2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e

Analysis

max time kernel
147s
max time network
192s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
Size

204KB
MD5

0438dd3b13d33eeb17c7176994522101
SHA1

48e40cf00db479d380fcc1e572590b129068ff7b
SHA256

2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e
SHA512

82506c46318c213e976e4495d8467d72385aa49b34baa566c0ffd7deaa68c8eb6587dc6653431c570307e032b5b83058dca046379ba65a37a45011d5e0294bef
SSDEEP

3072:FRRe/rSF50ZYtXVi0kPf0kP80kPVIKlXVv3h7Uk:FbMZIVf

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1708	rvmsv.exe
1212	netsvcnt32.exe
1752	nethost32.exe
936	rvmsv.exe

Deletes itself 1 IoCs

pid	Process
1860	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nethost32.exe	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
File created	C:\Windows\SysWOW64\rvmsv.exe	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
File created	C:\Windows\SysWOW64\netsvcnt32.exe	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rvmsv.exe	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1212	netsvcnt32.exe
1752	nethost32.exe
936	rvmsv.exe
1708	rvmsv.exe
1212	netsvcnt32.exe
1752	nethost32.exe
936	rvmsv.exe
1708	rvmsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1708	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	27
PID 2040 wrote to memory of 1708	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	27
PID 2040 wrote to memory of 1708	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	27
PID 2040 wrote to memory of 1708	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	27
PID 2040 wrote to memory of 1212	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	28
PID 2040 wrote to memory of 1212	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	28
PID 2040 wrote to memory of 1212	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	28
PID 2040 wrote to memory of 1212	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	28
PID 2040 wrote to memory of 1752	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	29
PID 2040 wrote to memory of 1752	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	29
PID 2040 wrote to memory of 1752	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	29
PID 2040 wrote to memory of 1752	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	29
PID 2040 wrote to memory of 936	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	30
PID 2040 wrote to memory of 936	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	30
PID 2040 wrote to memory of 936	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	30
PID 2040 wrote to memory of 936	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	30
PID 2040 wrote to memory of 1860	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	31
PID 2040 wrote to memory of 1860	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	31
PID 2040 wrote to memory of 1860	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	31
PID 2040 wrote to memory of 1860	2040	2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe	31

C:\Users\Admin\AppData\Local\Temp\2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe
"C:\Users\Admin\AppData\Local\Temp\2a47754edb68093d3f6894820a992acb3bc43935043fdbd5ed39f94942fb895e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\rvmsv.exe
  "C:\Windows\system32\rvmsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Windows\SysWOW64\netsvcnt32.exe
  "C:\Windows\system32\netsvcnt32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Windows\SysWOW64\nethost32.exe
  "C:\Windows\system32\nethost32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Windows\rvmsv.exe
  "C:\Windows\rvmsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\mp119.bat" "
  2⤵
  - Deletes itself
  PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\nethost32.exe

Filesize
28KB

MD5
4245b1ad3d8158911c9fe6372f5c71d2

SHA1
ebb2c7d6612bb02f5708aa86b5654a3cf119a919

SHA256
d6bd0534b8f8e9ccf6eecad1bc1c35e7f4945513d3f220f1d1274736956f23d7

SHA512
04c7759251d969e85beff9b9e46fabe688432e09d7121ed4381a4b9c8d812977bd9b8233a3fabdc3e5e015719b831b442b142a07bc5740f5cc74816c90897f5a

Download Submit
C:\Windows\SysWOW64\netsvcnt32.exe

Filesize
28KB

MD5
ac17576e4aba86de7d6b20186cafa64f

SHA1
c85aeb3ebac53e2c822848e69a9eb7d98b168685

SHA256
114ad79b9892ecd546a10183438d1fd8db5d2a9331ad75db1e00bd301dc8cf64

SHA512
03fb2bba3a57cc00c26a32590de29a57d8c2acf5b44c3d4bc1bc19e2e13e1f114e5c6957fa2c8a3d1cec43ec79277fc270e94de4aa33caa52142a0ae5f8a65f3

Download Submit
C:\Windows\SysWOW64\rvmsv.exe

Filesize
32KB

MD5
a01831f06a52b70b909c9d6b7b6c2bb4

SHA1
471d19f357d74faece542b0e4a0eae5652f7f5c1

SHA256
3909b13f85089647e8b08fb08af3da46851207ccf028d5b3e1e953a0a6ce182a

SHA512
89a4a15edabb7526c7656a00eb308020018e75e05251910043ba5988a90bbfc7f0574e7e65a4f2eaca143405e7b7546ffaff245425afc1cab464c0482a68376a

Download Submit
C:\Windows\rvmsv.exe

Filesize
28KB

MD5
5e0e2237936e6a03c9a8c442d5a40298

SHA1
e0037c9c99ca6eb57603ac0eb89662c220db0035

SHA256
60cf6d443bd4d6c21c234cfade7b79d83b7b6467db34452c9c9a02c692cf2310

SHA512
83f424a27e9c00e924b3bb680def2d8d0a624052b46f1b1b9fa8867965962e0b6a5c28a6da10fc6ee0d4e9cda522d66e0e0a4075a50468fd75ad229dfa1950fa

Download Submit
C:\mp119.bat

Filesize
286B

MD5
05fe33e5e7c99d79638f36613cc44544

SHA1
3636bf8982a6887f3d88c23017409c35d2565de4

SHA256
2c0eaf86e9d300f1d2162f3db1177bc521ad7368158f68b96182d15df7a73013

SHA512
fff72f5cc415d5c2e3ca8629075f8a91ffd23e27a2ab628ac15a8e759b1aa223e217f250db6fde72fbe03f7d271e44836778b38d81cbed7771c96df3ee13ca2d

Download Submit
\Windows\SysWOW64\nethost32.exe

Filesize
28KB

MD5
4245b1ad3d8158911c9fe6372f5c71d2

SHA1
ebb2c7d6612bb02f5708aa86b5654a3cf119a919

SHA256
d6bd0534b8f8e9ccf6eecad1bc1c35e7f4945513d3f220f1d1274736956f23d7

SHA512
04c7759251d969e85beff9b9e46fabe688432e09d7121ed4381a4b9c8d812977bd9b8233a3fabdc3e5e015719b831b442b142a07bc5740f5cc74816c90897f5a

Download Submit
\Windows\SysWOW64\nethost32.exe

Filesize
28KB

MD5
4245b1ad3d8158911c9fe6372f5c71d2

SHA1
ebb2c7d6612bb02f5708aa86b5654a3cf119a919

SHA256
d6bd0534b8f8e9ccf6eecad1bc1c35e7f4945513d3f220f1d1274736956f23d7

SHA512
04c7759251d969e85beff9b9e46fabe688432e09d7121ed4381a4b9c8d812977bd9b8233a3fabdc3e5e015719b831b442b142a07bc5740f5cc74816c90897f5a

Download Submit
\Windows\SysWOW64\netsvcnt32.exe

Filesize
28KB

MD5
ac17576e4aba86de7d6b20186cafa64f

SHA1
c85aeb3ebac53e2c822848e69a9eb7d98b168685

SHA256
114ad79b9892ecd546a10183438d1fd8db5d2a9331ad75db1e00bd301dc8cf64

SHA512
03fb2bba3a57cc00c26a32590de29a57d8c2acf5b44c3d4bc1bc19e2e13e1f114e5c6957fa2c8a3d1cec43ec79277fc270e94de4aa33caa52142a0ae5f8a65f3

Download Submit
\Windows\SysWOW64\netsvcnt32.exe

Filesize
28KB

MD5
ac17576e4aba86de7d6b20186cafa64f

SHA1
c85aeb3ebac53e2c822848e69a9eb7d98b168685

SHA256
114ad79b9892ecd546a10183438d1fd8db5d2a9331ad75db1e00bd301dc8cf64

SHA512
03fb2bba3a57cc00c26a32590de29a57d8c2acf5b44c3d4bc1bc19e2e13e1f114e5c6957fa2c8a3d1cec43ec79277fc270e94de4aa33caa52142a0ae5f8a65f3

Download Submit
\Windows\SysWOW64\rvmsv.exe

Filesize
32KB

MD5
a01831f06a52b70b909c9d6b7b6c2bb4

SHA1
471d19f357d74faece542b0e4a0eae5652f7f5c1

SHA256
3909b13f85089647e8b08fb08af3da46851207ccf028d5b3e1e953a0a6ce182a

SHA512
89a4a15edabb7526c7656a00eb308020018e75e05251910043ba5988a90bbfc7f0574e7e65a4f2eaca143405e7b7546ffaff245425afc1cab464c0482a68376a

Download Submit
\Windows\SysWOW64\rvmsv.exe

Filesize
32KB

MD5
a01831f06a52b70b909c9d6b7b6c2bb4

SHA1
471d19f357d74faece542b0e4a0eae5652f7f5c1

SHA256
3909b13f85089647e8b08fb08af3da46851207ccf028d5b3e1e953a0a6ce182a

SHA512
89a4a15edabb7526c7656a00eb308020018e75e05251910043ba5988a90bbfc7f0574e7e65a4f2eaca143405e7b7546ffaff245425afc1cab464c0482a68376a

Download Submit
memory/936-67-0x0000000000000000-mapping.dmp

Download
memory/1212-61-0x0000000000000000-mapping.dmp

Download
memory/1708-57-0x0000000000000000-mapping.dmp

Download
memory/1752-65-0x0000000000000000-mapping.dmp

Download
memory/1860-69-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download