Overview
overview
10Static
static
10757e3242f6...b4.exe
windows7-x64
9757e3242f6...b4.exe
windows10-2004-x64
976fe72e0ec...ss.exe
windows7-x64
776fe72e0ec...ss.exe
windows10-2004-x64
1078d4cf8df6...B3.exe
windows7-x64
778d4cf8df6...B3.exe
windows10-2004-x64
1078d4cf8df6...59.exe
windows7-x64
778d4cf8df6...59.exe
windows10-2004-x64
378db508226...69.exe
windows7-x64
978db508226...69.exe
windows10-2004-x64
97965f6adf3...ss.exe
windows7-x64
77965f6adf3...ss.exe
windows10-2004-x64
77B75B33BCF...B5.exe
windows7-x64
17B75B33BCF...B5.exe
windows10-2004-x64
17E3903944E...72.exe
windows7-x64
77E3903944E...72.exe
windows10-2004-x64
57dd9312307...ca.dll
windows7-x64
37dd9312307...ca.dll
windows10-2004-x64
37e4c9a7e39...1f.exe
windows7-x64
97e4c9a7e39...1f.exe
windows10-2004-x64
780eb72d781...B3.exe
windows7-x64
780eb72d781...B3.exe
windows10-2004-x64
1080eb72d781...9A.exe
windows7-x64
780eb72d781...9A.exe
windows10-2004-x64
3845263c869...c8.exe
windows7-x64
9845263c869...c8.exe
windows10-2004-x64
98524224187...8f.exe
windows7-x64
68524224187...8f.exe
windows10-2004-x64
686be3831f5...39.exe
windows7-x64
686be3831f5...39.exe
windows10-2004-x64
68791931bac...DA.exe
windows7-x64
78791931bac...DA.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 09:21
Behavioral task
behavioral1
Sample
757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
7B75B33BCF4ECF013B93F84ED98B3FB5.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
7B75B33BCF4ECF013B93F84ED98B3FB5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
7E3903944EAB7B61B495572BAA60FB72.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
7E3903944EAB7B61B495572BAA60FB72.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe
Resource
win10v2004-20241007-en
General
-
Target
78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
-
Size
865KB
-
MD5
dbf3707a9cd090853a11dda9cfa78ff0
-
SHA1
5af5403d8e003812a34c7b085d878680d7130ad5
-
SHA256
78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669
-
SHA512
68b1627ed20e6980c32c44df3560fc3eeed37db2c47caaf8db86461c594a5d040a7404be777374af512fe05fcdc2f15a6014a914b1445c2e23adb741db68c7e0
-
SSDEEP
12288:SCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga+Q9bN9jQl:SCdxte/80jYLT3U1jfsWa+QpN9jQl
Malware Config
Signatures
-
Renames multiple (340) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe -
Executes dropped EXE 1 IoCs
pid Process 4024 scvhost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe" scvhost.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\r: scvhost.exe File opened (read-only) \??\k: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\o: scvhost.exe File opened (read-only) \??\q: scvhost.exe File opened (read-only) \??\y: scvhost.exe File opened (read-only) \??\e: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\j: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\z: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\t: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\v: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\x: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\t: scvhost.exe File opened (read-only) \??\b: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\g: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\p: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\u: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\m: scvhost.exe File opened (read-only) \??\n: scvhost.exe File opened (read-only) \??\u: scvhost.exe File opened (read-only) \??\z: scvhost.exe File opened (read-only) \??\h: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\i: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\s: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\b: scvhost.exe File opened (read-only) \??\s: scvhost.exe File opened (read-only) \??\m: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\r: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\a: scvhost.exe File opened (read-only) \??\p: scvhost.exe File opened (read-only) \??\v: scvhost.exe File opened (read-only) \??\a: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\i: scvhost.exe File opened (read-only) \??\l: scvhost.exe File opened (read-only) \??\e: scvhost.exe File opened (read-only) \??\g: scvhost.exe File opened (read-only) \??\h: scvhost.exe File opened (read-only) \??\k: scvhost.exe File opened (read-only) \??\w: scvhost.exe File opened (read-only) \??\l: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\n: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\w: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\j: scvhost.exe File opened (read-only) \??\x: scvhost.exe File opened (read-only) \??\o: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\q: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe File opened (read-only) \??\y: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral10/files/0x000d000000023b8b-11.dat autoit_exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language scvhost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4024 scvhost.exe 4024 scvhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4024 scvhost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1484 wrote to memory of 4024 1484 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe 83 PID 1484 wrote to memory of 4024 1484 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe 83 PID 1484 wrote to memory of 4024 1484 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe"C:\Users\Admin\AppData\Local\Temp\78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Users\Admin\AppData\Roaming\scvhost.exe"C:\Users\Admin\AppData\Roaming\scvhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:4024
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658826891613.txt.locked
Filesize77KB
MD5e130744887a8b60505f8d55a21f6e40a
SHA1f86fa40fe462a9d7857e6e5cecf380f381790f81
SHA25637a2dc8593ea862a9d512f4f46d13cf2f417a8ac45bca14baf6136eb67250afa
SHA512c6ef49d52a4d02815c8dba1bb640b49b36ae9ab464ad9eed746020c743afbda7d772e47cb53c0f842b3b10991ce6c88400d9089a40e3807949d4112cb8189f70
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt.locked
Filesize47KB
MD5ea2352483516014d022413504a74c72d
SHA16aa1aae252345cc6f03ab658cbbdf130357ea6e0
SHA256edfadb0405fbfd1da0861e76511142a4d50604ebb72006ea21fface3c2977c79
SHA5129f5296a11836733d084dd89283d8de063f3d0a598b826d2e34dc36bce1ae3c0ce9b3f75d7c1ad3aea384a6e9840f45e746a18892f3466785cf1875d825f9dfbd
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666145703406.txt.locked
Filesize65KB
MD51bfc3cb82b5351b01836fe75f0d0845f
SHA1d0dfaf96fda7a95289e96502f8c324cdfda6badd
SHA256d3b85bf0aaf23d910491caccbefb949b3d35429ad55212919a9284258fd1406d
SHA5127346162a717cd2405303fa9744ac7b7fe13fbb29fcf8f5d89d476057c79133daffb40ae7a3f89f6f29d0a00a95eae7b0e3dba1795ffe2dccdf64e2387b1ab695
-
Filesize
26KB
MD5daa74c9be0ea2bcbf174c3398e98dbfb
SHA1e5a23e3853fdcf2fab54d6a708091086a0370282
SHA2564c37593255835b87267a97e401eb97a177f9ee96fd8edb83b7df4e539d2f26ac
SHA5126b3ccf7a0ce3a68bf0f7e8823e9129baa10c26b56d698a079564bc2c8a1ca60ecae7ae9b24f3b592f53a07f2b3128f0520e3a02c408e8d927c24ff720ac28d9c
-
Filesize
4KB
MD59c819cdb7bdfe050c8d22a0d7ce68df2
SHA1a73124bfbf34b1448f92d00f305025f3ad93c56d
SHA256ec942dae0505de28a0b6102b6422f6b37c78fc727f402af9096ccc265e9cde7c
SHA512e6bbb80e0a9ad31ae49a8af6c46c462d76322bd2388d053d6f470d706a9a574828f480d7c4c35b15eefb1e383ebf1150d9d07621e224d49675890b35cdf8ed36
-
Filesize
55B
MD5d8b961c8432a069dc3f743b33b1a8983
SHA1bd0f181c12879b562c496c5c3f1760d335061564
SHA256ad144641e38eb701a569b7889e1bf5e080375a7bc4e21ff2ad35d3e352d924f6
SHA5127d8ec6db750f0a6a2db861e98e4b5a23a67bf15b1f05435f06935b2e0871dd4743b454b7350c8b0e37366ea78b53147f98fb2f64b7cc9d868076531bce49badd
-
Filesize
865KB
MD5dbf3707a9cd090853a11dda9cfa78ff0
SHA15af5403d8e003812a34c7b085d878680d7130ad5
SHA25678db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669
SHA51268b1627ed20e6980c32c44df3560fc3eeed37db2c47caaf8db86461c594a5d040a7404be777374af512fe05fcdc2f15a6014a914b1445c2e23adb741db68c7e0