrote to memory of 1436	1584	svn.exe	explorer.exe
PID 2000 wrote to memory of 1792	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 1792	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 1792	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 1792	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 1792	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 1792	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 2000 wrote to memory of 1792	2000	e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe	WScript.exe
PID 1792 wrote to memory of 1608	1792	WScript.exe	cmd.exe
PID 1792 wrote to memory of 1608	1792	WScript.exe	cmd.exe
PID 1792 wrote to memory of 1608	1792	WScript.exe	cmd.exe
PID 1792 wrote to memory of 1608	1792	WScript.exe	cmd.exe
PID 1792 wrote to memory of 1608	1792	WScript.exe	cmd.exe
PID 1792 wrote to memory of 1608	1792	WScript.exe	cmd.exe
PID 1792 wrote to memory of 1608	1792	WScript.exe	cmd.exe
PID 1608 wrote to memory of 1560	1608	cmd.exe	taskkill.exe
PID 1608 wrote to memory of 1560	1608	cmd.exe	taskkill.exe
PID 1608 wrote to memory of 1560	1608	cmd.exe	taskkill.exe
PID 1608 wrote to memory of 1560	1608	cmd.exe	taskkill.exe
PID 1608 wrote to memory of 1560	1608	cmd.exe	taskkill.exe
PID 1608 wrote to memory of 1560	1608	cmd.exe	taskkill.exe
PID 1608 wrote to memory of 1560	1608	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe
"C:\Users\Admin\AppData\Local\Temp\e83dad3415ee3ca0b095f78619f6cd578ae86c7672e6a0c28270bbd6cfcdc3d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\kl.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe"
4⤵
- Executes dropped EXE
PID:1788

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:1660

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:1912

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:1908

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:1292

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:1436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bat.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\k.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im svn.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bat.vbs
Filesize
71B

MD5
04805c1c61d899d44639589c0049c5ef

SHA1
a43efd5588aca4dfb09eeb87924877095715eea1

SHA256
f3215aea801adbc9633e1d471d3b1e1d1cb2bfcf517f95c87a8693fb7aa82b9b

SHA512
9400ef0ac810305f12d03f5a5eced1c3e208e2bdc1fa2be7cd3e6576354b4200890b542313a885d9aef4aff6de9d9509686566923b9d86350c2eac7c7c2f9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\k.bat
Filesize
23B

MD5
57a999f78f7d52d9226723ebd854fd05

SHA1
21bc46100d995eebe8585fb49792478a7861f6ec

SHA256
4c28eb1586f6dd060a1a4d30cb63abeef0d22eabab370a098c6d28d715a32363

SHA512
dd7f89364dfd1c80507b4d2eef7d8975afa9bdcf0f6fd4cd3d199be6f26d31da2375e04e715c6234fdcd6ac723545c982e1ec20b9c5cc76532d331821865d988

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kl.vbs
Filesize
50B

MD5
a480ea8e530c95808c8cb4d5f2d8b9ac

SHA1
06dc46329ba1ea630636f0dab1138a7747db35f3

SHA256
8fb204973876b2c69eacd2878e40164183fc629437a7dad17c763b8b92430e4f

SHA512
6e831a826fb5ea908f5ac5d39f287f9acb6c419669ebb2a2e54f011eb05b6eeaf9699d245f96d6a31eb2b10aeb49e60f8d1021cd98cbc220c007730f99a77816

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
Filesize
824KB

MD5
79e43a8b49465a118c03c88f232353b5

SHA1
c921090091e89b954248d900caa843241588f745

SHA256
00a9d4151baad17a03bc2c6331f0c10cb4c1dcd578ee9ba6b56fde000a8cbdf4

SHA512
548f19bf8edc2655de135918dd0f5a58c49d226765c231cdc8c1d5e8173874cb833d5859d3eb19099e184b02f67bccc91910a5d815b4f4c0315ab1778d40fc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
Filesize
824KB

MD5
79e43a8b49465a118c03c88f232353b5

SHA1
c921090091e89b954248d900caa843241588f745

SHA256
00a9d4151baad17a03bc2c6331f0c10cb4c1dcd578ee9ba6b56fde000a8cbdf4

SHA512
548f19bf8edc2655de135918dd0f5a58c49d226765c231cdc8c1d5e8173874cb833d5859d3eb19099e184b02f67bccc91910a5d815b4f4c0315ab1778d40fc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
Filesize
824KB

MD5
79e43a8b49465a118c03c88f232353b5

SHA1
c921090091e89b954248d900caa843241588f745

SHA256
00a9d4151baad17a03bc2c6331f0c10cb4c1dcd578ee9ba6b56fde000a8cbdf4

SHA512
548f19bf8edc2655de135918dd0f5a58c49d226765c231cdc8c1d5e8173874cb833d5859d3eb19099e184b02f67bccc91910a5d815b4f4c0315ab1778d40fc72

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
Filesize
824KB

MD5
79e43a8b49465a118c03c88f232353b5

SHA1
c921090091e89b954248d900caa843241588f745

SHA256
00a9d4151baad17a03bc2c6331f0c10cb4c1dcd578ee9ba6b56fde000a8cbdf4

SHA512
548f19bf8edc2655de135918dd0f5a58c49d226765c231cdc8c1d5e8173874cb833d5859d3eb19099e184b02f67bccc91910a5d815b4f4c0315ab1778d40fc72

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
Filesize
824KB

MD5
79e43a8b49465a118c03c88f232353b5

SHA1
c921090091e89b954248d900caa843241588f745

SHA256
00a9d4151baad17a03bc2c6331f0c10cb4c1dcd578ee9ba6b56fde000a8cbdf4

SHA512
548f19bf8edc2655de135918dd0f5a58c49d226765c231cdc8c1d5e8173874cb833d5859d3eb19099e184b02f67bccc91910a5d815b4f4c0315ab1778d40fc72

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
Filesize
824KB

MD5
79e43a8b49465a118c03c88f232353b5

SHA1
c921090091e89b954248d900caa843241588f745

SHA256
00a9d4151baad17a03bc2c6331f0c10cb4c1dcd578ee9ba6b56fde000a8cbdf4

SHA512
548f19bf8edc2655de135918dd0f5a58c49d226765c231cdc8c1d5e8173874cb833d5859d3eb19099e184b02f67bccc91910a5d815b4f4c0315ab1778d40fc72

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\svn.exe
Filesize
824KB

MD5
79e43a8b49465a118c03c88f232353b5

SHA1
c921090091e89b954248d900caa843241588f745

SHA256
00a9d4151baad17a03bc2c6331f0c10cb4c1dcd578ee9ba6b56fde000a8cbdf4

SHA512
548f19bf8edc2655de135918dd0f5a58c49d226765c231cdc8c1d5e8173874cb833d5859d3eb19099e184b02f67bccc91910a5d815b4f4c0315ab1778d40fc72

Download Submit
memory/392-55-0x0000000000000000-mapping.dmp

Download
memory/1560-75-0x0000000000000000-mapping.dmp

Download
memory/1584-64-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-68-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-61-0x0000000000000000-mapping.dmp

Download
memory/1608-73-0x0000000000000000-mapping.dmp

Download
memory/1792-69-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download