02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43

General

Target

02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
Size

2.1MB
MD5

c53bc2e1dbc91fa353fff5671a9af5f2
SHA1

f3871a15fc5513622bb9a7c716811095d86c798a
SHA256

02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43
SHA512

7430021cf666533a3525df6b4d201fa99c0565a972d0b36b8357732cca23249374c5faa33e4519735dfe23dd4fff528f9d647100329206b14bc06cbb5673a7e5
SSDEEP

49152:r8GntthMrDaKGUMrAJJyGHDZOshZRg4bUTj5roB:Nt0rWuMsJJOMgg+5ri

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\mhyvxz.SYS	1188.exe

Executes dropped EXE 1 IoCs

pid	Process
804	1188.exe

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\cppscn\Parameters\ServiceDll = "%SystemRoot%\\System32\\mhyvxz.fdf"	1188.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cppscn\Parameters\ServiceDll = "%SystemRoot%\\System32\\mhyvxz.fdf"	1188.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\cppscn\Parameters\ServiceDll = "%SystemRoot%\\System32\\mhyvxz.fdf"	1188.exe

Loads dropped DLL 4 IoCs

pid	Process
1280	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
1280	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
804	1188.exe
1496	SVCHOST.EXE

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_7075503	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
File created	C:\WINDOWS\SysWOW64\88.mpg	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
File opened for modification	C:\WINDOWS\SysWOW64\88.mpg	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
File created	C:\WINDOWS\SysWOW64\1188.exe	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
File opened for modification	C:\WINDOWS\SysWOW64\1188.exe	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
File created	C:\Windows\SysWOW64\041497.imi	1188.exe
File created	C:\Windows\SysWOW64\mhyvxz.fdf	1188.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1496	SVCHOST.EXE
1496	SVCHOST.EXE
1496	SVCHOST.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 804	1280	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe	28
PID 1280 wrote to memory of 804	1280	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe	28
PID 1280 wrote to memory of 804	1280	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe	28
PID 1280 wrote to memory of 804	1280	02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe	28

C:\Users\Admin\AppData\Local\Temp\02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe
"C:\Users\Admin\AppData\Local\Temp\02677edff4d9608b6b445362194ea931124a2ce469287357fb8087364edaeb43.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1280
- C:\WINDOWS\SysWOW64\1188.exe
  "C:\WINDOWS\system32\1188.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:804

C:\Windows\SysWOW64\SVCHOST.EXE
C:\Windows\SysWOW64\SVCHOST.EXE -k cppscn
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\1188.exe

Filesize
64KB

MD5
ba9e5383a9d9499c4803eeccaf45f6e8

SHA1
fcb7a394bc66ed6e9eb5008a7250e50a83e8d37f

SHA256
41cccc7b24bb8d64c60a7b65e164036ebbc9bd52c94f7d060eeba991cbd28c18

SHA512
f152376a39b49cac7f2ab7d3291451da0638e05c564da0be93b7da67652010700987d88e8d5f4fcdc24c817360199dd2039817e8666c09992c3ef16519e041c7

Download Submit
C:\Windows\SysWOW64\1188.exe

Filesize
64KB

MD5
ba9e5383a9d9499c4803eeccaf45f6e8

SHA1
fcb7a394bc66ed6e9eb5008a7250e50a83e8d37f

SHA256
41cccc7b24bb8d64c60a7b65e164036ebbc9bd52c94f7d060eeba991cbd28c18

SHA512
f152376a39b49cac7f2ab7d3291451da0638e05c564da0be93b7da67652010700987d88e8d5f4fcdc24c817360199dd2039817e8666c09992c3ef16519e041c7

Download Submit
\??\c:\windows\SysWOW64\mhyvxz.fdf

Filesize
93KB

MD5
7a37827fa8bea3cf5f846392f2c07f24

SHA1
5260e79b357ca318a46197983fb35a000e5795e5

SHA256
54da2ac1eb37d31a7287af3dc9e602372b1a1c33a430261fa4efa0572d027f78

SHA512
bc914159f0152d80961a35898927e2dc9e98ffde987c518aa8ea64f6201784d7c70e9ff604a61094b5d1938cfb2f75279ec6b6eeade379ab602036ef0068af67

Download Submit
\Windows\SysWOW64\1188.exe

Filesize
64KB

MD5
ba9e5383a9d9499c4803eeccaf45f6e8

SHA1
fcb7a394bc66ed6e9eb5008a7250e50a83e8d37f

SHA256
41cccc7b24bb8d64c60a7b65e164036ebbc9bd52c94f7d060eeba991cbd28c18

SHA512
f152376a39b49cac7f2ab7d3291451da0638e05c564da0be93b7da67652010700987d88e8d5f4fcdc24c817360199dd2039817e8666c09992c3ef16519e041c7

Download Submit
\Windows\SysWOW64\1188.exe

Filesize
64KB

MD5
ba9e5383a9d9499c4803eeccaf45f6e8

SHA1
fcb7a394bc66ed6e9eb5008a7250e50a83e8d37f

SHA256
41cccc7b24bb8d64c60a7b65e164036ebbc9bd52c94f7d060eeba991cbd28c18

SHA512
f152376a39b49cac7f2ab7d3291451da0638e05c564da0be93b7da67652010700987d88e8d5f4fcdc24c817360199dd2039817e8666c09992c3ef16519e041c7

Download Submit
\Windows\SysWOW64\mhyvxz.fdf

Filesize
93KB

MD5
7a37827fa8bea3cf5f846392f2c07f24

SHA1
5260e79b357ca318a46197983fb35a000e5795e5

SHA256
54da2ac1eb37d31a7287af3dc9e602372b1a1c33a430261fa4efa0572d027f78

SHA512
bc914159f0152d80961a35898927e2dc9e98ffde987c518aa8ea64f6201784d7c70e9ff604a61094b5d1938cfb2f75279ec6b6eeade379ab602036ef0068af67

Download Submit
\Windows\SysWOW64\mhyvxz.fdf

Filesize
93KB

MD5
7a37827fa8bea3cf5f846392f2c07f24

SHA1
5260e79b357ca318a46197983fb35a000e5795e5

SHA256
54da2ac1eb37d31a7287af3dc9e602372b1a1c33a430261fa4efa0572d027f78

SHA512
bc914159f0152d80961a35898927e2dc9e98ffde987c518aa8ea64f6201784d7c70e9ff604a61094b5d1938cfb2f75279ec6b6eeade379ab602036ef0068af67

Download Submit
memory/804-57-0x0000000000000000-mapping.dmp

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1496-65-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1496-66-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing