c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5

Analysis

max time kernel
93s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
Size

116KB
MD5

8f3bdc938cb84ce209a4b522127d053c
SHA1

8dabcff7888d9d2716c826fd0bd5c594e867bfaa
SHA256

c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5
SHA512

641a36f880c833ba6548aa1de3ae795509b93301f48b64d50d02566db6837457679f8f78ca30b1742c9d2691b7b645f03a55a8ac96278ee988df27600cc2c574
SSDEEP

3072:g/oEsNNEK/oVQ0nEIgfKDSRGO5508x/haO8T2rSRcz:g/oXLJ/omZ7dg7+z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4296	svvost.exe
5020	winlig.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Fonts\svvost.exe	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
File opened for modification	C:\WINDOWS\Fonts\winlig.exe	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 3132	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	79
PID 4084 wrote to memory of 3132	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	79
PID 4084 wrote to memory of 3132	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	79
PID 3132 wrote to memory of 4900	3132	cmd.exe	81
PID 3132 wrote to memory of 4900	3132	cmd.exe	81
PID 3132 wrote to memory of 4900	3132	cmd.exe	81
PID 4900 wrote to memory of 4916	4900	net.exe	82
PID 4900 wrote to memory of 4916	4900	net.exe	82
PID 4900 wrote to memory of 4916	4900	net.exe	82
PID 4084 wrote to memory of 4296	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	83
PID 4084 wrote to memory of 4296	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	83
PID 4084 wrote to memory of 4296	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	83
PID 4084 wrote to memory of 5020	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	84
PID 4084 wrote to memory of 5020	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	84
PID 4084 wrote to memory of 5020	4084	c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe	84

C:\Users\Admin\AppData\Local\Temp\c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe
"C:\Users\Admin\AppData\Local\Temp\c3852859c8e186f7ddd636fcda83a26f2c302672d284039cde53050ff34a5bd5.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:4916
- C:\WINDOWS\Fonts\svvost.exe
  "C:\WINDOWS\Fonts\svvost.exe"
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\WINDOWS\Fonts\winlig.exe
  "C:\WINDOWS\Fonts\winlig.exe"
  2⤵
  - Executes dropped EXE
  PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\Fonts\winlig.exe

Filesize
36KB

MD5
bd74cfe59c83f8cc6d4066e46af6de63

SHA1
19220986deb0fa6eb13afa5594d45e8270eb204d

SHA256
202fc7e7503e03e6c5bf93aea9b888d9af83fa85407fb23ee3f092267a8d6254

SHA512
6534c5f3b6ed203c822c53a20a4f4bd3e682f35ca06efe756f0f06ea8dbef38d82895dde1677d5e071fcaef41cd8e4681df6e40f9db39d88017188b2dbc30072

Download Submit
C:\Windows\Fonts\svvost.exe

Filesize
13KB

MD5
0b59a3127044768e3eb9f124e46543f2

SHA1
c6d1dab3f8b191fd2d43868243f75b023d6050ce

SHA256
8b623c47e8cfc1b3f98d956d128adf49a8f7c76e27e5d3bde05ed2c84fba5a4d

SHA512
0265a58e5d8fe9de0d51b10a95d02f0ad772c5b7914e32323ab5b902412d70413ac3284292bbcc36e59892e12a50abff5ddfa716aa4eb077af7c89ccf475bc92

Download Submit
C:\Windows\Fonts\winlig.exe

Filesize
36KB

MD5
bd74cfe59c83f8cc6d4066e46af6de63

SHA1
19220986deb0fa6eb13afa5594d45e8270eb204d

SHA256
202fc7e7503e03e6c5bf93aea9b888d9af83fa85407fb23ee3f092267a8d6254

SHA512
6534c5f3b6ed203c822c53a20a4f4bd3e682f35ca06efe756f0f06ea8dbef38d82895dde1677d5e071fcaef41cd8e4681df6e40f9db39d88017188b2dbc30072

Download Submit
memory/4084-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4084-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5020-142-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download