Resubmissions

31/03/2023, 17:40

230331-v8w7xscb53 7

31/03/2023, 17:37

230331-v68syadd7y 7

31/03/2023, 17:16

230331-vs8wsadc5x 7

Analysis

  • max time kernel
    117s
  • max time network
    170s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
  • submitted
    31/03/2023, 17:16

General

  • Target

    scrbk (Public).exe

  • Size

    326KB

  • MD5

    66121894b9232835011679f7cd0165f5

  • SHA1

    6002f8589c16660ef3d0df2b9dd73441561d6d03

  • SHA256

    f5e861fd4008ab582c228cc5f7e059cf0c8ec6b7288b2232f46077ec282960ee

  • SHA512

    35d1d79552fca6fc01e662ba6611d6466d70cdd35f733bbcf1a21556589490ebe355cd855977c6fe3f6a89e02d9c50358e43146d445d8b9128c1d06cc8377522

  • SSDEEP

    3072:aq6+ouCpk2mpcWJ0r+QNTBfK83d8fHKLDKhTLb3lzOzx16IUzYt8:aldk1cWQRNTBCAd8fHKLD4QqN

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but drive enumeration on its own is a weak indicator: it is common in benign installers and tools, and no encrypted files or ransom notes appear in the dropped-file list below. Weigh it together with the dropped ss.exe and screenshot.png rather than in isolation.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

The tree below shows the sample spawning cmd.exe through the C:\Windows\sysnative alias (a path that only exists for 32-bit processes running under WOW64, consistent with the arch:x86 resource tag) to run a 498-byte batch file dropped under nested %TEMP%\XXXX.tmp directories, with the sample's own path passed to the batch as its first argument. That batch starts the dropped ss.exe (a copy of which is also written to %APPDATA%) and then calls timeout 1. The iexplore.exe tree that opens SetMove.gif from the Desktop is a separate root process; the report shows no parent link between it and the sample.

  • C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe
    "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3FB8.tmp\4017.tmp\4018.bat "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Users\Admin\AppData\Local\Temp\ss.exe
        ss.exe
        3⤵
        • Executes dropped EXE
        PID:1216
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1928
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SetMove.gif
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3832
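The process chain above (self-referencing batch wrapper in nested %TEMP%\*.tmp directories, dropped EXE started by that cmd.exe, short timeout.exe sleep) is easy to encode as host-based detection logic. The following is an added example, not part of the original report or of any vendor's rule set. The event records are constructed to mirror the tree in this report; the field names (pid, ppid, image, cmdline) and the parent PID 600 for the two root processes are assumptions, since the report does not show them. The Internet Explorer processes are included so the rules can be checked against the benign root as well.

```python
import re
from collections import defaultdict

# Constructed process-creation events mirroring the tree in the report above.
# ppid 600 for the two root processes is an assumption (not shown in the report).
EVENTS = [
    {"pid": 2324, "ppid": 600, "image": r"C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe"'},
    {"pid": 2192, "ppid": 2324, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3FB8.tmp\4017.tmp\4018.bat "C:\Users\Admin\AppData\Local\Temp\scrbk (Public).exe""'},
    {"pid": 1216, "ppid": 2192, "image": r"C:\Users\Admin\AppData\Local\Temp\ss.exe",
     "cmdline": "ss.exe"},
    {"pid": 1928, "ppid": 2192, "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 1"},
    {"pid": 2452, "ppid": 600, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SetMove.gif'},
    {"pid": 3832, "ppid": 2452, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:82945 /prefetch:2'},
]

# Batch dropped under %TEMP%\XXXX.tmp\XXXX.tmp\XXXX.bat, as seen in the report.
WRAPPER_BAT = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.bat", re.I)
# User-writable locations the sample and its payload live in.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def _name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {pid: [rule, ...]} for every process that trips one of the three rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)

    # Pass 1: cmd.exe runs a nested-%TEMP% batch and is handed its parent's own
    # image path as an argument (self-referencing batch wrapper).
    for e in events:
        p = by_pid.get(e["ppid"])
        if (_name(e["image"]) == "cmd.exe" and p and WRAPPER_BAT.search(e["cmdline"])
                and p["image"].lower() in e["cmdline"].lower()):
            hits[e["pid"]].append("wrapper_bat_launch")

    # Pass 2: children of that chain. Done after pass 1 so event order does not matter.
    for e in events:
        p = by_pid.get(e["ppid"])
        if not p:
            continue
        g = by_pid.get(p["ppid"])
        name = _name(e["image"])
        # An .exe in %TEMP%/%APPDATA% started by cmd.exe whose own parent also
        # lives in a user-writable directory: dropped payload execution.
        if (name.endswith(".exe") and USER_WRITABLE.search(e["image"])
                and _name(p["image"]) == "cmd.exe" and g and USER_WRITABLE.search(g["image"])):
            hits[e["pid"]].append("dropped_exe_from_cmd")
        # timeout.exe under a cmd.exe already flagged by pass 1: the batch sleeps.
        if name == "timeout.exe" and "wrapper_bat_launch" in hits.get(p["pid"], []):
            hits[e["pid"]].append("batch_timeout_delay")
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, ", ".join(rules))
```

Only the three processes in the sample's chain are flagged; the two iexplore.exe processes, which share no ancestry with the sample, stay clean. The same three predicates translate directly into a Sigma or EDR rule keyed on ParentImage, Image and CommandLine.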

Network

        MITRE ATT&CK Enterprise v6


        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          bdbbd793778777706223b00a4ea24ed0

          SHA1

          bf09527cebe8906bfe6aa1e885bc9fb1b3ec54e4

          SHA256

          8b1034038298faf34d3f580c1ded7212f40d146de7e62cff20826c8b53f80c36

          SHA512

          7397d981e28bee91dd0e08c3a38444d8524204118548e8db810f5a277cbb08c20a64350063cf36ee4a943edba249f1d0ed350d4cfbc0671461cf27c2534c1f13

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          434B

          MD5

          c8a1d6a5fdd825ebf93f5e8587398c5c

          SHA1

          ad2a0655784b1b10f4ec70a404faf422826a083f

          SHA256

          777dd64bace3ea5e1ffdb6d9670a51a263e7b60b1851e2cadd0fbefa7a37029e

          SHA512

          07e40f5b790c01244ed94cc53ea5ccae5efd1f32f2f084e870e9e9cc42be781f7a96fa288a229254fa95ab2ff86942cb3473e74e32c24eb94fb97af2fe5cf4d9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

          Filesize

          4KB

          MD5

          da597791be3b6e732f0bc8b20e38ee62

          SHA1

          1125c45d285c360542027d7554a5c442288974de

          SHA256

          5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

          SHA512

          d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6RO0PN6W\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OWO8QGKA.cookie

          Filesize

          611B

          MD5

          458ae1906ea7a6c63e0566bcf976a1bb

          SHA1

          f82b6948f2541e99db9ab9f2beb1764c433db987

          SHA256

          6204798956cd60accf8d135f3e6a0ec1b3052487941abbd0e884919958c9b51f

          SHA512

          24c49fa2cd7e007a67bad7ce2a4aa68cc9c1ad2f1afb250a0023ce41e99599ec2a062dbba922eb9a36358a32376d855f7fa624da6594f20e47e3ee7595c8dca4

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P1UD55V9.cookie

          Filesize

          244B

          MD5

          bd12692c900cdbf760e0ec8118821142

          SHA1

          14048c1e98093fa1aea1e1eaa93b0243eae268d6

          SHA256

          3c5e254a95a4e6c7a0d46871bb7cefc75f885fd4e3fed92a330d78a497458ad2

          SHA512

          93f7f151ee34f0ba3d098f17ce020fad97226f486b294e9e08412602dd8b6fdbc6c7968648a147c64f9ebd8e36baf222ef6fcd3db8196dcd21b079df57fbbfec

        • C:\Users\Admin\AppData\Local\Temp\3FB8.tmp\4017.tmp\4018.bat

          Filesize

          498B

          MD5

          997051b5f0f314af27eb52f258ee1713

          SHA1

          6a4a58ee54e9c7bdbc2688effc819acd284d1ed4

          SHA256

          f5f74b7f30fae4a6c91680cf405649d535eec2ac29a4e635adb10a4cd2f47c20

          SHA512

          0a9cf83c432ba1ce760b3d1afb5e2015da2853c348adf30b7ddbbc0fd1742292c29681ddbcccfb921e3bbb3637a1fd89a175d59606786622660f35a2dcc2e45a

        • C:\Users\Admin\AppData\Local\Temp\Kno9C5F.tmp

          Filesize

          88KB

          MD5

          002d5646771d31d1e7c57990cc020150

          SHA1

          a28ec731f9106c252f313cca349a68ef94ee3de9

          SHA256

          1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

          SHA512

          689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

        • C:\Users\Admin\AppData\Local\Temp\screenshot.png

          Filesize

          29KB

          MD5

          b4057d7bab6d4745a0a64ec91f394bed

          SHA1

          e02f93726bb0ba80f2adb748073be07e6b95cee6

          SHA256

          238630577fbb8df7d3aacc7e27ad4127559bde199e42faa6fd3b7b811c015d0c

          SHA512

          66fb66fd0a6ba920c7add1609f4ec7470246221177d3ac46547e13a742d3565ab695cd72b62c2ea2107a8e3108cbd57ac0ff43a7ab215d6d3755074fb093bdeb

        • C:\Users\Admin\AppData\Local\Temp\ss.exe

          Filesize

          157KB

          MD5

          3cea618267c4fa15e7a2939924a86b94

          SHA1

          d44aab0ab239e01604b62a174c0fcfd7bb3a5e22

          SHA256

          03f3603039aabe4fcd2f1b5bdd1dc0d8d423ce4defe4d213e3b5fb4fe94655b5

          SHA512

          c16ede67be25c2a3c9c7a668a50681760fcdca9b470f8ff018a1bb6abc1d6ff5cf9b2e630bbc8d896465717b9eb564b4af82ebfd5b8028780e9807dda43c22cd

        • C:\Users\Admin\AppData\Roaming\ss.exe

          Filesize

          157KB

          MD5

          3cea618267c4fa15e7a2939924a86b94

          SHA1

          d44aab0ab239e01604b62a174c0fcfd7bb3a5e22

          SHA256

          03f3603039aabe4fcd2f1b5bdd1dc0d8d423ce4defe4d213e3b5fb4fe94655b5

          SHA512

          c16ede67be25c2a3c9c7a668a50681760fcdca9b470f8ff018a1bb6abc1d6ff5cf9b2e630bbc8d896465717b9eb564b4af82ebfd5b8028780e9807dda43c22cd

        • memory/1216-128-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB (the 0x400000-0x430000 region of PID 1216, which is the dropped ss.exe in the process tree above)
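Most entries in the dropped-file list above are Internet Explorer and CryptoAPI cache noise (CryptnetUrlCache, INetCache, INetCookies, the search-provider icon) rather than anything the sample wrote, and ss.exe appears twice with identical hashes. The following is an added triage helper, not part of the original report or of any sandbox's tooling: it separates that noise from the sample's own artefacts, collapses duplicate copies by SHA256, and parses the memory-dump name into a PID and region so the 192KB size can be checked. The path list is constructed from the report above; the noise directory list is an assumption about what this sandbox image produces on its own.

```python
import re
from collections import defaultdict

# Constructed from the dropped-file list in the report above: (path, sha256).
DROPPED = [
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776",
     "8b1034038298faf34d3f580c1ded7212f40d146de7e62cff20826c8b53f80c36"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776",
     "777dd64bace3ea5e1ffdb6d9670a51a263e7b60b1851e2cadd0fbefa7a37029e"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
     "5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6RO0PN6W\suggestions[1].en-US",
     "c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OWO8QGKA.cookie",
     "6204798956cd60accf8d135f3e6a0ec1b3052487941abbd0e884919958c9b51f"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P1UD55V9.cookie",
     "3c5e254a95a4e6c7a0d46871bb7cefc75f885fd4e3fed92a330d78a497458ad2"),
    (r"C:\Users\Admin\AppData\Local\Temp\3FB8.tmp\4017.tmp\4018.bat",
     "f5f74b7f30fae4a6c91680cf405649d535eec2ac29a4e635adb10a4cd2f47c20"),
    (r"C:\Users\Admin\AppData\Local\Temp\Kno9C5F.tmp",
     "1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f"),
    (r"C:\Users\Admin\AppData\Local\Temp\screenshot.png",
     "238630577fbb8df7d3aacc7e27ad4127559bde199e42faa6fd3b7b811c015d0c"),
    (r"C:\Users\Admin\AppData\Local\Temp\ss.exe",
     "03f3603039aabe4fcd2f1b5bdd1dc0d8d423ce4defe4d213e3b5fb4fe94655b5"),
    (r"C:\Users\Admin\AppData\Roaming\ss.exe",
     "03f3603039aabe4fcd2f1b5bdd1dc0d8d423ce4defe4d213e3b5fb4fe94655b5"),
]

# Directories the OS and Internet Explorer populate on their own (assumed noise set).
NOISE = re.compile(r"\\(CryptnetUrlCache|INetCache|INetCookies|Internet Explorer\\Services)\\", re.I)
# Sandbox memory-dump naming as it appears in the report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMDUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def classify(path):
    """Bucket one dropped-file path: memory dump, browser/OS cache noise, or sample artefact."""
    if path.startswith("memory/"):
        return "memory_dump"
    if NOISE.search(path):
        return "browser_cache"
    return "sample_artifact"


def triage(dropped):
    """Return {sha256: [paths]} for sample artefacts only, so identical copies collapse."""
    groups = defaultdict(list)
    for path, sha256 in dropped:
        if classify(path) == "sample_artifact":
            groups[sha256].append(path)
    return {h: sorted(paths) for h, paths in groups.items()}


def parse_memdump(name):
    """Split a memory-dump name into (pid, start, end, size_bytes); raises on other names."""
    m = MEMDUMP.match(name)
    if not m:
        raise ValueError("not a memory dump name: %s" % name)
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, start, end, end - start


if __name__ == "__main__":
    for sha256, paths in triage(DROPPED).items():
        print(sha256[:16], "->", "; ".join(paths))
    pid, start, end, size = parse_memdump(
        "memory/1216-128-0x0000000000400000-0x0000000000430000-memory.dmp")
    print("dump of pid %d: 0x%x-0x%x, %d KB" % (pid, start, end, size // 1024))
```

Four unique artefacts come out: the batch wrapper, Kno9C5F.tmp, screenshot.png and ss.exe (with both its %TEMP% and %APPDATA% paths), which is the set worth pulling for static analysis. The dump parser confirms the region is 0x30000 bytes, i.e. the 192KB the report states, inside PID 1216.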