8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe
Size

148KB
MD5

ac467958a4e9293138985ea4f3f5242c
SHA1

0d5cd02e0b627e6be64eb3209306b3b3f822d493
SHA256

8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85
SHA512

122f81d2689562f69604801884cf3f4950fb6253234c82f896402bd908db1c808db137706de01d29d58907bdee77454bb1acac00be522af96f5c5e9666e426e6
SSDEEP

3072:R45BVnzPVigj6G7gW1lktdVbKPkKE9qKIuD4oQZiEt60:gBVz9Fj7b1eDvXIoWV

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cvvaux.exe

Executes dropped EXE 1 IoCs

pid	Process
1924	cvvaux.exe

Loads dropped DLL 2 IoCs

pid	Process
740	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe
740	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /Y"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /Z"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /L"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /B"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /g"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /J"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /s"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /e"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /R"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /S"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /I"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /E"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /K"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /z"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /x"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /r"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /W"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /u"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /G"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /M"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /k"	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /y"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /X"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /T"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /w"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /m"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /a"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /V"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /t"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /A"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /k"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /c"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /N"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /O"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /l"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /C"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /f"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /H"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /p"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /i"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /d"	cvvaux.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /D"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /F"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /b"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /h"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /n"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /q"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /j"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /P"	cvvaux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvvaux = "C:\\Users\\Admin\\cvvaux.exe /o"	cvvaux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
740	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe
1924	cvvaux.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
740	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe
1924	cvvaux.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1924	740	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe	27
PID 740 wrote to memory of 1924	740	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe	27
PID 740 wrote to memory of 1924	740	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe	27
PID 740 wrote to memory of 1924	740	8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe	27

C:\Users\Admin\AppData\Local\Temp\8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe
"C:\Users\Admin\AppData\Local\Temp\8008adcf684ec024746b220458cd3f7f6538228b9b52a6194527fd7b42a1ec85.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\cvvaux.exe
  "C:\Users\Admin\cvvaux.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cvvaux.exe

Filesize
148KB

MD5
b923ab040de31f8ffe8b0ef5cffd1dbe

SHA1
8aaf4e27a0ef3ea757a3a60fcfbccc04948c7cd7

SHA256
441b1cc8ff06a464275e878a5524beb16f5f1c660724fb83121a7c80a8b944b3

SHA512
62ebdf971ca25fe3b66029ce7904e09e28773a10236a56a8581d05c46f7b939b27925b188d64928d80f1de5780d04e56cea957c2af64dd921ca369b984363987

Download Submit
C:\Users\Admin\cvvaux.exe

Filesize
148KB

MD5
b923ab040de31f8ffe8b0ef5cffd1dbe

SHA1
8aaf4e27a0ef3ea757a3a60fcfbccc04948c7cd7

SHA256
441b1cc8ff06a464275e878a5524beb16f5f1c660724fb83121a7c80a8b944b3

SHA512
62ebdf971ca25fe3b66029ce7904e09e28773a10236a56a8581d05c46f7b939b27925b188d64928d80f1de5780d04e56cea957c2af64dd921ca369b984363987

Download Submit
\Users\Admin\cvvaux.exe

Filesize
148KB

MD5
b923ab040de31f8ffe8b0ef5cffd1dbe

SHA1
8aaf4e27a0ef3ea757a3a60fcfbccc04948c7cd7

SHA256
441b1cc8ff06a464275e878a5524beb16f5f1c660724fb83121a7c80a8b944b3

SHA512
62ebdf971ca25fe3b66029ce7904e09e28773a10236a56a8581d05c46f7b939b27925b188d64928d80f1de5780d04e56cea957c2af64dd921ca369b984363987

Download Submit
\Users\Admin\cvvaux.exe

Filesize
148KB

MD5
b923ab040de31f8ffe8b0ef5cffd1dbe

SHA1
8aaf4e27a0ef3ea757a3a60fcfbccc04948c7cd7

SHA256
441b1cc8ff06a464275e878a5524beb16f5f1c660724fb83121a7c80a8b944b3

SHA512
62ebdf971ca25fe3b66029ce7904e09e28773a10236a56a8581d05c46f7b939b27925b188d64928d80f1de5780d04e56cea957c2af64dd921ca369b984363987

Download Submit
memory/740-56-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1924-59-0x0000000000000000-mapping.dmp

Download