c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5

General

Target

c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
Size

116KB
MD5

8f3bdc938cb84ce209a4b522127d053c
SHA1

8dabcff7888d9d2716c826fd0bd5c594e867bfaa
SHA256

c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5
SHA512

641a36f880c833ba6548aa1de3ae795509b93301f48b64d50d02566db6837457679f8f78ca30b1742c9d2691b7b645f03a55a8ac96278ee988df27600cc2c574
SSDEEP

3072:g/oEsNNEK/oVQ0nEIgfKDSRGO5508x/haO8T2rSRcz:g/oXLJ/omZ7dg7+z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1520	svvost.exe
1688	winlig.exe

Loads dropped DLL 4 IoCs

pid	Process
1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Fonts\svvost.exe	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
File opened for modification	C:\WINDOWS\Fonts\winlig.exe	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1520	svvost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 948	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	28
PID 1780 wrote to memory of 948	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	28
PID 1780 wrote to memory of 948	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	28
PID 1780 wrote to memory of 948	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	28
PID 948 wrote to memory of 684	948	cmd.exe	30
PID 948 wrote to memory of 684	948	cmd.exe	30
PID 948 wrote to memory of 684	948	cmd.exe	30
PID 948 wrote to memory of 684	948	cmd.exe	30
PID 684 wrote to memory of 1160	684	net.exe	31
PID 684 wrote to memory of 1160	684	net.exe	31
PID 684 wrote to memory of 1160	684	net.exe	31
PID 684 wrote to memory of 1160	684	net.exe	31
PID 1780 wrote to memory of 1520	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	32
PID 1780 wrote to memory of 1520	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	32
PID 1780 wrote to memory of 1520	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	32
PID 1780 wrote to memory of 1520	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	32
PID 1780 wrote to memory of 1688	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	33
PID 1780 wrote to memory of 1688	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	33
PID 1780 wrote to memory of 1688	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	33
PID 1780 wrote to memory of 1688	1780	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	33

C:\Users\Admin\AppData\Local\Temp\c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
"C:\Users\Admin\AppData\Local\Temp\c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:1160
- C:\WINDOWS\Fonts\svvost.exe
  "C:\WINDOWS\Fonts\svvost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1520
- C:\WINDOWS\Fonts\winlig.exe
  "C:\WINDOWS\Fonts\winlig.exe"
  2⤵
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\svvost.exe

Filesize
13KB

MD5
0b59a3127044768e3eb9f124e46543f2

SHA1
c6d1dab3f8b191fd2d43868243f75b023d6050ce

SHA256
8b623c47e8cfc1b3f98d956d128adf49a8f7c76e27e5d3bde05ed2c84fba5a4d

SHA512
0265a58e5d8fe9de0d51b10a95d02f0ad772c5b7914e32323ab5b902412d70413ac3284292bbcc36e59892e12a50abff5ddfa716aa4eb077af7c89ccf475bc92

Download Submit
C:\Windows\Fonts\winlig.exe

Filesize
36KB

MD5
bd74cfe59c83f8cc6d4066e46af6de63

SHA1
19220986deb0fa6eb13afa5594d45e8270eb204d

SHA256
202fc7e7503e03e6c5bf93aea9b888d9af83fa85407fb23ee3f092267a8d6254

SHA512
6534c5f3b6ed203c822c53a20a4f4bd3e682f35ca06efe756f0f06ea8dbef38d82895dde1677d5e071fcaef41cd8e4681df6e40f9db39d88017188b2dbc30072

Download Submit
\Windows\Fonts\svvost.exe

Filesize
13KB

MD5
0b59a3127044768e3eb9f124e46543f2

SHA1
c6d1dab3f8b191fd2d43868243f75b023d6050ce

SHA256
8b623c47e8cfc1b3f98d956d128adf49a8f7c76e27e5d3bde05ed2c84fba5a4d

SHA512
0265a58e5d8fe9de0d51b10a95d02f0ad772c5b7914e32323ab5b902412d70413ac3284292bbcc36e59892e12a50abff5ddfa716aa4eb077af7c89ccf475bc92

Download Submit
\Windows\Fonts\svvost.exe

Filesize
13KB

MD5
0b59a3127044768e3eb9f124e46543f2

SHA1
c6d1dab3f8b191fd2d43868243f75b023d6050ce

SHA256
8b623c47e8cfc1b3f98d956d128adf49a8f7c76e27e5d3bde05ed2c84fba5a4d

SHA512
0265a58e5d8fe9de0d51b10a95d02f0ad772c5b7914e32323ab5b902412d70413ac3284292bbcc36e59892e12a50abff5ddfa716aa4eb077af7c89ccf475bc92

Download Submit
\Windows\Fonts\winlig.exe

Filesize
36KB

MD5
bd74cfe59c83f8cc6d4066e46af6de63

SHA1
19220986deb0fa6eb13afa5594d45e8270eb204d

SHA256
202fc7e7503e03e6c5bf93aea9b888d9af83fa85407fb23ee3f092267a8d6254

SHA512
6534c5f3b6ed203c822c53a20a4f4bd3e682f35ca06efe756f0f06ea8dbef38d82895dde1677d5e071fcaef41cd8e4681df6e40f9db39d88017188b2dbc30072

Download Submit
\Windows\Fonts\winlig.exe

Filesize
36KB

MD5
bd74cfe59c83f8cc6d4066e46af6de63

SHA1
19220986deb0fa6eb13afa5594d45e8270eb204d

SHA256
202fc7e7503e03e6c5bf93aea9b888d9af83fa85407fb23ee3f092267a8d6254

SHA512
6534c5f3b6ed203c822c53a20a4f4bd3e682f35ca06efe756f0f06ea8dbef38d82895dde1677d5e071fcaef41cd8e4681df6e40f9db39d88017188b2dbc30072

Download Submit
memory/1688-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1780-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1780-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1780-69-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download
memory/1780-70-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download
memory/1780-73-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download
memory/1780-74-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing