610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0

General

Target

610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe
Size

281KB
MD5

45eb7b4ef35da0d16a5536cdaa9c7799
SHA1

0a874599297d2aa5ae66643fd2fcc2cc3a533a12
SHA256

610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0
SHA512

39c9efd66075046cd97d4a56e648426a5c1ff0278eefc04aa12c17518b7bd323fff92fb47d2915cfbc05583029dbbe37e5c58a5679c2b890f18c5d4ecfdc096c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

kvzmznkwrn.exe

pid process

1448 kvzmznkwrn.exe

pid	process
1448	kvzmznkwrn.exe

Loads dropped DLL 3 IoCs

Processes:

610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exekvzmznkwrn.exe

pid	process
1364	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe
1364	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe
1448	kvzmznkwrn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exekvzmznkwrn.exe

description	pid	process	target process
PID 1364 wrote to memory of 1448	1364	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe	kvzmznkwrn.exe
PID 1364 wrote to memory of 1448	1364	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe	kvzmznkwrn.exe
PID 1364 wrote to memory of 1448	1364	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe	kvzmznkwrn.exe
PID 1364 wrote to memory of 1448	1364	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe	kvzmznkwrn.exe
PID 1448 wrote to memory of 1720	1448	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 1448 wrote to memory of 1720	1448	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 1448 wrote to memory of 1720	1448	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 1448 wrote to memory of 1720	1448	kvzmznkwrn.exe	kvzmznkwrn.exe

C:\Users\Admin\AppData\Local\Temp\610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe
"C:\Users\Admin\AppData\Local\Temp\610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
3⤵
PID:1720

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
Filesize
4KB

MD5
7af6fd7843eb2d383a08f3d9d41eab61

SHA1
cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba

SHA256
de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765

SHA512
7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
Filesize
4KB

MD5
7af6fd7843eb2d383a08f3d9d41eab61

SHA1
cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba

SHA256
de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765

SHA512
7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
Filesize
5KB

MD5
df54e923813902f353c2ccc8d89e5e97

SHA1
fba331d592bbf07a4320506f76d73c835ef573fa

SHA256
1d0f324a41cfbf8d29d1f91401c58f1283ac4209419dec4d0dfd2ddd0bb718f1

SHA512
c097e478e386a666f8ff322e437c3bab24399c1dab373708867c7600be9209add688d85752393639ff5500c67eef19580cafaa108e4bfbb066ae9717335a38ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\snpdt7niup2cx7xuu
Filesize
103KB

MD5
4e7bfc3bd7bb656eab1d23d27854861e

SHA1
564e95e844719d7d9b6c865a9091cbc950c8ae09

SHA256
7eb949429704877f655fc47d164223aa96f791377f200eee42402d4dd4b9c0aa

SHA512
f253033d221f0f42236514d02253aed87125d8005bae8f46e3144c7d5c00124a4bf97404b5313bbfe266664c683537d7ba33e6af6b60df164610bae1b32bef2c

Download Submit
\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
Filesize
4KB

MD5
7af6fd7843eb2d383a08f3d9d41eab61

SHA1
cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba

SHA256
de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765

SHA512
7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75

Download Submit
\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
Filesize
4KB

MD5
7af6fd7843eb2d383a08f3d9d41eab61

SHA1
cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba

SHA256
de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765

SHA512
7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75

Download Submit
\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
Filesize
4KB

MD5
7af6fd7843eb2d383a08f3d9d41eab61

SHA1
cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba

SHA256
de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765

SHA512
7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75

Download Submit
memory/1364-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1448-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing