Resubmissions

12-04-2023 12:13

230412-pdq5jacb34 10

05-02-2023 23:00

230205-2zfl5sef2z 10

Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-02-2023 23:00

General

  • Target

    svcshost.exe

  • Size

    493KB

  • MD5

    c15bd704405c47f1cf081cba3ec67d17

  • SHA1

    5c74894ad0228821cef1794cfeb6a989e7ec551a

  • SHA256

    0e1afd3c9ee17408c055e272c2087fdb1e759c8a4b9373fcf2a4bf81d041b58e

  • SHA512

    aa00445344d0c8b81ef983f931063ca20cd3510e588e26fcab342b6cb2af894a119c8ba10f9b103bbc16c9d04089b6817a0545ebe6975ce51a5eb03479c3cb7a

  • SSDEEP

    12288:vNoGU5LsJBWYgeWYg955/155/kjDP9XBDZQN/WioxCcjyoUoecWR:lstsJFjDFXFZQNWioxlyoUr3

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\__READ_ME_TO_RECOVER_YOUR_FILES.txt

Ransom Note
Hello, your files were encrypted and are currently unusable. The only way to recover your files is decrypting them with a key that only we have. In order for us to send you the key and the application to decrypt your files, you will have to make a transfer of Bitcoins to an electronic wallet. We leave you here the data to make the bitcoins transfer. Bitcoin wallet: 398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP Transfer the amount of bitcoins equivalent to 200 USD. Your computer ID is: 7725c12a-7257-458e-a47f-7029d9191548 Once you make the transfer of bitcoins, send us the transfer ID and your computer ID to our email: nhands_q647t@pudxe.com When we verify the transfer we will send you your key and the decryption application.
Emails

nhands_q647t@pudxe.com

Wallets

398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP

Signatures

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svcshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svcshost.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\system32\cmd.exe
      cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\svcshost.exe"
      2⤵
      • Deletes itself
      PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads

  • memory/1488-54-0x0000000000000000-mapping.dmp