84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6

Analysis

max time kernel
147s
max time network
88s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe
Size

750KB
MD5

91396b48fe4097dc4cac1236734d9030
SHA1

f60b7690a14c7680b80508bc832bb7fb9e032183
SHA256

84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6
SHA512

4680c53a7b896a9f7cfd316bffbc801e35cc6ffbde0c86278a136a73fab891765b7303da1104e9756cabc0ab1711a9087d681abadc5b9d780dc6a4968457baf0
SSDEEP

12288:RDGJuO8TJMn/h0a8ntcw/zfZkjN3lUmF2bCPVjQiuOwJN48RWwyuEyuUDodXGEXS:RSJu7AhV8tcw7Z+NRF2uP65FJtwwZ5oY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1696	nokav.exe
856	zixuqy.exe
680	vouzg.exe

Deletes itself 1 IoCs

pid	Process
1384	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe
1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe
1696	nokav.exe
1696	nokav.exe
856	zixuqy.exe
856	zixuqy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
680	vouzg.exe
680	vouzg.exe
680	vouzg.exe
680	vouzg.exe
680	vouzg.exe
680	vouzg.exe
680	vouzg.exe
680	vouzg.exe
680	vouzg.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1696	1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	27
PID 1132 wrote to memory of 1696	1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	27
PID 1132 wrote to memory of 1696	1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	27
PID 1132 wrote to memory of 1696	1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	27
PID 1132 wrote to memory of 1384	1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	28
PID 1132 wrote to memory of 1384	1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	28
PID 1132 wrote to memory of 1384	1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	28
PID 1132 wrote to memory of 1384	1132	84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe	28
PID 1696 wrote to memory of 856	1696	nokav.exe	30
PID 1696 wrote to memory of 856	1696	nokav.exe	30
PID 1696 wrote to memory of 856	1696	nokav.exe	30
PID 1696 wrote to memory of 856	1696	nokav.exe	30
PID 856 wrote to memory of 680	856	zixuqy.exe	31
PID 856 wrote to memory of 680	856	zixuqy.exe	31
PID 856 wrote to memory of 680	856	zixuqy.exe	31
PID 856 wrote to memory of 680	856	zixuqy.exe	31
PID 856 wrote to memory of 1500	856	zixuqy.exe	32
PID 856 wrote to memory of 1500	856	zixuqy.exe	32
PID 856 wrote to memory of 1500	856	zixuqy.exe	32
PID 856 wrote to memory of 1500	856	zixuqy.exe	32

C:\Users\Admin\AppData\Local\Temp\84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe
"C:\Users\Admin\AppData\Local\Temp\84c5a11552eda0feab083594d6a1ee1f275769c20978d4347ade1f168ff52ed6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\nokav.exe
  "C:\Users\Admin\AppData\Local\Temp\nokav.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\zixuqy.exe
    "C:\Users\Admin\AppData\Local\Temp\zixuqy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\vouzg.exe
      "C:\Users\Admin\AppData\Local\Temp\vouzg.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
665d40f83d93cbe3d8c9e78cda8c0d48

SHA1
b4a888f0b7da943559680895f76d40851034f733

SHA256
7bc428a5a5f09ad377d471507948e7aeb19f07972509771303efdec672b478e3

SHA512
a39052e985d9d223be14c7867698d936f69d6a1f6a14862b5b93293f3ddc7d55e63b25f96a186ed05d83ff248587c411794d5bb8e9d9670fc2eaa8fd1930637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a56f4dda8452465cfadc0538e4ef007b

SHA1
18634479aa0cc15b40c64c644e0456a8a150fc2b

SHA256
e851917fa2b90afcb37b7935a934522f478e334983ce89c903f398ae675c4380

SHA512
d3f38121e10d9ad98ca16133082a3147fe77caf0ae205674811c616fa887bdbf2033026fee7df629afba294f1a21fa6582b6f208be56459b4d97a5b93b269d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8c10bcb39d0376d310cbe050aee6fb3a

SHA1
b67e6948d147e51447fc9269b88a74f6bf207443

SHA256
14bcad6a6e3f96f75564b954db5662b5ab1baa863516b6e469777d90975cd2c7

SHA512
15905b94a4180eb16756680d97e15cdf052c8c5bc0c610a78533e5678547fd778df3b114e2b91f582c05dfcff578ddf46a9a1542e272114293dc341e44064f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokav.exe

Filesize
751KB

MD5
69c3813de49d406f4ba35c3d29b39921

SHA1
b22b9121b7b580e5828b928297436f1b869be38b

SHA256
55509b34219dfee7729663a2a473493134d1eb7f701aeb936d2b7f9800229248

SHA512
c66d6f498c7aa2f812994666e66dc2138a5abf13d64aee3c06216bb8ed45498c02d03f64f46150976856b2d46876f95811f131b90eca087ebb77cf24b4cfad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokav.exe

Filesize
751KB

MD5
69c3813de49d406f4ba35c3d29b39921

SHA1
b22b9121b7b580e5828b928297436f1b869be38b

SHA256
55509b34219dfee7729663a2a473493134d1eb7f701aeb936d2b7f9800229248

SHA512
c66d6f498c7aa2f812994666e66dc2138a5abf13d64aee3c06216bb8ed45498c02d03f64f46150976856b2d46876f95811f131b90eca087ebb77cf24b4cfad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\vouzg.exe

Filesize
652KB

MD5
a96ddc9c784da16b6ed2fc4994abe061

SHA1
fc58a7afb6d307e6484120aafe946e9333efde47

SHA256
9e07c35a1671baa17a3e5d2f29de1117293f0b8ebb3461793d17df0da0b3b311

SHA512
c6d365c651a73330f125e451c3ffe909e3a6e379952d66d5658be178fb47f7a2d75237ef6022d1e6efa4fd879f578519dc7a79cbd155dd532e3b811057253061

Download Submit
C:\Users\Admin\AppData\Local\Temp\zixuqy.exe

Filesize
751KB

MD5
69c3813de49d406f4ba35c3d29b39921

SHA1
b22b9121b7b580e5828b928297436f1b869be38b

SHA256
55509b34219dfee7729663a2a473493134d1eb7f701aeb936d2b7f9800229248

SHA512
c66d6f498c7aa2f812994666e66dc2138a5abf13d64aee3c06216bb8ed45498c02d03f64f46150976856b2d46876f95811f131b90eca087ebb77cf24b4cfad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\zixuqy.exe

Filesize
751KB

MD5
69c3813de49d406f4ba35c3d29b39921

SHA1
b22b9121b7b580e5828b928297436f1b869be38b

SHA256
55509b34219dfee7729663a2a473493134d1eb7f701aeb936d2b7f9800229248

SHA512
c66d6f498c7aa2f812994666e66dc2138a5abf13d64aee3c06216bb8ed45498c02d03f64f46150976856b2d46876f95811f131b90eca087ebb77cf24b4cfad20

Download Submit
\Users\Admin\AppData\Local\Temp\nokav.exe

Filesize
751KB

MD5
69c3813de49d406f4ba35c3d29b39921

SHA1
b22b9121b7b580e5828b928297436f1b869be38b

SHA256
55509b34219dfee7729663a2a473493134d1eb7f701aeb936d2b7f9800229248

SHA512
c66d6f498c7aa2f812994666e66dc2138a5abf13d64aee3c06216bb8ed45498c02d03f64f46150976856b2d46876f95811f131b90eca087ebb77cf24b4cfad20

Download Submit
\Users\Admin\AppData\Local\Temp\nokav.exe

Filesize
751KB

MD5
69c3813de49d406f4ba35c3d29b39921

SHA1
b22b9121b7b580e5828b928297436f1b869be38b

SHA256
55509b34219dfee7729663a2a473493134d1eb7f701aeb936d2b7f9800229248

SHA512
c66d6f498c7aa2f812994666e66dc2138a5abf13d64aee3c06216bb8ed45498c02d03f64f46150976856b2d46876f95811f131b90eca087ebb77cf24b4cfad20

Download Submit
\Users\Admin\AppData\Local\Temp\vouzg.exe

Filesize
652KB

MD5
a96ddc9c784da16b6ed2fc4994abe061

SHA1
fc58a7afb6d307e6484120aafe946e9333efde47

SHA256
9e07c35a1671baa17a3e5d2f29de1117293f0b8ebb3461793d17df0da0b3b311

SHA512
c6d365c651a73330f125e451c3ffe909e3a6e379952d66d5658be178fb47f7a2d75237ef6022d1e6efa4fd879f578519dc7a79cbd155dd532e3b811057253061

Download Submit
\Users\Admin\AppData\Local\Temp\vouzg.exe

Filesize
652KB

MD5
a96ddc9c784da16b6ed2fc4994abe061

SHA1
fc58a7afb6d307e6484120aafe946e9333efde47

SHA256
9e07c35a1671baa17a3e5d2f29de1117293f0b8ebb3461793d17df0da0b3b311

SHA512
c6d365c651a73330f125e451c3ffe909e3a6e379952d66d5658be178fb47f7a2d75237ef6022d1e6efa4fd879f578519dc7a79cbd155dd532e3b811057253061

Download Submit
\Users\Admin\AppData\Local\Temp\zixuqy.exe

Filesize
751KB

MD5
69c3813de49d406f4ba35c3d29b39921

SHA1
b22b9121b7b580e5828b928297436f1b869be38b

SHA256
55509b34219dfee7729663a2a473493134d1eb7f701aeb936d2b7f9800229248

SHA512
c66d6f498c7aa2f812994666e66dc2138a5abf13d64aee3c06216bb8ed45498c02d03f64f46150976856b2d46876f95811f131b90eca087ebb77cf24b4cfad20

Download Submit
\Users\Admin\AppData\Local\Temp\zixuqy.exe

Filesize
751KB

MD5
69c3813de49d406f4ba35c3d29b39921

SHA1
b22b9121b7b580e5828b928297436f1b869be38b

SHA256
55509b34219dfee7729663a2a473493134d1eb7f701aeb936d2b7f9800229248

SHA512
c66d6f498c7aa2f812994666e66dc2138a5abf13d64aee3c06216bb8ed45498c02d03f64f46150976856b2d46876f95811f131b90eca087ebb77cf24b4cfad20

Download Submit
memory/680-86-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/680-85-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/856-74-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/856-80-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1132-60-0x0000000002710000-0x00000000027EC000-memory.dmp

Filesize
880KB

Download
memory/1132-59-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1132-65-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1696-63-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1696-71-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download