7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489

General

Target

7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
Size

140KB
MD5

2986b17992a2d9ffad87fd601c685977
SHA1

01a5a995304b78a44516d608490ddbe95a497e26
SHA256

7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489
SHA512

a3d27b739981a4c6981772b7cfbcefef738e6ad2975e826c00cc20e4e3c519ddf5696d945031fb0dcebef5bb54b11b1e7f39961dd292bd2312b5840fc96acff5
SSDEEP

3072:Hb4s/l8iiDXiYukRy9Vd746gh4Z91gCBzTz4y3/UHj7Nzspl+fX/:HB/l0Xi3uyJ7Mhy9dx3s3fv

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServTestDos\Parameters\ServiceDll = "C:\\Windows\\ServTestDos.dll"	7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/956-54-0x0000000000ED0000-0x0000000000F17000-memory.dmp	vmprotect
behavioral1/memory/956-55-0x0000000000ED0000-0x0000000000F17000-memory.dmp	vmprotect
\??\c:\windows\servtestdos.dll	vmprotect
behavioral1/memory/1732-58-0x00000000745A0000-0x00000000745E7000-memory.dmp	vmprotect
behavioral1/memory/1732-61-0x00000000745A0000-0x00000000745E7000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

696 cmd.exe

pid	process
696	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe

description	ioc	process
File created	C:\Windows\ServTestDos.dll	7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
File opened for modification	C:\Windows\ServTestDos.dll	7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe

description	pid	process	target process
PID 956 wrote to memory of 696	956	7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe	cmd.exe
PID 956 wrote to memory of 696	956	7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe	cmd.exe
PID 956 wrote to memory of 696	956	7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe	cmd.exe
PID 956 wrote to memory of 696	956	7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe
"C:\Users\Admin\AppData\Local\Temp\7f5ff5631d39ac56e58d81bf4add4db090824accfd843c617adfd9b11f628489.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7119355.bat" "
2⤵
- Deletes itself
PID:696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ServTestDos
1⤵
- Checks processor information in registry
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7119355.bat
Filesize
239B

MD5
472aeb73e8a6ca5cb3886bd96e5505bb

SHA1
e24df0dcf77369cf037036e9954405b275dea12f

SHA256
7d3c5a2ca963f64d9a98cb22990449b429aa10f2a8a6f511e00336e061eac4c9

SHA512
5c5437f3feba0e9742415866645429262826ec6c1bf33aae85f2c3f627f3b3c8b51162cf15f9cc4ef52aaf741885d349400c368381932e06982a2b26b595f499

Download Submit
\??\c:\windows\servtestdos.dll
Filesize
140KB

MD5
b9f33d2f141ca844a452298ffa705431

SHA1
863c9b23d580813467fe5adbfdabdda62fd10d6b

SHA256
810db9351dcd3e9b7958d558434fcebb03a1e53d4eed34f2ff495c875d475946

SHA512
c8cc36465b9f323363304ba32bd33e319bdeb9258a40680c2158861ad7ad62c8145504b89cb3eba61f42fb11a95ad632c185a93c101e55a0487d1f8075866adc

Download Submit
memory/696-59-0x0000000000000000-mapping.dmp

Download
memory/956-54-0x0000000000ED0000-0x0000000000F17000-memory.dmp

Filesize
284KB

Download
memory/956-55-0x0000000000ED0000-0x0000000000F17000-memory.dmp

Filesize
284KB

Download
memory/956-57-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1732-58-0x00000000745A0000-0x00000000745E7000-memory.dmp

Filesize
284KB

Download
memory/1732-61-0x00000000745A0000-0x00000000745E7000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads