6b18e34dddee12331171d4683b5f9043f85cf7b424c75c33d79a4c54fdfe793d

Analysis

max time kernel
42s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 06:33

Target

6b18e34dddee12331171d4683b5f9043f85cf7b424c75c33d79a4c54fdfe793d.exe
Size

316KB
MD5

52354f4e2cf11301e27e877c7c9780f7
SHA1

a51e12ca19f67afb1a30e0dd5103fc6144e8cf6e
SHA256

6b18e34dddee12331171d4683b5f9043f85cf7b424c75c33d79a4c54fdfe793d
SHA512

d0274b8aa60ff14c95db5f7936a35749200c64622012e4c213136822311bec64ac09c6544dbfe0655867b36351cd2e168c199c66d0de49e8a5c2854d6bf3af16
SSDEEP

3072:3SwRgD8LRtxUwatwc9K6pQ32afgWDoiASe+g33o5waX1Z14+wawBkyRE:NRgQxnJ6S32Mk5+OaF4tBk3

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winNetSc.exe	6b18e34dddee12331171d4683b5f9043f85cf7b424c75c33d79a4c54fdfe793d.exe
File created	C:\Windows\SysWOW64\rvmsv.exe	6b18e34dddee12331171d4683b5f9043f85cf7b424c75c33d79a4c54fdfe793d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\6b18e34dddee12331171d4683b5f9043f85cf7b424c75c33d79a4c54fdfe793d.exe
"C:\Users\Admin\AppData\Local\Temp\6b18e34dddee12331171d4683b5f9043f85cf7b424c75c33d79a4c54fdfe793d.exe"
1⤵
- Drops file in System32 directory
PID:632
- C:\Windows\SysWOW64\rvmsv.exe
  "C:\Windows\system32\rvmsv.exe"
  2⤵
  PID:764
- C:\Windows\SysWOW64\winNetSc.exe
  "C:\Windows\system32\winNetSc.exe"
  2⤵
  PID:4380

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\SysWOW64\rvmsv.exe

Filesize
28KB

MD5
4cea176eccd262f15d2e43ee0481f738

SHA1
91a7d67fbb0fe07698a155ec208ae965da85acf6

SHA256
8f63fb65632356c6036d6cc013c6075f4ad004769c524891e4f36537c7f2d6f7

SHA512
0de4688d6f436da7546b41edefc8118f98c5f1687ca42711d9acd609a1e01dd4dbe7c301e5459c8a89d1fc474cf097601899a32f163d23d36e8f1b6ef4a2fa8a

Download Submit
C:\Windows\SysWOW64\rvmsv.exe

Filesize
28KB

MD5
4cea176eccd262f15d2e43ee0481f738

SHA1
91a7d67fbb0fe07698a155ec208ae965da85acf6

SHA256
8f63fb65632356c6036d6cc013c6075f4ad004769c524891e4f36537c7f2d6f7

SHA512
0de4688d6f436da7546b41edefc8118f98c5f1687ca42711d9acd609a1e01dd4dbe7c301e5459c8a89d1fc474cf097601899a32f163d23d36e8f1b6ef4a2fa8a

Download Submit
C:\Windows\SysWOW64\winNetSc.exe

Filesize
16KB

MD5
2d2453c45daaa31a5586fb3c4ad59b7b

SHA1
1253f8c700a570a1d2a1cbf48e63ee702dd17ddb

SHA256
6f6c9b08b6cac26c687f701524db7c9d393f6e663d6f30fd927fe4fb053fb895

SHA512
69e7693c29c7d3807e318c2efd597959098d64ad86dc9e7b8df38e5ed616820171fb89a2a9494653c17852a64081efab030956eb832c7c5df739c773ad79119b

Download Submit
C:\Windows\SysWOW64\winNetSc.exe

Filesize
16KB

MD5
2d2453c45daaa31a5586fb3c4ad59b7b

SHA1
1253f8c700a570a1d2a1cbf48e63ee702dd17ddb

SHA256
6f6c9b08b6cac26c687f701524db7c9d393f6e663d6f30fd927fe4fb053fb895

SHA512
69e7693c29c7d3807e318c2efd597959098d64ad86dc9e7b8df38e5ed616820171fb89a2a9494653c17852a64081efab030956eb832c7c5df739c773ad79119b

Download Submit