1ff55557d41725dc469f2d4ceba020376853c80694c5ce54dfd79d2a415f928f

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 11:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Gamividu.sfx.exe
Size

723KB
MD5

2544c475bc4ae9ad6cbc54fcc6c8c0d6
SHA1

dfe4d16bed72cf9c9b58d46509b7c0d0083782c4
SHA256

1ff55557d41725dc469f2d4ceba020376853c80694c5ce54dfd79d2a415f928f
SHA512

746dbfcacdf64ab3b51d5cc3622a9278cc0c8a6fb91c4f783a28aa84919830f1791d6f54a2f46d7c572c6342a53b511fde79a22f61c71211d7f44228656f4814
SSDEEP

12288:IzxzTDWikLSb4NS7t2X+t40X2C3JawWmKobxjLWPDvbfIO/ylD6J0lak1sKPG0/8:+DWHSb4Nc0fCZyobVL2vhKlm+a6diq+n

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1296	Gamividu.exe

Loads dropped DLL 4 IoCs

pid	Process
1980	Gamividu.sfx.exe
1980	Gamividu.sfx.exe
1980	Gamividu.sfx.exe
1980	Gamividu.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1296	1980	Gamividu.sfx.exe	28
PID 1980 wrote to memory of 1296	1980	Gamividu.sfx.exe	28
PID 1980 wrote to memory of 1296	1980	Gamividu.sfx.exe	28
PID 1980 wrote to memory of 1296	1980	Gamividu.sfx.exe	28

C:\Users\Admin\AppData\Local\Temp\Gamividu.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Gamividu.sfx.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gamividu.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gamividu.exe" Gamividu.dat
  2⤵
  - Executes dropped EXE
  PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gamividu.dat

Filesize
138KB

MD5
0a4993d101a0a928b23c3b10166a21ea

SHA1
a60633962e5a4faeb9255b81ab2707b27011f41b

SHA256
d92da2b98ab6a771012bf8412b49c6052e94cbd6d488a3bb90578c8685a23f17

SHA512
7890ede5385dec23784941165aaa4ab9fb5f8bda1987e605c2e15c4277a7746ad8091496c3835f1197d48ca81ce420ff0066de9645ad20b31663c44f5902e8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gamividu.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Gamividu.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Gamividu.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Gamividu.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Gamividu.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download