Resubmissions

31/03/2023, 17:40

230331-v8w7xscb53 7

31/03/2023, 17:37

230331-v68syadd7y 7

31/03/2023, 17:16

230331-vs8wsadc5x 7

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    31/03/2023, 17:37

General

  • Target

    scrbk (Public).exe

  • Size

    326KB

  • MD5

    66121894b9232835011679f7cd0165f5

  • SHA1

    6002f8589c16660ef3d0df2b9dd73441561d6d03

  • SHA256

    f5e861fd4008ab582c228cc5f7e059cf0c8ec6b7288b2232f46077ec282960ee

  • SHA512

    35d1d79552fca6fc01e662ba6611d6466d70cdd35f733bbcf1a21556589490ebe355cd855977c6fe3f6a89e02d9c50358e43146d445d8b9128c1d06cc8377522

  • SSDEEP

    3072:aq6+ouCpk2mpcWJ0r+QNTBfK83d8fHKLDKhTLb3lzOzx16IUzYt8:aldk1cWQRNTBCAd8fHKLD4QqN

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs

    C:\Users\Admin\AppData\Local\Temp\ss.exe (PID 2096), started by the batch script that the sample runs through cmd.exe. Together with the timeout delay and the WriteProcessMemory calls below, this is the only behaviour raised inside the sample's own process lineage.

  • Drops file in Windows directory 3 IoCs

    Raised by taskmgr.exe (PID 4868) and mspaint.exe (PID 2168), both root-level processes; the only file under C:\Windows in the file list below is C:\Windows\Debug\WIA\wiatrace.log.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the TTP is not tied to any process in the tree below, and neither the tree nor the file list shows any file-encryption activity.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run it is read by taskmgr.exe (PID 4868), which starts at the root of the tree and is not a child of the sample.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments. Here it is read by firefox.exe (PID 1472) and taskmgr.exe (PID 4868), neither of them in the sample's lineage.

  • Delays execution with timeout.exe 1 IoCs

    timeout 1 (PID 4340), a one-second pause issued from the sample's batch script.

  • Modifies registry class 1 IoCs

    firefox.exe (PID 1472).

  • Opens file in notepad (likely ransom note) 1 IoCs

    Notepad.exe (PID 3684) opening C:\Users\Admin\Desktop\StopCompare.js, a root-level process not spawned by the sample; the same script is also run by WScript.exe (PID 4172). Nothing in the sample's own lineage writes a note, so the ransom-note label is unsupported in this run.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs

    taskmgr.exe (PID 4868) and mspaint.exe (PID 2168).

  • Suspicious use of AdjustPrivilegeToken 7 IoCs

    firefox.exe (PID 1472) and taskmgr.exe (PID 4868).

  • Suspicious use of FindShellTrayWindow 45 IoCs

    firefox.exe (PID 1472) and taskmgr.exe (PID 4868).

  • Suspicious use of SendNotifyMessage 44 IoCs

    firefox.exe (PID 1472) and taskmgr.exe (PID 4868).

  • Suspicious use of SetWindowsHookEx 8 IoCs

    firefox.exe (PID 1472) and mspaint.exe (PID 2168).

  • Suspicious use of WriteProcessMemory 64 IoCs

    The sample (PID 4268), cmd.exe (PID 4312) and firefox.exe (PIDs 3920 and 1472). Each is a parent creating child processes, and process creation itself writes into the new child's address space, so on its own this is not evidence of code injection.

  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The TTP is not tied to any process in the tree and no task file appears in the file list below, so persistence is unconfirmed in this run.
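The behaviours that the sample's own chain raises (cmd.exe launched through \sysnative\ with a batch script unpacked into nested %TEMP%\XXXX.tmp directories and the wrapper's own path as argument, a dropped ss.exe executed from that script, and a timeout.exe delay) map directly onto parent-child rules over process-creation telemetry. The following is an added example and not part of the sandbox report or of the sample: it runs three such rules over events reconstructed from the process tree below (PIDs, images and command lines as the page shows them; parent links follow the tree's depth markers; root processes get no parent), the same four fields a Sysmon event 1 or EDR record carries. The 4-hex-digit .tmp naming in the pattern is generalised from the single instance on this page and is an assumption.

```python
import re
from collections import namedtuple

# Process-creation events reconstructed from this report's process tree
# (constructed input: PIDs, images and command lines are the page's; parent
# links follow the tree's depth markers; root processes have ppid None).
Event = namedtuple("Event", "pid ppid image cmdline")

EVENTS = [
    Event(4268, None, r"C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe",
          r'"C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe"'),
    Event(4312, 4268, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp'
          r'\6B90.tmp\6B91.tmp\6B92.bat "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe""'),
    Event(2096, 4312, r"C:\Users\Admin\AppData\Local\Temp\ss.exe", "ss.exe"),
    Event(4340, 4312, r"C:\Windows\system32\timeout.exe", "timeout 1"),
    Event(3920, None, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    Event(1472, 3920, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    Event(4868, None, r"C:\Windows\system32\taskmgr.exe",
          r'"C:\Windows\system32\taskmgr.exe" /4'),
    Event(4172, None, r"C:\Windows\System32\WScript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\StopCompare.js"'),
]

# Per-user temp directory, as it appears in image paths and command lines.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# Batch script unpacked into nested %TEMP%\XXXX.tmp\XXXX.tmp\ directories.
# ASSUMPTION: the 4-hex-digit names are generalised from the one instance on
# this page (6B90.tmp\6B91.tmp\6B92.bat).
NESTED_TMP_BAT = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.bat", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(rule, pid)] for events matching the launch chain seen in the report."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        name = basename(e.image)
        if name == "cmd.exe" and NESTED_TMP_BAT.search(e.cmdline):
            # The wrapper passes its own path to the script as an argument,
            # so the parent's image should appear inside cmd.exe's command line.
            if parent and parent.image.lower() in e.cmdline.lower():
                alerts.append(("batch_wrapper_launch", e.pid))
        elif USER_TEMP.search(e.image) and parent and basename(parent.image) == "cmd.exe":
            # An executable in %TEMP% started by a cmd.exe whose own parent
            # also lives in %TEMP%: a dropped second stage run by the script.
            if grand and USER_TEMP.search(grand.image):
                alerts.append(("dropped_exe_from_temp", e.pid))
        elif name == "timeout.exe" and parent and basename(parent.image) == "cmd.exe":
            alerts.append(("script_delay", e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:24} pid={pid}")
```

Only the three PIDs under the sample (4312, 2096, 4340) alert; firefox.exe, taskmgr.exe and WScript.exe produce nothing, which is the point of keying the rules on the parent chain rather than on any single image name.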

Processes

  • C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe
    "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B90.tmp\6B91.tmp\6B92.bat "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Users\Admin\AppData\Local\Temp\ss.exe
        ss.exe
        3⤵
        • Executes dropped EXE
        PID:2096
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:4340
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.0.1481268292\601862093" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1660 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2805cc26-c978-49db-bda0-f540f82fa608} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 1748 25c43d18058 gpu
        3⤵
        PID:4428
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.1.97940300\460555626" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d32c6c00-2825-4c34-b1a8-916b538638d5} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 2100 25c4290c258 socket
        3⤵
        PID:1968
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.2.340389598\1264605645" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 20974 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c327e00-f8e0-4b7f-8858-3a0627ed1424} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 2924 25c468fb558 tab
        3⤵
        PID:428
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.3.394240737\1077489319" -childID 2 -isForBrowser -prefsHandle 3392 -prefMapHandle 3388 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6472191-7659-40c8-85b6-a0251796e94b} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3404 25c452ecd58 tab
        3⤵
        PID:1832
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.4.1127642730\658669889" -childID 3 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e351454-83d5-4db5-86f1-0105890fd69b} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3884 25c47d6c758 tab
        3⤵
        PID:2344
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.5.2031028268\2059166047" -childID 4 -isForBrowser -prefsHandle 4684 -prefMapHandle 4740 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bc0b1ed-9f78-4395-bbc5-14b53dda322a} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4764 25c48ebee58 tab
        3⤵
        PID:4288
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.7.1382802005\652032785" -childID 6 -isForBrowser -prefsHandle 4728 -prefMapHandle 4976 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44abcbd4-edba-435d-b5e1-deaf58bf3826} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4736 25c48ec1258 tab
        3⤵
        PID:4856
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.6.2066862558\204274639" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7be19206-541b-4f41-8248-af9fa8698dcd} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4976 25c48ebf458 tab
        3⤵
        PID:4308
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.8.673582576\702076905" -childID 7 -isForBrowser -prefsHandle 2636 -prefMapHandle 3360 -prefsLen 26904 -prefMapSize 232645 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {710eca7c-0eb7-4c54-9ab5-fd882b2b4a29} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4584 25c48ec5e58 tab
        3⤵
        PID:208
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4868
  • C:\Windows\System32\Notepad.exe
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\StopCompare.js
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3684
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\StopCompare.js"
    1⤵
    PID:4172
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameExit.bmp"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2168
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
    1⤵
    PID:2504
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameExit.bmp"
    1⤵
    PID:376
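The Signatures list is global, so the 7/10 score blends what the sample did with what root-level processes (firefox.exe, taskmgr.exe, Notepad.exe, mspaint.exe) did on their own. The following is an added example, not part of the report: it parses an excerpt of the tree above written in the page's own layout (image bullet, command line, N⤵ depth marker, signature bullets, PID:N), rebuilds parent links from the depth markers with a stack, and splits every signature into "raised inside the submitted sample's lineage" and "raised elsewhere". The excerpt is constructed from the tree above with the Firefox content processes left out.

```python
import re

# Excerpt of this report's process tree, constructed here in the page's own
# layout (image bullet, command line, N⤵ depth marker, signature bullets, PID:N).
REPORT_TREE = r"""
• C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe
  "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe"
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:4268
  • C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B90.tmp\6B91.tmp\6B92.bat "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe""
    2⤵
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Users\Admin\AppData\Local\Temp\ss.exe
      ss.exe
      3⤵
      • Executes dropped EXE
      PID:2096
    • C:\Windows\system32\timeout.exe
      timeout 1
      3⤵
      • Delays execution with timeout.exe
      PID:4340
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:3920
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    2⤵
    • Checks processor information in registry
    • Modifies registry class
    PID:1472
• C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  1⤵
  • Checks SCSI registry key(s)
  • Checks processor information in registry
  PID:4868
• C:\Windows\System32\Notepad.exe
  "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\StopCompare.js
  1⤵
  • Opens file in notepad (likely ransom note)
  PID:3684
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


def parse_tree(text):
    """Parse the report layout into {pid: node}; parent links come from depth markers."""
    nodes, stack, cur = {}, [], None          # stack: (depth, pid) of open ancestors
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• ") and "\\" in line:   # a process entry: image path
            cur = {"image": line[2:], "cmdline": None, "depth": None, "sigs": []}
        elif cur is None:
            continue
        elif cur["cmdline"] is None:                 # line after the image
            cur["cmdline"] = line
        elif DEPTH_RE.match(line):
            cur["depth"] = int(DEPTH_RE.match(line).group(1))
        elif line.startswith("• "):                  # signature bullet (no path)
            cur["sigs"].append(line[2:])
        elif PID_RE.match(line):                     # PID closes the entry
            pid = int(PID_RE.match(line).group(1))
            while stack and stack[-1][0] >= cur["depth"]:   # unwind siblings/deeper
                stack.pop()
            cur["pid"], cur["ppid"] = pid, (stack[-1][1] if stack else None)
            nodes[pid] = cur
            stack.append((cur["depth"], pid))
            cur = None
    return nodes


def lineage_of(nodes, root_pid):
    """root_pid and every transitive child of it."""
    out, todo = set(), [root_pid]
    while todo:
        p = todo.pop()
        out.add(p)
        todo += [n["pid"] for n in nodes.values() if n["ppid"] == p]
    return out


def attribute(nodes, sample_pid):
    """Split signatures by whether the raising process is in the sample's lineage."""
    lineage = lineage_of(nodes, sample_pid)
    in_lineage, elsewhere = {}, {}
    for n in nodes.values():
        bucket = in_lineage if n["pid"] in lineage else elsewhere
        for sig in n["sigs"]:
            bucket.setdefault(sig, set()).add(n["pid"])
    return lineage, in_lineage, elsewhere


if __name__ == "__main__":
    nodes = parse_tree(REPORT_TREE)
    sample = next(p for p, n in nodes.items() if n["ppid"] is None)  # first root = target
    print(attribute(nodes, sample))
```

Run against the excerpt, the sample's lineage is {4268, 4312, 2096, 4340} and carries only WriteProcessMemory, Executes dropped EXE and the timeout delay; the SCSI, processor-information and ransom-note signatures all land in the "elsewhere" bucket.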

                          Network

                          MITRE ATT&CK Enterprise v6


Downloads

Files captured from the VM during the run. ss.exe appears in two locations with identical digests; the Firefox profile files were written while firefox.exe was running, and the only file under C:\Windows, wiatrace.log, is accounted for by the root-level processes that carry the "Drops file in Windows directory" signature (taskmgr.exe, mspaint.exe), not by the sample.

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp
    Filesize 146KB
    MD5 9247c91f98e020412c5d97cde73f8c4a
    SHA1 310b846c68e3002fb8d658c08d238ed722e5b093
    SHA256 d1fa35a27b5000e9d476257c900c2cc628dfc1d8bdda1251525ed69e4eee930f
    SHA512 d3e93fe0520e00650bcdd2af2888395669f6a02210249f8d19cee045f8efc5e36e6b002d6532205c70bed70086e10fcae8a0fc95349abd3ce209c81de5f0b5a4

  • C:\Users\Admin\AppData\Local\Temp\6B90.tmp\6B91.tmp\6B92.bat
    Filesize 498B
    MD5 997051b5f0f314af27eb52f258ee1713
    SHA1 6a4a58ee54e9c7bdbc2688effc819acd284d1ed4
    SHA256 f5f74b7f30fae4a6c91680cf405649d535eec2ac29a4e635adb10a4cd2f47c20
    SHA512 0a9cf83c432ba1ce760b3d1afb5e2015da2853c348adf30b7ddbbc0fd1742292c29681ddbcccfb921e3bbb3637a1fd89a175d59606786622660f35a2dcc2e45a

  • C:\Users\Admin\AppData\Local\Temp\screenshot.png
    Filesize 422KB
    MD5 334154e5443bcddd185697cd750c5f16
    SHA1 1b16886fe3384b507f010ea881c2dfb45c3aab9d
    SHA256 0d40726d54e719d0343d5d7349ffe2aae0210119826591140d55e849d18b3734
    SHA512 0875a48e4874e7867f0ad234c672eed46c264091f94fab1e612c8879109481b76a4bd6437ce2f5795af58358e3abae1ea0e9c4329e461017090c92ad64357d9b

  • C:\Users\Admin\AppData\Local\Temp\ss.exe
    Filesize 157KB
    MD5 3cea618267c4fa15e7a2939924a86b94
    SHA1 d44aab0ab239e01604b62a174c0fcfd7bb3a5e22
    SHA256 03f3603039aabe4fcd2f1b5bdd1dc0d8d423ce4defe4d213e3b5fb4fe94655b5
    SHA512 c16ede67be25c2a3c9c7a668a50681760fcdca9b470f8ff018a1bb6abc1d6ff5cf9b2e630bbc8d896465717b9eb564b4af82ebfd5b8028780e9807dda43c22cd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js
    Filesize 6KB
    MD5 cdb5a91b7898f75f98e448e80b41dba6
    SHA1 c749651f98e32a2320d2e52fd467fd6217660535
    SHA256 ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc
    SHA512 b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize 1KB
    MD5 cf28cab65f6d94302fb0c5abf0b602a5
    SHA1 aebc709c0b9a1a0f2bc632cf6e429523bf6c777f
    SHA256 83194f058bcaeaebf5382dbbada7a772843e7aff81c4454cdfead851ffeefd72
    SHA512 8dc416b64816cd946c4aa765aeba3850eb98633473abeafbeb239acadbd25bcf16ed5d8f86289dd767a3479e8211992e262de552bfdd5d2804ffac9c3c8f0c14

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore-backups\recovery.jsonlz4 (second capture of the same path, different contents)
    Filesize 1KB
    MD5 12233c3137846808bea3c0b009c4a754
    SHA1 684b1274f0e38e42f7c34b8924e98e3fc8171c44
    SHA256 f5f29d801e2cee1471a905255e063a08a4aa1b143fa98e2ebd5204bce5303287
    SHA512 cb8156b6dbc8bb32a79e1b0703f3e7582755e534d956f57821e14685433bec05fe5dba888b49c38a5bcf299bbae83520c42105a4cfcbcd201b2650c0c52f5b88

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize 184KB
    MD5 52da1dfd2d332db7747b41aeeb44affe
    SHA1 4976876da3e75020785b34ffec0ba6032557d309
    SHA256 d1869cd469726183b4cd85c3d7fb5a97f6466ac10e939c772b0c3f0763864b2b
    SHA512 8fbac1777be44f61dea963e08f1d658ee2179b1353254de877d38ed4d5ff1de7f4f661f221ff224ee859f169766342687ec0691ce1ed63216d9bd0f7ee0fcd0f

  • C:\Users\Admin\AppData\Roaming\ss.exe (same digests as the Temp copy above)
    Filesize 157KB
    MD5 3cea618267c4fa15e7a2939924a86b94
    SHA1 d44aab0ab239e01604b62a174c0fcfd7bb3a5e22
    SHA256 03f3603039aabe4fcd2f1b5bdd1dc0d8d423ce4defe4d213e3b5fb4fe94655b5
    SHA512 c16ede67be25c2a3c9c7a668a50681760fcdca9b470f8ff018a1bb6abc1d6ff5cf9b2e630bbc8d896465717b9eb564b4af82ebfd5b8028780e9807dda43c22cd

  • C:\Windows\Debug\WIA\wiatrace.log
    Filesize 1KB
    MD5 1685184fb8f887a74f77e52104dc9ccb
    SHA1 172bba417524b5012963604b9559e3484fd35020
    SHA256 af126042b92cc7994f9e81c7b8e72a3e84be30fc26431de9e07a5a722550d105
    SHA512 6a266d25a24a0ac77070f6f545c2d2cd8ab6d0642695e725115838645c3666fdae111780812bb549e4df5df335c4dc462af9a9c0c5be451511836c887978732e

  • memory/2096-123-0x0000000000400000-0x0000000000430000-memory.dmp (memory dump of PID 2096, ss.exe, image range 0x400000-0x430000)
    Filesize 192KB