Analysis
max time kernel: 95s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-04-2023 12:13
Static task: static1
Behavioral task: behavioral1
Sample: svcshost.exe
Resource: win10v2004-20230220-en
General
Target: svcshost.exe
Size: 493KB
MD5: c15bd704405c47f1cf081cba3ec67d17
SHA1: 5c74894ad0228821cef1794cfeb6a989e7ec551a
SHA256: 0e1afd3c9ee17408c055e272c2087fdb1e759c8a4b9373fcf2a4bf81d041b58e
SHA512: aa00445344d0c8b81ef983f931063ca20cd3510e588e26fcab342b6cb2af894a119c8ba10f9b103bbc16c9d04089b6817a0545ebe6975ce51a5eb03479c3cb7a
SSDEEP: 12288:vNoGU5LsJBWYgeWYg955/155/kjDP9XBDZQN/WioxCcjyoUoecWR:lstsJFjDFXFZQNWioxlyoUr3
Malware Config
Extracted from: C:\Users\Admin\Documents\__READ_ME_TO_RECOVER_YOUR_FILES.txt
nhands_q647t@pudxe.com
398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP
Signatures

- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: svcshost.exe
  description | ioc | process
  File created | C:\Users\Admin\Pictures\ApproveImport.png.encrp | svcshost.exe
  File created | C:\Users\Admin\Pictures\RegisterMove.png.encrp | svcshost.exe

- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes: NOTEPAD.EXE, NOTEPAD.EXE
  pid | process
  4832 | NOTEPAD.EXE
  3712 | NOTEPAD.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: vlc.exe
  pid | process
  2584 | vlc.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: vlc.exe
  pid | process
  2584 | vlc.exe

- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: vlc.exe, NOTEPAD.EXE
  pid | process
  2584 | vlc.exe
  2584 | vlc.exe
  2584 | vlc.exe
  2584 | vlc.exe
  3712 | NOTEPAD.EXE

- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: vlc.exe
  pid | process
  2584 | vlc.exe
  2584 | vlc.exe
  2584 | vlc.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: vlc.exe
  pid | process
  2584 | vlc.exe

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: svcshost.exe
  description | pid | process | target process
  PID 1468 wrote to memory of 3224 | 1468 | svcshost.exe | cmd.exe
  PID 1468 wrote to memory of 3224 | 1468 | svcshost.exe | cmd.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\svcshost.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\svcshost.exe"
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\svcshost.exe"

- C:\Windows\system32\NOTEPAD.EXE (depth 1)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchJoin.txt
  - Opens file in notepad (likely ransom note)

- C:\Program Files\VideoLAN\VLC\vlc.exe (depth 1)
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompressApprove.AAC"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EditUnpublish.cmd" "

- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EditUnpublish.cmd" "

- C:\Windows\System32\NOTEPAD.EXE (depth 1)
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EditUnpublish.cmd
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\Documents\__READ_ME_TO_RECOVER_YOUR_FILES.txt
  Filesize: 739B
  MD5: f1fbb5c5b6557a1a03d5c29bd15d018e
  SHA1: 27c4003c5b9f53c98ae0cd5f81283689543ee7d5
  SHA256: 7b9d26f4dc417eff37bd590c17b9a1c2baaa43b86ae24c0dea39c207cc0ca21d
  SHA512: 1c89d9bd26b6bb4780aeed3ecdfc6881c453d43daadfcaab8f2542888f44bd8675457a7cb790168e5fd6a0914ca382712f51c1492ac9a660a148b53c67aba3f9

- memory/2584-207-0x00007FFE305C0000-0x00007FFE305F4000-memory.dmp
  Filesize: 208KB

- memory/2584-206-0x00007FF639D30000-0x00007FF639E28000-memory.dmp
  Filesize: 992KB

- memory/2584-208-0x00007FFE30300000-0x00007FFE305B4000-memory.dmp
  Filesize: 2.7MB

- memory/2584-209-0x00007FFE2EF40000-0x00007FFE2FFEB000-memory.dmp
  Filesize: 16.7MB