Analysis
- max time kernel: 25s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 22-11-2022 09:29
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Grafinger-CVE2-530334.exe
  - Resource: win7-20221111-en
General
- Target: Grafinger-CVE2-530334.exe
- Size: 291KB
- MD5: d7647797381bfa84ccd377fb5d1a6f34
- SHA1: d0b980c107e2e20f9494b7fa534366db2a7e9a78
- SHA256: 4e099dee4b6248ffd4a4a86bee02311e91b065143138b6bd87e1fb5bb882bcd7
- SHA512: a947ee1293ca383d83b03806b49951182b634a4429b9e76094c0d27b5e52fdaadd0e4e0340ced26ed7b5d91d22e575f58ec32d7e1a0c26671674b110dbb14d3c
- SSDEEP: 6144:+Ea0JTBoewUWcWkZGdREaQlCT/T++K3l5tP:lTBXwUWlk84tsC+AV
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes: zyvnwa.exe, zyvnwa.exe
pid   process
316   zyvnwa.exe
928   zyvnwa.exe
-
Loads dropped DLL 5 IoCs
Processes: Grafinger-CVE2-530334.exe, zyvnwa.exe, WerFault.exe
pid   process
744   Grafinger-CVE2-530334.exe
316   zyvnwa.exe
320   WerFault.exe
320   WerFault.exe
320   WerFault.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: zyvnwa.exe
description       ioc                                                                                                                                                                                                                                              process
Set value (str)   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhjd = "C:\Users\Admin\AppData\Roaming\cfugdnextqlgxw\ijykjqpxoqu.exe \"C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe\" C:\Users\Admin\AppDat"   zyvnwa.exe
The value data is cut off in the report after "C:\Users\Admin\AppDat". What is visible is enough to characterise the persistence: the autorun lives in the user hive (HKCU, so no elevation was needed), it launches an executable with a random-looking name under AppData\Roaming, and it passes the Temp copy of zyvnwa.exe as the first argument, so the loader chain is re-launched at every logon.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: zyvnwa.exe
description                  pid   process      target pid   target process
PID 316 set thread context   316   zyvnwa.exe   928          zyvnwa.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic heuristic rather than evidence of encryption: the report records no bulk file writes and no ransom note, and the only dropped files are the 7KB zyvnwa.exe and two data files (fwzirnlxdnc.hzv, helxebqi.pe). Treat the signature as a weak signal on its own.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid   pid_target   process        target process
320   928          WerFault.exe   zyvnwa.exe
The crashed process is the second copy of zyvnwa.exe (PID 928), the same process that PID 316 wrote into and whose thread context it reset. Whatever was injected into it did not run to completion inside the 25s kernel window, so later-stage behaviour such as network activity should not be expected from this run.
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: zyvnwa.exe
pid   process
316   zyvnwa.exe
316   zyvnwa.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: Grafinger-CVE2-530334.exe, zyvnwa.exe, zyvnwa.exe
description               pid   process                     target pid   target process   occurrences
PID 744 wrote to memory   744   Grafinger-CVE2-530334.exe   316          zyvnwa.exe       4
PID 316 wrote to memory   316   zyvnwa.exe                  928          zyvnwa.exe       5
PID 928 wrote to memory   928   zyvnwa.exe                  320          WerFault.exe     4
Only the 316 → 928 pair is combined with SetThreadContext and MapViewOfSection by the same source process; that combination, with parent and child running the same image, is the process-hollowing pattern. The 744 → 316 and 928 → 320 writes are the ones CreateProcess performs into a newly spawned child and carry no signal on their own.
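The correlation described above, written out as code. This is an added example, not part of the sandbox report or its tooling: the event strings are condensed from the report's Signatures section (duplicate rows collapsed), the line format the parser expects is the report's own "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" phrasing, and the hollowing and autorun heuristics are the editor's, not the sandbox's.

```python
"""Correlate sandbox behaviour events into injection and persistence findings."""
import re
from collections import defaultdict

# Constructed input, condensed from the report (duplicate rows collapsed).
PROCESS_EVENTS = """\
PID 744 wrote to memory of 316 744 Grafinger-CVE2-530334.exe zyvnwa.exe
PID 316 wrote to memory of 928 316 zyvnwa.exe zyvnwa.exe
PID 316 set thread context of 928 316 zyvnwa.exe zyvnwa.exe
PID 928 wrote to memory of 320 928 zyvnwa.exe WerFault.exe
"""
# PIDs the report flagged under "Suspicious behavior: MapViewOfSection".
MAPVIEW_PIDS = frozenset({316})

# (value path, value data) for the report's "Adds Run key" event; the data is
# truncated exactly as the report prints it (constructed from the report).
REGISTRY_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run\uhjd",
     r'C:\Users\Admin\AppData\Roaming\cfugdnextqlgxw\ijykjqpxoqu.exe '
     r'"C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppDat'),
]

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)


def parse_process_events(text):
    """Turn the report's cross-process lines into dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["src"], d["dst"] = int(d["src"]), int(d["dst"])
        d["action"] = "write" if d["action"].startswith("wrote") else "setctx"
        events.append(d)
    return events


def find_hollowing(events, mapview_pids=frozenset()):
    """(src, dst) pairs where the same source both wrote into the target and reset
    a thread context in it. A parent merely writing into a new child (744 -> 316
    in the report) is what CreateProcess does and is not reported."""
    actions, images = defaultdict(set), {}
    for e in events:
        key = (e["src"], e["dst"])
        actions[key].add(e["action"])
        images[key] = (e["src_img"], e["dst_img"])
    hits = []
    for (src, dst), acts in sorted(actions.items()):
        if {"write", "setctx"} <= acts:
            src_img, dst_img = images[(src, dst)]
            hits.append({
                "src": src, "dst": dst, "image": dst_img,
                "same_image": src_img.lower() == dst_img.lower(),  # self-hollowing
                "mapview": src in mapview_pids,  # injector also mapped a section
            })
    return hits


def suspicious_run_values(reg_events):
    """Run/RunOnce values whose launcher lives in user-writable AppData or whose
    quoted arguments point into a Temp directory (heuristic, editor's own)."""
    hits = []
    for path, data in reg_events:
        if not RUN_KEY_RE.search(path):
            continue
        if data.startswith('"'):
            launcher = data[1:data.index('"', 1)]
        else:
            launcher = data.split(" ", 1)[0]
        args = re.findall(r'"([^"]*)"', data)
        reasons = []
        if USER_WRITABLE_RE.search(launcher):
            reasons.append("launcher under user-writable AppData")
        if any(TEMP_RE.search(a) for a in args):
            reasons.append("argument points into a Temp directory")
        if reasons:
            hits.append({"value": path.rsplit("\\", 1)[1],
                         "launcher": launcher, "reasons": reasons})
    return hits


def summarize(text=PROCESS_EVENTS, mapview=MAPVIEW_PIDS, reg=REGISTRY_EVENTS):
    """One line per finding, suitable for a triage note."""
    lines = []
    for h in find_hollowing(parse_process_events(text), mapview):
        flags = [f for f in ("same_image", "mapview") if h[f]]
        lines.append(f"hollowing: {h['src']} -> {h['dst']} ({h['image']}) {flags}")
    for r in suspicious_run_values(reg):
        lines.append(f"persistence: Run\\{r['value']} -> {r['launcher']}; "
                     + "; ".join(r["reasons"]))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run against the report's events this yields exactly two findings: the 316 → 928 self-hollowing (same image, section mapped) and the uhjd autorun. The 744 → 316 and 928 → 320 writes are deliberately not reported, which is the point of requiring the write and the thread-context reset to come from the same source.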
Processes
-
C:\Users\Admin\AppData\Local\Temp\Grafinger-CVE2-530334.exe  (PID 744, depth 1)
"C:\Users\Admin\AppData\Local\Temp\Grafinger-CVE2-530334.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe  (PID 316, depth 2)
  "C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe  (PID 928, depth 3)
    "C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\WerFault.exe  (PID 320, depth 4)
      C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 36
      - Loads dropped DLL
      - Program crash
The PIDs are taken from the signature tables above. Both copies of zyvnwa.exe are started with the dropped fwzirnlxdnc.hzv as their only argument; the second copy is the hollowed child. WerFault's -p 928 names that child as the crashed process, and the fact that the SysWOW64 WerFault was invoked means PID 928 is a 32-bit process on this x64 image, consistent with the arch:x86 resource tag.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
Filesize  7KB
MD5       c635a7d44ed783fd6eaa8793f520770c
SHA1      d30c3ded3a72b62ed695078a5fd3889ac232628c
SHA256    d5cfc135d2d1e886ef30b01811e70c5e7a30f51df6eb81b5e88d101c0671a982
SHA512    22abbcbe4baa42af1d6ac502b242f37fdd4274ca44201478961f1c6628b1b369955c563b428bed82c63a5e50a3f9d9778e00e672fc588ca078b4245c6d9a7c05
-
C:\Users\Admin\AppData\Local\Temp\helxebqi.pe
Filesize  185KB
MD5       732d96062d170b775e1480fe52604830
SHA1      8840025a51a7ed9db1e629c7206d7f4f62231c36
SHA256    e9264ef44e3ee51c13cb2544277d1ee5a8b3056be2a61f1b5df801dcaa4b926d
SHA512    89fee4787b1b1a74136708a67431d45d3f4dcbb55f7c8e68fc7852f94a3cb864ef54d5c32e2008257540cac094d8fca339199aa658913e6cef630a4cbf64a252
-
C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
(recorded three times under this path and five more times as \Users\Admin\AppData\Local\Temp\zyvnwa.exe; every entry carries the same size and hashes)
Filesize  7KB
MD5       44714ec2edf686986c29dfc74912fdd3
SHA1      1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395
SHA256    192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae
SHA512    c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19
-
memory/316-56-0x0000000000000000-mapping.dmp
-
memory/320-65-0x0000000000000000-mapping.dmp
-
memory/744-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
Filesize  8KB
-
memory/928-63-0x00000000000812B0-mapping.dmp