7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571

Resubmissions

26-10-2022 21:57

221026-1vezdahch3 8

26-10-2022 16:10

221026-tmvxasgbg8 10

Analysis

max time kernel
6s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2022 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe
Size

534KB
MD5

059ad08d9e8eef31013b815016bf2c50
SHA1

ec7aca3235e337104cae18b08519445907e33400
SHA256

7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571
SHA512

5f496575852ca180ca92df1aeaa221613259d1666936c37602f5ca605a24b8dc3394cb0323683bfef257f9b71e9235984482482df237afe4cf59ed232a30ff68
SSDEEP

12288:lnC3ziKYs6O6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGH1:ln5KYs6ZlT+lQTD/O3BArRCH1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1980	hzxody.exe
3436	hzxody.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhbbq = "C:\\Users\\Admin\\AppData\\Roaming\\eayaxcqkdieui\\agvsyjciptyuwl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hzxody.exe\" \"C:\\Users\\Admin\\App"	hzxody.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1980	hzxody.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1980	hzxody.exe
1980	hzxody.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1980	hzxody.exe
1980	hzxody.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1980	4928	7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe	82
PID 4928 wrote to memory of 1980	4928	7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe	82
PID 4928 wrote to memory of 1980	4928	7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe	82
PID 1980 wrote to memory of 3436	1980	hzxody.exe	83
PID 1980 wrote to memory of 3436	1980	hzxody.exe	83
PID 1980 wrote to memory of 3436	1980	hzxody.exe	83
PID 1980 wrote to memory of 4136	1980	hzxody.exe	84
PID 1980 wrote to memory of 4136	1980	hzxody.exe	84
PID 1980 wrote to memory of 4136	1980	hzxody.exe	84

C:\Users\Admin\AppData\Local\Temp\7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe
"C:\Users\Admin\AppData\Local\Temp\7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\hzxody.exe
  "C:\Users\Admin\AppData\Local\Temp\hzxody.exe" "C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\hzxody.exe
    "C:\Users\Admin\AppData\Local\Temp\hzxody.exe" "C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3"
    3⤵
    - Executes dropped EXE
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\hzxody.exe
    "C:\Users\Admin\AppData\Local\Temp\hzxody.exe" "C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3"
    3⤵
    PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avaujwweoog.aqh

Filesize
54KB

MD5
bb2ac542b5a191a368c06ee55c9f6d5f

SHA1
98cfc5b9fba510408f32cfc856b2c297d4c86b37

SHA256
45c74d4f072a6c2d06296ff7fb3177043be25299cdb814d1abf2d2347fdd7914

SHA512
377f1df11c4a068773766c8e2a070eb6700675f9d0f1529a104cfcfd2f6337f701d9d538b45dd754365f35d9bfd06713130b65509b5eccc7980dc9a382609e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bambwmgwb.hx

Filesize
59KB

MD5
7f61d9db546a2d62a163ebe19ce05443

SHA1
a35302b959295e2c76c78114b9a02b3a509d16e4

SHA256
584cd64ec5db4ff1b00c507f97bbc00802a00ab50dc96e7165f334dd34e2f84c

SHA512
bb9f511b5ef8ec52842c095399787a8d7922ac03309ee7ca5f880021ba02f6858b8001fc95edc925ccd6ad7f7fcf8fba2151b3e5424b3e3a41731ac2a76a27d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzxody.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzxody.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzxody.exe

Filesize
704KB

MD5
cc5610da075b8ad329978024b54399a8

SHA1
bbc5d4764b38fdf6cdd4efcccd8c390bb166d379

SHA256
24cf3db61d7e9f9668e778286bab5b3a3778c2ac55b89472675ca742aa072665

SHA512
92db4ee45130274fd91d6c2a5b2a7a9cfbabbe00c288cc1dd384f9dec10e311f3f643a7efcdee768b09b6940b092faa87d0dd704afffca4ec375feaeb285f3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\yglxfybatp.au3

Filesize
11KB

MD5
0c9abf2f221c9f14ad44b1f8ce8c968d

SHA1
81dc41f8bbaaaad9792e6e9a5739e94d979491f5

SHA256
837adc8aca44519f0cbdbb7a274da7a7e4b5bd34547ad75256c7da9db87564d3

SHA512
398e69d3445fffc00d05d5c0c65e73be0a08490bf5e0c4f2383de886cde0486e70f41b83cd11fbacc0eedb5f3aaf143414c73e3d8f0af1cbec7a4a23547ed902

Download Submit