4e099dee4b6248ffd4a4a86bee02311e91b065143138b6bd87e1fb5bb882bcd7

Analysis

max time kernel
25s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Grafinger-CVE2-530334.exe
Size

291KB
MD5

d7647797381bfa84ccd377fb5d1a6f34
SHA1

d0b980c107e2e20f9494b7fa534366db2a7e9a78
SHA256

4e099dee4b6248ffd4a4a86bee02311e91b065143138b6bd87e1fb5bb882bcd7
SHA512

a947ee1293ca383d83b03806b49951182b634a4429b9e76094c0d27b5e52fdaadd0e4e0340ced26ed7b5d91d22e575f58ec32d7e1a0c26671674b110dbb14d3c
SSDEEP

6144:+Ea0JTBoewUWcWkZGdREaQlCT/T++K3l5tP:lTBXwUWlk84tsC+AV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

zyvnwa.exezyvnwa.exe

pid process

316 zyvnwa.exe
928 zyvnwa.exe
Loads dropped DLL 5 IoCs

Processes:

Grafinger-CVE2-530334.exezyvnwa.exeWerFault.exe

pid process

744 Grafinger-CVE2-530334.exe
316 zyvnwa.exe
320 WerFault.exe
320 WerFault.exe
320 WerFault.exe

pid	process
316	zyvnwa.exe
928	zyvnwa.exe

pid	process
744	Grafinger-CVE2-530334.exe
316	zyvnwa.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zyvnwa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhjd = "C:\\Users\\Admin\\AppData\\Roaming\\cfugdnextqlgxw\\ijykjqpxoqu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zyvnwa.exe\" C:\\Users\\Admin\\AppDat"	zyvnwa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zyvnwa.exe

description pid process target process

PID 316 set thread context of 928 316 zyvnwa.exe zyvnwa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

320 928 WerFault.exe zyvnwa.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

zyvnwa.exe

pid process

316 zyvnwa.exe
316 zyvnwa.exe

description	pid	process	target process
PID 316 set thread context of 928	316	zyvnwa.exe	zyvnwa.exe

pid	pid_target	process	target process
320	928	WerFault.exe	zyvnwa.exe

pid	process
316	zyvnwa.exe
316	zyvnwa.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Grafinger-CVE2-530334.exezyvnwa.exezyvnwa.exe

description	pid	process	target process
PID 744 wrote to memory of 316	744	Grafinger-CVE2-530334.exe	zyvnwa.exe
PID 744 wrote to memory of 316	744	Grafinger-CVE2-530334.exe	zyvnwa.exe
PID 744 wrote to memory of 316	744	Grafinger-CVE2-530334.exe	zyvnwa.exe
PID 744 wrote to memory of 316	744	Grafinger-CVE2-530334.exe	zyvnwa.exe
PID 316 wrote to memory of 928	316	zyvnwa.exe	zyvnwa.exe
PID 316 wrote to memory of 928	316	zyvnwa.exe	zyvnwa.exe
PID 316 wrote to memory of 928	316	zyvnwa.exe	zyvnwa.exe
PID 316 wrote to memory of 928	316	zyvnwa.exe	zyvnwa.exe
PID 316 wrote to memory of 928	316	zyvnwa.exe	zyvnwa.exe
PID 928 wrote to memory of 320	928	zyvnwa.exe	WerFault.exe
PID 928 wrote to memory of 320	928	zyvnwa.exe	WerFault.exe
PID 928 wrote to memory of 320	928	zyvnwa.exe	WerFault.exe
PID 928 wrote to memory of 320	928	zyvnwa.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Grafinger-CVE2-530334.exe
"C:\Users\Admin\AppData\Local\Temp\Grafinger-CVE2-530334.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
"C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
"C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:320

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
Filesize
7KB

MD5
c635a7d44ed783fd6eaa8793f520770c

SHA1
d30c3ded3a72b62ed695078a5fd3889ac232628c

SHA256
d5cfc135d2d1e886ef30b01811e70c5e7a30f51df6eb81b5e88d101c0671a982

SHA512
22abbcbe4baa42af1d6ac502b242f37fdd4274ca44201478961f1c6628b1b369955c563b428bed82c63a5e50a3f9d9778e00e672fc588ca078b4245c6d9a7c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\helxebqi.pe
Filesize
185KB

MD5
732d96062d170b775e1480fe52604830

SHA1
8840025a51a7ed9db1e629c7206d7f4f62231c36

SHA256
e9264ef44e3ee51c13cb2544277d1ee5a8b3056be2a61f1b5df801dcaa4b926d

SHA512
89fee4787b1b1a74136708a67431d45d3f4dcbb55f7c8e68fc7852f94a3cb864ef54d5c32e2008257540cac094d8fca339199aa658913e6cef630a4cbf64a252

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
memory/316-56-0x0000000000000000-mapping.dmp

Download
memory/320-65-0x0000000000000000-mapping.dmp

Download
memory/744-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/928-63-0x00000000000812B0-mapping.dmp

Download