Analysis
- max time kernel: 42s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-02-2023 23:00
Static task: static1
Behavioral task: behavioral1
- Sample: svcshost.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: svcshost.exe
- Resource: win10v2004-20221111-en
General
- Target: svcshost.exe
- Size: 493KB
- MD5: c15bd704405c47f1cf081cba3ec67d17
- SHA1: 5c74894ad0228821cef1794cfeb6a989e7ec551a
- SHA256: 0e1afd3c9ee17408c055e272c2087fdb1e759c8a4b9373fcf2a4bf81d041b58e
- SHA512: aa00445344d0c8b81ef983f931063ca20cd3510e588e26fcab342b6cb2af894a119c8ba10f9b103bbc16c9d04089b6817a0545ebe6975ce51a5eb03479c3cb7a
- SSDEEP: 12288:vNoGU5LsJBWYgeWYg955/155/kjDP9XBDZQN/WioxCcjyoUoecWR:lstsJFjDFXFZQNWioxlyoUr3
Malware Config
Extracted from: C:\Users\Admin\Documents\__READ_ME_TO_RECOVER_YOUR_FILES.txt
- Contact e-mail: nhands_q647t@pudxe.com
- Address: 398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP
Signatures
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes: svcshost.exe
  description: File created
  ioc: C:\Users\Admin\Pictures\MoveRepair.png.encrp
  process: svcshost.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid: 1488
  process: cmd.exe
- Suspicious use of WriteProcessMemory (3 IoCs, identical entries)
  Processes: svcshost.exe
  description: PID 856 wrote to memory of 1488
  pid: 856
  process: svcshost.exe
  target process: cmd.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\svcshost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\svcshost.exe"
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - Depth 2 (child of svcshost.exe): C:\Windows\system32\cmd.exe
    Command line: cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\svcshost.exe"
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1488-54-0x0000000000000000-mapping.dmp