39156092712f27714fed918a43876cd6b85c9ad6d3ab6b96fe22e49eb2f34346

General

Target

some one.exe
Size

302KB
MD5

86eb99da387c1c3dd5b592e7b0a5594d
SHA1

aab348d33cafec70d106f22df4da09e1f98cc26c
SHA256

39156092712f27714fed918a43876cd6b85c9ad6d3ab6b96fe22e49eb2f34346
SHA512

a038edcae1503a04f371ac0ed60fcdf640f63a3b63e82f25fd40d834223bcde58e99ffa3efd60517ccab20af78ccc9930b9c6febe64ac8527875a7dba4855f13
SSDEEP

6144:/Ya63rGGg+kn/BQ4jnZdFmW5l+i2LELjlXSaqQpkVGD:/Y9inn5Q4jZdFmW5l+i2Y//qQa2

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1776	cscript.exe
13	1776	cscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1588	cvgev.exe
592	cvgev.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	cvgev.exe

Loads dropped DLL 3 IoCs

pid	Process
1404	some one.exe
1588	cvgev.exe
1776	cscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 592	1588	cvgev.exe	27
PID 592 set thread context of 1412	592	cvgev.exe	21
PID 1776 set thread context of 1412	1776	cscript.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
592	cvgev.exe
592	cvgev.exe
592	cvgev.exe
592	cvgev.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1588	cvgev.exe
592	cvgev.exe
592	cvgev.exe
592	cvgev.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe
1776	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	cvgev.exe
Token: SeDebugPrivilege	1776	cscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1588	1404	some one.exe	26
PID 1404 wrote to memory of 1588	1404	some one.exe	26
PID 1404 wrote to memory of 1588	1404	some one.exe	26
PID 1404 wrote to memory of 1588	1404	some one.exe	26
PID 1588 wrote to memory of 592	1588	cvgev.exe	27
PID 1588 wrote to memory of 592	1588	cvgev.exe	27
PID 1588 wrote to memory of 592	1588	cvgev.exe	27
PID 1588 wrote to memory of 592	1588	cvgev.exe	27
PID 1588 wrote to memory of 592	1588	cvgev.exe	27
PID 1412 wrote to memory of 1776	1412	Explorer.EXE	28
PID 1412 wrote to memory of 1776	1412	Explorer.EXE	28
PID 1412 wrote to memory of 1776	1412	Explorer.EXE	28
PID 1412 wrote to memory of 1776	1412	Explorer.EXE	28
PID 1776 wrote to memory of 816	1776	cscript.exe	31
PID 1776 wrote to memory of 816	1776	cscript.exe	31
PID 1776 wrote to memory of 816	1776	cscript.exe	31
PID 1776 wrote to memory of 816	1776	cscript.exe	31
PID 1776 wrote to memory of 816	1776	cscript.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\some one.exe
  "C:\Users\Admin\AppData\Local\Temp\some one.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\cvgev.exe
    "C:\Users\Admin\AppData\Local\Temp\cvgev.exe" C:\Users\Admin\AppData\Local\Temp\oprgilry.lzt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\cvgev.exe
      "C:\Users\Admin\AppData\Local\Temp\cvgev.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:592
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cvgev.exe

Filesize
112KB

MD5
1f7006033f9ed58effc0e27bb8c264fd

SHA1
8db5a331bd275c566aa6b1b930088546fb670a9c

SHA256
9153d4cef97c5cd0039491849d1852266d0af49b21b9e6a02ea509da9c9bbdd4

SHA512
60d4c394037e7eba9677a2673ba83e6fd99d9997c3f7fb248d14cbdeef90efa31d480cedc567050b741017d96caab5eb7ce6b2f056d9a2b483ee9d68f3bf6a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvgev.exe

Filesize
112KB

MD5
1f7006033f9ed58effc0e27bb8c264fd

SHA1
8db5a331bd275c566aa6b1b930088546fb670a9c

SHA256
9153d4cef97c5cd0039491849d1852266d0af49b21b9e6a02ea509da9c9bbdd4

SHA512
60d4c394037e7eba9677a2673ba83e6fd99d9997c3f7fb248d14cbdeef90efa31d480cedc567050b741017d96caab5eb7ce6b2f056d9a2b483ee9d68f3bf6a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvgev.exe

