915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe
Size

1.5MB
MD5

d024a15e3aca2d00fb08630d658a0908
SHA1

539176c120e436f315d036731a12368fa9eae0df
SHA256

915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73
SHA512

b7d9e1b5daf0b58be3cd179ebca4953fc7648a5d8e3d4259e27b41871945a97f1688a67842b636532cf5761813790ba3dcf20a269092f8cce16e31b6ae9b29a1
SSDEEP

24576:dcqmv1tJkM75eUV5zea9DVe2FuNc6NAJgB8Z7GXfX8jOQa74QQJbNQKAmRaWTRom:mv1x51V5Re2oN3ACB8UvMwQJhHRjogGu

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scrss.exe = "\"scrss.exe \""	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
1908	setup32.exe
1396	scrss.exe

Loads dropped DLL 10 IoCs

pid	Process
536	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1396	scrss.exe
1396	scrss.exe
1396	scrss.exe
1396	scrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
836	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
916	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe
1908	setup32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1908	536	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	28
PID 536 wrote to memory of 1908	536	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	28
PID 536 wrote to memory of 1908	536	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	28
PID 536 wrote to memory of 1908	536	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	28
PID 536 wrote to memory of 1908	536	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	28
PID 536 wrote to memory of 1908	536	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	28
PID 536 wrote to memory of 1908	536	915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe	28
PID 1908 wrote to memory of 916	1908	setup32.exe	29
PID 1908 wrote to memory of 916	1908	setup32.exe	29
PID 1908 wrote to memory of 916	1908	setup32.exe	29
PID 1908 wrote to memory of 916	1908	setup32.exe	29
PID 1908 wrote to memory of 916	1908	setup32.exe	29
PID 1908 wrote to memory of 916	1908	setup32.exe	29
PID 1908 wrote to memory of 916	1908	setup32.exe	29
PID 1908 wrote to memory of 1396	1908	setup32.exe	30
PID 1908 wrote to memory of 1396	1908	setup32.exe	30
PID 1908 wrote to memory of 1396	1908	setup32.exe	30
PID 1908 wrote to memory of 1396	1908	setup32.exe	30
PID 1908 wrote to memory of 1396	1908	setup32.exe	30
PID 1908 wrote to memory of 1396	1908	setup32.exe	30
PID 1908 wrote to memory of 1396	1908	setup32.exe	30
PID 1908 wrote to memory of 1756	1908	setup32.exe	31
PID 1908 wrote to memory of 1756	1908	setup32.exe	31
PID 1908 wrote to memory of 1756	1908	setup32.exe	31
PID 1908 wrote to memory of 1756	1908	setup32.exe	31
PID 1908 wrote to memory of 1756	1908	setup32.exe	31
PID 1908 wrote to memory of 1756	1908	setup32.exe	31
PID 1908 wrote to memory of 1756	1908	setup32.exe	31
PID 1756 wrote to memory of 528	1756	cmd.exe	33
PID 1756 wrote to memory of 528	1756	cmd.exe	33
PID 1756 wrote to memory of 528	1756	cmd.exe	33
PID 1756 wrote to memory of 528	1756	cmd.exe	33
PID 1756 wrote to memory of 528	1756	cmd.exe	33
PID 1756 wrote to memory of 528	1756	cmd.exe	33
PID 1756 wrote to memory of 528	1756	cmd.exe	33
PID 528 wrote to memory of 836	528	cmd.exe	34
PID 528 wrote to memory of 836	528	cmd.exe	34
PID 528 wrote to memory of 836	528	cmd.exe	34
PID 528 wrote to memory of 836	528	cmd.exe	34
PID 528 wrote to memory of 836	528	cmd.exe	34
PID 528 wrote to memory of 836	528	cmd.exe	34
PID 528 wrote to memory of 836	528	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe
"C:\Users\Admin\AppData\Local\Temp\915cc6e0b4eb3bd12e5f1919b66de5e3acfbcdc72b5cce6c5c0c656e1d9d1c73.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Roaming\Microsoft\setup32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\setup32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\mesaj2.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:916
- - C:\Users\Admin\AppData\Local\Temp\scrss.exe
    "C:\Users\Admin\AppData\Local\Temp\scrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"scrss.exe \"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"scrss.exe \"" /f
        5⤵
        Adds policy Run key to start application
        Modifies registry key
        
        PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.bat

Filesize
136B

MD5
2cd204544a454c7e443f9b55ec817484

SHA1
67e9dea6ba52997bb1212a1b04b68f8ddb0ab563

SHA256
04f1b243de434d188191b8cea9b84e292a8a104d8eae8ab435fe480155caef7a

SHA512
173eefc8d307a0d98dcb484a1a865337295279df86d44c41ebf722306de6ece113bc0a0bec2aa5eb51c71eb40c266b1e1f371547dc653c77fc2c33e5c99e5516

Download Submit
C:\Users\Admin\AppData\Local\Temp\mesaj2.txt

Filesize
871B

MD5
2f64c639ad8f05204f4ae397c52acc8c

SHA1
7de09f1b781703926c6a33f1e5d9c0630c40e405

SHA256
a8ac437f75f8ff37d897e301bf8d759e400981f2945510feb86ff4818d9ca703

SHA512
cc1752be57a9bb6fe274291ff4d611c1cd39f6b960967c684cd2a02b7d24cd00b2537d1ab42ef97557fe9c886b50586a7003245aff46ee66713361f102b59bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntldr.dll

Filesize
221KB

MD5
85d6d521d2a3492d0432080d277fa896

SHA1
bb72a13d3b3a92c043a5da02196fc74560a24e6d

SHA256
faf4fe2b8b84c033c7fe29ed872f3cefadb179505d23ab899a543def4d2b5d68

SHA512
83b11ad9afc4a42fdeff4bb0de6c9a336d090a6ea0686849100b7391c9bf6513d3e36655ad72ae27f9f29ef6bcafb7904ecdecf68ef0f23cef27b63e6ae83cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\setup32.exe

Filesize
1.2MB

MD5
4378197241e62a4327b2ebd5b7fa9a0b

SHA1
0279c67adae8f0fc436b56834c77afb7a1b981fe

SHA256
c2bf1e40d93d80d84993a0a8fa24f53a2ce3f1f1b1315e628fe99e37637261ee

SHA512
679ef8116b587b3ebdec358ef8c73e3a2eacd835ceb27193425020892e052d06a0dc1ab486bf52944f2c2960bd1449279acb0fe08630848f1a673742cc830a58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\setup32.exe

Filesize
1.2MB

MD5
4378197241e62a4327b2ebd5b7fa9a0b

SHA1
0279c67adae8f0fc436b56834c77afb7a1b981fe

SHA256
c2bf1e40d93d80d84993a0a8fa24f53a2ce3f1f1b1315e628fe99e37637261ee

SHA512
679ef8116b587b3ebdec358ef8c73e3a2eacd835ceb27193425020892e052d06a0dc1ab486bf52944f2c2960bd1449279acb0fe08630848f1a673742cc830a58

Download Submit
\Users\Admin\AppData\Local\Temp\ntldr.dll

Filesize
221KB

MD5
85d6d521d2a3492d0432080d277fa896

SHA1
bb72a13d3b3a92c043a5da02196fc74560a24e6d

SHA256
faf4fe2b8b84c033c7fe29ed872f3cefadb179505d23ab899a543def4d2b5d68

SHA512
83b11ad9afc4a42fdeff4bb0de6c9a336d090a6ea0686849100b7391c9bf6513d3e36655ad72ae27f9f29ef6bcafb7904ecdecf68ef0f23cef27b63e6ae83cb2

Download Submit
\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
\Users\Admin\AppData\Local\Temp\scrss.exe

Filesize
475KB

MD5
626049f6ea3e5d975eff06b51565f824

SHA1
be83640e0ea42419212e0b0a9f9461f7306464b1

SHA256
8f99c2bbd3c147a31136f4568878e6aa2d40a07abbb5ea8a82736546bb5fac5c

SHA512
08f7a3f16aa054e82ab96b8953ba91cfe867c8856f16e1256fd145ce6832f43432789fef7ae5f0723c1b2ed79c0155282231b4057e9e632009e9574b6d0f2f4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\setup32.exe

Filesize
1.2MB

MD5
4378197241e62a4327b2ebd5b7fa9a0b

SHA1
0279c67adae8f0fc436b56834c77afb7a1b981fe

SHA256
c2bf1e40d93d80d84993a0a8fa24f53a2ce3f1f1b1315e628fe99e37637261ee

SHA512
679ef8116b587b3ebdec358ef8c73e3a2eacd835ceb27193425020892e052d06a0dc1ab486bf52944f2c2960bd1449279acb0fe08630848f1a673742cc830a58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\setup32.exe

Filesize
1.2MB

MD5
4378197241e62a4327b2ebd5b7fa9a0b

SHA1
0279c67adae8f0fc436b56834c77afb7a1b981fe

SHA256
c2bf1e40d93d80d84993a0a8fa24f53a2ce3f1f1b1315e628fe99e37637261ee

SHA512
679ef8116b587b3ebdec358ef8c73e3a2eacd835ceb27193425020892e052d06a0dc1ab486bf52944f2c2960bd1449279acb0fe08630848f1a673742cc830a58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\setup32.exe

Filesize
1.2MB

MD5
4378197241e62a4327b2ebd5b7fa9a0b

SHA1
0279c67adae8f0fc436b56834c77afb7a1b981fe

SHA256
c2bf1e40d93d80d84993a0a8fa24f53a2ce3f1f1b1315e628fe99e37637261ee

SHA512
679ef8116b587b3ebdec358ef8c73e3a2eacd835ceb27193425020892e052d06a0dc1ab486bf52944f2c2960bd1449279acb0fe08630848f1a673742cc830a58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\setup32.exe

Filesize
1.2MB

MD5
4378197241e62a4327b2ebd5b7fa9a0b

SHA1
0279c67adae8f0fc436b56834c77afb7a1b981fe

SHA256
c2bf1e40d93d80d84993a0a8fa24f53a2ce3f1f1b1315e628fe99e37637261ee

SHA512
679ef8116b587b3ebdec358ef8c73e3a2eacd835ceb27193425020892e052d06a0dc1ab486bf52944f2c2960bd1449279acb0fe08630848f1a673742cc830a58

Download Submit
memory/536-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download