a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429

Analysis

max time kernel
144s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-03-2023 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe
Size

903KB
MD5

9b3905c9ee3b8d9c4069d61a2cb1c8da
SHA1

a5e997d59b9dc311294bbafef71bc7cd4e1099c7
SHA256

a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429
SHA512

ebcabb21a9f77a5963f6d4397a6df878405d39f8af56099365d976e77feea92a21b7a7b873e6ada6386de629e1a48dee660dff75c288d145a95e5e6416e14a2a
SSDEEP

24576:TjobElGZVJfcqThqxb3UDfI3OXvFQQxtntsWc+rs:Tj/

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1524	svcservice.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe
1956	a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1524	1956	a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe	27
PID 1956 wrote to memory of 1524	1956	a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe	27
PID 1956 wrote to memory of 1524	1956	a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe	27
PID 1956 wrote to memory of 1524	1956	a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe	27

C:\Users\Admin\AppData\Local\Temp\a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe
"C:\Users\Admin\AppData\Local\Temp\a7842de9435f8066eda5f7557379e509c6b7fcb888e58c2f6856879a1dedc429.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
619.8MB

MD5
e458dfae1eb42871a40771a0473d756f

SHA1
67fc2d26d9018bc3a468d1f32be94c92f77bb3f6

SHA256
f984c775392856c48f7aa052e5adca8af867cd04a7dfa343e6ab60a42dc36a5f

SHA512
a1db738a6afcf7a807073c8f9133fc7b12f48ceff3d0acb58a7d89b224372029634851ed4008d0b5f4f08ee792448bd0a39efc2947d907c27f84ce8ef9c48a91

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
491.8MB

MD5
a8683add277b92ef210af0a85cc53cf3

SHA1
59935a22630e9c0f79258df55ce6355896d448aa

SHA256
2d21b530a392eaaf00b24db1059f255a3ab6aea12fe617cd61c83ff915b21ee2

SHA512
5261b06d7d040ba6fcea27a15d390862f7bdbb35c7877d20e4b41cb9c15dd4d0fbdbc41af8ee26d6f36aa91390eb0e778f7044b3b77f6a5b98c2a645f513035f

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
344.5MB

MD5
5f99dd03f0db48de4ec548335f565886

SHA1
d64fa7697b0c95e4cc1a403373e4fdde536380ee

SHA256
6285052e9a5daa679c04017af8413409fea71915b3d727133b04034f9164aee5

SHA512
086a96e133f6a2145f76baa436dedcd5ee5c8a36308da7dbeb73c133d7c8b0761b9b1cfdc15cd395b4536cd1614fc8d1f78f2c10167781552142921e60fff1d5

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
658.1MB

MD5
898cb40a4e8222e1d64a2ebefa1c2094

SHA1
ffbe2ce7f88b14969be753708733698e965f8ad3

SHA256
8a51f826936f2deb2d7bd0b25f200cc6f1f489bcfd7b9b33471166347b6b1f3b

SHA512
4542086b666e2fe30cfd49308c62b322d04e5dbb4e3a67fb23cc2e76feea089d4feaa09c90446f1325d9fb531c89ff1807d879740867f971c3fb507d1e8ec772

Download Submit
memory/1524-67-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1524-68-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1524-70-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1524-71-0x0000000000900000-0x00000000009E7000-memory.dmp

Filesize
924KB

Download
memory/1956-56-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1956-54-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1956-55-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1956-65-0x0000000000900000-0x00000000009E7000-memory.dmp

Filesize
924KB

Download
memory/1956-69-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download