Overview
overview
10Static
static
10VSNKLGuzoF...2).exe
windows7-x64
3VSNKLGuzoF...5w.exe
windows7-x64
3VideoCodeCX.exe
windows7-x64
10WcsPlugInS...ex.exe
windows7-x64
5WinLocker Builder.exe
windows7-x64
5WinLocker_Builder.exe
windows7-x64
5_003E0000.exe.vir.exe
windows7-x64
9vmem02.exe
windows7-x64
3w8i9eHkHOwWwQlX.exe
windows7-x64
3wpbt0.exe
windows7-x64
10xpiofrbtkzhr.exe
windows7-x64
xxx_video (2).exe
windows7-x64
7xxx_video.exe
windows7-x64
5xxx_video_...vi.exe
windows7-x64
10xxx_video_...ir.exe
windows7-x64
10xxx_video_...ir.exe
windows7-x64
10xxx_video_...ir.exe
windows7-x64
10xxx_video_...vi.exe
windows7-x64
10xxx_video_...ir.exe
windows7-x64
10zcrypt.exe
windows7-x64
7{71257279-...a}.exe
windows7-x64
10Analysis
-
max time kernel
271s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:41
Behavioral task
behavioral1
Sample
VSNKLGuzoFJgFHyEI15w (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
VSNKLGuzoFJgFHyEI15w.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
VideoCodeCX.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
WcsPlugInService.ex.exe
Resource
win7-20241010-en
Behavioral task
behavioral5
Sample
WinLocker Builder.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
WinLocker_Builder.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
_003E0000.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
vmem02.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
w8i9eHkHOwWwQlX.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
wpbt0.exe
Resource
win7-20241023-en
Behavioral task
behavioral11
Sample
xpiofrbtkzhr.exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
xxx_video (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
xxx_video.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
xxx_video_26726.avi.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
xxx_video_35942.avi.exe.vir.exe
Resource
win7-20240729-en
Behavioral task
behavioral16
Sample
xxx_video_35942.avi_unpacked_.exe.vir.exe
Resource
win7-20240708-en
Behavioral task
behavioral17
Sample
xxx_video_73240.avi____.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
xxx_video_77498.avi.exe
Resource
win7-20241010-en
Behavioral task
behavioral19
Sample
xxx_video_87279.avi.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
zcrypt.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
Resource
win7-20240903-en
General
-
Target
_003E0000.exe.vir.exe
-
Size
116KB
-
MD5
f57d188c4667fab46208396af20badd2
-
SHA1
367ea268c494d17672ef371adebef0f505c1a804
-
SHA256
878304de96556ed340f190a9d8b5650dc71512eed4210676560fc41e7ac4857c
-
SHA512
157615951ccf90c69aaa4e4e1e1f664ffcb6c5817371143ac5bc2dfac04185e57981d50194ad4a1784c29f16211b6a18e9fa085721d05e29ba63377e40dc41a2
-
SSDEEP
3072:SsB0ura/QOVLLkeyYP1RNDZyuubclhZUnr:Sef7wkey21flyu8+i
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c12c0c1.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\c12c0c = "C:\\c12c0c1\\c12c0c1.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*12c0c = "C:\\c12c0c1\\c12c0c1.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\c12c0c1 = "C:\\Users\\Admin\\AppData\\Roaming\\c12c0c1.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*12c0c1 = "C:\\Users\\Admin\\AppData\\Roaming\\c12c0c1.exe" explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
_003E0000.exe.vir.exeexplorer.exesvchost.exevssadmin.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language _003E0000.exe.vir.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2964 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
explorer.exepid process 2848 explorer.exe 2848 explorer.exe 2848 explorer.exe 2848 explorer.exe 2848 explorer.exe 2848 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
_003E0000.exe.vir.exeexplorer.exepid process 2968 _003E0000.exe.vir.exe 2848 explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2732 vssvc.exe Token: SeRestorePrivilege 2732 vssvc.exe Token: SeAuditPrivilege 2732 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
_003E0000.exe.vir.exeexplorer.exedescription pid process target process PID 2968 wrote to memory of 2848 2968 _003E0000.exe.vir.exe explorer.exe PID 2968 wrote to memory of 2848 2968 _003E0000.exe.vir.exe explorer.exe PID 2968 wrote to memory of 2848 2968 _003E0000.exe.vir.exe explorer.exe PID 2968 wrote to memory of 2848 2968 _003E0000.exe.vir.exe explorer.exe PID 2848 wrote to memory of 2576 2848 explorer.exe svchost.exe PID 2848 wrote to memory of 2576 2848 explorer.exe svchost.exe PID 2848 wrote to memory of 2576 2848 explorer.exe svchost.exe PID 2848 wrote to memory of 2576 2848 explorer.exe svchost.exe PID 2848 wrote to memory of 2964 2848 explorer.exe vssadmin.exe PID 2848 wrote to memory of 2964 2848 explorer.exe vssadmin.exe PID 2848 wrote to memory of 2964 2848 explorer.exe vssadmin.exe PID 2848 wrote to memory of 2964 2848 explorer.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe"C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\syswow64\svchost.exe-k netsvcs3⤵
- System Location Discovery: System Language Discovery
PID:2576
-
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2964
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732