Filesize
112KB

MD5
1f7006033f9ed58effc0e27bb8c264fd

SHA1
8db5a331bd275c566aa6b1b930088546fb670a9c

SHA256
9153d4cef97c5cd0039491849d1852266d0af49b21b9e6a02ea509da9c9bbdd4

SHA512
60d4c394037e7eba9677a2673ba83e6fd99d9997c3f7fb248d14cbdeef90efa31d480cedc567050b741017d96caab5eb7ce6b2f056d9a2b483ee9d68f3bf6a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\febkfpujq.x

Filesize
205KB

MD5
fc6ff017f0d9f962b3010a77046aa498

SHA1
6682eb45c1fdb9a99ed0acec8de2338ee9dc00eb

SHA256
b6e134f67c88745dc411ed97bdbbe0353e5b021fb106985429923cac5490b7cc

SHA512
512450c443238a1144e064d6f8ad7b2d735afe06ad203001ec7ad5b79d0f7b1b7eed29bfb5f058849b95cbcb18ba8c458376f6796e08a01053be4450cf992fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\oprgilry.lzt

Filesize
5KB

MD5
2cbfc90f88bd2fb8364dab64489dda88

SHA1
8ed36dbe678411b4c3278076801fe48df44faeb2

SHA256
a9209ad5ca0fe1e3a9d7cdccc027ae2a540e28e6b6183de226a2f7e6a011d280

SHA512
09b9b628a1dc09f6ba7c3f6422d6fab8293636685a18d0301a16be2735e8383950dfd4137f3a28b66593dbe76d70a24ce203d042b0cb155c9f78a6edd9639f16

Download Submit
\Users\Admin\AppData\Local\Temp\cvgev.exe

Filesize
112KB

MD5
1f7006033f9ed58effc0e27bb8c264fd

SHA1
8db5a331bd275c566aa6b1b930088546fb670a9c

SHA256
9153d4cef97c5cd0039491849d1852266d0af49b21b9e6a02ea509da9c9bbdd4

SHA512
60d4c394037e7eba9677a2673ba83e6fd99d9997c3f7fb248d14cbdeef90efa31d480cedc567050b741017d96caab5eb7ce6b2f056d9a2b483ee9d68f3bf6a39

Download Submit
\Users\Admin\AppData\Local\Temp\cvgev.exe

Filesize
112KB

MD5
1f7006033f9ed58effc0e27bb8c264fd

SHA1
8db5a331bd275c566aa6b1b930088546fb670a9c

SHA256
9153d4cef97c5cd0039491849d1852266d0af49b21b9e6a02ea509da9c9bbdd4

SHA512
60d4c394037e7eba9677a2673ba83e6fd99d9997c3f7fb248d14cbdeef90efa31d480cedc567050b741017d96caab5eb7ce6b2f056d9a2b483ee9d68f3bf6a39

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
895KB

MD5
1eb6acf76a15b74b38333af47dc1218d

SHA1
a3fbc817f59b6a8899dc338cc15a75cdd17dfff1

SHA256
a5ef3a78eb333b0e6dca194ea711dcbb036119a788ecfe125f05176fb0fb70a3

SHA512
717931aa928de150abbb70d523c7dbd472bfa6c511ab55e0b50df8d9661d33635156ed7b750285fa383cdd4064f225ea022f0bead3e066ee2beba84ef5731c15

Download Submit
memory/592-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/592-66-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/592-67-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1404-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1412-74-0x0000000004170000-0x0000000004238000-memory.dmp

Filesize
800KB

Download
memory/1412-68-0x0000000004E30000-0x0000000004F5C000-memory.dmp

Filesize
1.2MB

Download
memory/1412-77-0x0000000004170000-0x0000000004238000-memory.dmp

Filesize
800KB

Download
memory/1776-70-0x0000000000AC0000-0x0000000000AE2000-memory.dmp

Filesize
136KB

Download
memory/1776-73-0x0000000000910000-0x000000000099F000-memory.dmp

Filesize
572KB

Download
memory/1776-72-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/1776-76-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1776-71-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing