42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9

General

Target

42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe
Size

1.7MB
MD5

88df9e0cba3222e4317238d6e25ff148
SHA1

0f39b4e5ff8954c09d4697009fbd4054f7927b64
SHA256

42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9
SHA512

5e2cd3644c5b13b924d8f24c3b8d9154bc70bdd475260606d9e2bb30230c96b5398b550b9f1085d8299ef9dfaf58890071207138aeb6a51f03c6a7599e4931f7
SSDEEP

24576:/i7RWmsRHzvDlZ9mUXbWGDXLbANwJ7VOgne:/igHzblKUXbP2gne

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
276	Volverine_v.2.2.exe
696	gcewifi.exe

Loads dropped DLL 4 IoCs

pid	Process
1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe
1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe
1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe
1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Windows\\Wincft.exe"	gcewifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	gcewifi.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Social Network\epi\Volverine_v.2.2.exe	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe
File created	C:\Program Files\Social Network\epi\tavpfhr.jpeg	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe
File created	C:\Program Files\Social Network\epi\gcewifi.exe	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe
File opened for modification	C:\Program Files\Social Network\epi\tavpfhr.jpeg	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Wincft.exe	gcewifi.exe
File opened for modification	C:\Windows\Wincft.exe	gcewifi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 276	1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe	27
PID 1492 wrote to memory of 276	1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe	27
PID 1492 wrote to memory of 276	1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe	27
PID 1492 wrote to memory of 276	1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe	27
PID 1492 wrote to memory of 696	1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe	28
PID 1492 wrote to memory of 696	1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe	28
PID 1492 wrote to memory of 696	1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe	28
PID 1492 wrote to memory of 696	1492	42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe	28

C:\Users\Admin\AppData\Local\Temp\42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe
"C:\Users\Admin\AppData\Local\Temp\42a453dda8078879134f3d475964027ac08478947c3989fed0ea77abd4c2fec9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Program Files\Social Network\epi\Volverine_v.2.2.exe
  "C:\Program Files\Social Network\epi\Volverine_v.2.2.exe" NULL
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Program Files\Social Network\epi\gcewifi.exe
  "C:\Program Files\Social Network\epi\gcewifi.exe" NULL
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Social Network\epi\Volverine_v.2.2.exe

Filesize
425KB

MD5
64d5cf865fa1cf0f956d636f4ea0ed27

SHA1
01e2a69e45ace2f374102acb356afd577bdf920e

SHA256
80b202981e885f74022a94c0f36c3e7aba3a8f9ae4d6b450e63f716296cbdec3

SHA512
ad1ffb392b1a3721b0deac4ca8398e28b28af6c8a7c5d741ffcbecb7a53ae8c57f1a8f8f851805dbce03e4116dbd0ba935ffd0564db4a25607af4845768eaf7b

Download Submit
C:\Program Files\Social Network\epi\gcewifi.exe

Filesize
564KB

MD5
169fb97f8d32ce28bdcd8661a98a158a

SHA1
7f642b3fb742f1de8bdb3b22e95e6162b6852a25

SHA256
d3d77ea4760db80678425f00f6499ad550fc37cb96d7c4f6c62857fe8f125e8d

SHA512
9b4491abe957eae7ddd5a172f215ed46d5290b01618774eb314f657fb053d9b1ed7acabde0b020d17e4e50efe8e6aeed3217dfab9d3a76325af90bc1a345fa97

Download Submit
C:\Program Files\Social Network\epi\gcewifi.exe

Filesize
564KB

MD5
169fb97f8d32ce28bdcd8661a98a158a

SHA1
7f642b3fb742f1de8bdb3b22e95e6162b6852a25

SHA256
d3d77ea4760db80678425f00f6499ad550fc37cb96d7c4f6c62857fe8f125e8d

SHA512
9b4491abe957eae7ddd5a172f215ed46d5290b01618774eb314f657fb053d9b1ed7acabde0b020d17e4e50efe8e6aeed3217dfab9d3a76325af90bc1a345fa97

Download Submit
\Program Files\Social Network\epi\Volverine_v.2.2.exe

Filesize
425KB

MD5
64d5cf865fa1cf0f956d636f4ea0ed27

SHA1
01e2a69e45ace2f374102acb356afd577bdf920e

SHA256
80b202981e885f74022a94c0f36c3e7aba3a8f9ae4d6b450e63f716296cbdec3

SHA512
ad1ffb392b1a3721b0deac4ca8398e28b28af6c8a7c5d741ffcbecb7a53ae8c57f1a8f8f851805dbce03e4116dbd0ba935ffd0564db4a25607af4845768eaf7b

Download Submit
\Program Files\Social Network\epi\Volverine_v.2.2.exe

Filesize
425KB

MD5
64d5cf865fa1cf0f956d636f4ea0ed27

SHA1
01e2a69e45ace2f374102acb356afd577bdf920e

SHA256
80b202981e885f74022a94c0f36c3e7aba3a8f9ae4d6b450e63f716296cbdec3

SHA512
ad1ffb392b1a3721b0deac4ca8398e28b28af6c8a7c5d741ffcbecb7a53ae8c57f1a8f8f851805dbce03e4116dbd0ba935ffd0564db4a25607af4845768eaf7b

Download Submit
\Program Files\Social Network\epi\gcewifi.exe

Filesize
564KB

MD5
169fb97f8d32ce28bdcd8661a98a158a

SHA1
7f642b3fb742f1de8bdb3b22e95e6162b6852a25

SHA256
d3d77ea4760db80678425f00f6499ad550fc37cb96d7c4f6c62857fe8f125e8d

SHA512
9b4491abe957eae7ddd5a172f215ed46d5290b01618774eb314f657fb053d9b1ed7acabde0b020d17e4e50efe8e6aeed3217dfab9d3a76325af90bc1a345fa97

Download Submit
\Program Files\Social Network\epi\gcewifi.exe

Filesize
564KB

MD5
169fb97f8d32ce28bdcd8661a98a158a

SHA1
7f642b3fb742f1de8bdb3b22e95e6162b6852a25

SHA256
d3d77ea4760db80678425f00f6499ad550fc37cb96d7c4f6c62857fe8f125e8d

SHA512
9b4491abe957eae7ddd5a172f215ed46d5290b01618774eb314f657fb053d9b1ed7acabde0b020d17e4e50efe8e6aeed3217dfab9d3a76325af90bc1a345fa97

Download Submit
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing