2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912

General

Target

2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
Size

193KB
MD5

cfb761465693bd4511f038d8e468e62e
SHA1

c8d64b3d2208a3cf40f4d9c182c9829beaa1eb86
SHA256

2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912
SHA512

2622751f9f5ab89287a1d88c9f027a7117549fcd0280f104a598c7953713d32e6ce5adfdd26abec709e1c848b8bc9f50e5226185721a22d2b3573d2d0264d36c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

asvyDmo.exe

pid process

4556 asvyDmo.exe

pid	process
4556	asvyDmo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exeasvyDmo.exe

pid	process
1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
4556	asvyDmo.exe
4556	asvyDmo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exeasvyDmo.exe

description	pid	process
Token: SeBackupPrivilege	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
Token: SeBackupPrivilege	4556	asvyDmo.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exenet.exenet.exe

description	pid	process	target process
PID 1604 wrote to memory of 4556	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	asvyDmo.exe
PID 1604 wrote to memory of 4556	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	asvyDmo.exe
PID 1604 wrote to memory of 4556	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	asvyDmo.exe
PID 1604 wrote to memory of 4700	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	net.exe
PID 1604 wrote to memory of 4700	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	net.exe
PID 1604 wrote to memory of 4700	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	net.exe
PID 4700 wrote to memory of 1144	4700	net.exe	net1.exe
PID 4700 wrote to memory of 1144	4700	net.exe	net1.exe
PID 4700 wrote to memory of 1144	4700	net.exe	net1.exe
PID 1604 wrote to memory of 4956	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	net.exe
PID 1604 wrote to memory of 4956	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	net.exe
PID 1604 wrote to memory of 4956	1604	2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe	net.exe
PID 4956 wrote to memory of 4012	4956	net.exe	net1.exe
PID 4956 wrote to memory of 4012	4956	net.exe	net1.exe
PID 4956 wrote to memory of 4012	4956	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
"C:\Users\Admin\AppData\Local\Temp\2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe
"C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1144

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe
MD5
cfb761465693bd4511f038d8e468e62e

SHA1
c8d64b3d2208a3cf40f4d9c182c9829beaa1eb86

SHA256
2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912

SHA512
2622751f9f5ab89287a1d88c9f027a7117549fcd0280f104a598c7953713d32e6ce5adfdd26abec709e1c848b8bc9f50e5226185721a22d2b3573d2d0264d36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe
MD5
cfb761465693bd4511f038d8e468e62e

SHA1
c8d64b3d2208a3cf40f4d9c182c9829beaa1eb86

SHA256
2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912

SHA512
2622751f9f5ab89287a1d88c9f027a7117549fcd0280f104a598c7953713d32e6ce5adfdd26abec709e1c848b8bc9f50e5226185721a22d2b3573d2d0264d36c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads