Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
22-11-2022 09:29
Static task
static1
Behavioral task
behavioral1
Sample
Grafinger-CVE2-530334.exe
Resource
win7-20221111-en
General
-
Target
Grafinger-CVE2-530334.exe
-
Size
291KB
-
MD5
d7647797381bfa84ccd377fb5d1a6f34
-
SHA1
d0b980c107e2e20f9494b7fa534366db2a7e9a78
-
SHA256
4e099dee4b6248ffd4a4a86bee02311e91b065143138b6bd87e1fb5bb882bcd7
-
SHA512
a947ee1293ca383d83b03806b49951182b634a4429b9e76094c0d27b5e52fdaadd0e4e0340ced26ed7b5d91d22e575f58ec32d7e1a0c26671674b110dbb14d3c
-
SSDEEP
6144:+Ea0JTBoewUWcWkZGdREaQlCT/T++K3l5tP:lTBXwUWlk84tsC+AV
Malware Config
Extracted
formbook
g2dc
OqIwFVmXHnPUgdurr7I=
0YwewYtWNLZdkF7Q
HFT6VwOYdkifOpbT1h9DcYQ=
D+zGTvGlpriTumzBbw==
gMSID89/QqMV8yjH
HN5/g0/3yJBsnZCig9Qf
Hl33xdRU8xaC1rY=
/rhq03DorPAUH2bSp6228fGQ
gBwzCyfHge9SumzBbw==
NuOmK9+fenLQa9urr7I=
cA4+yKM4IQjpFwMt1BQEUJ1q6y0=
gpK3pqdoVNu93yS0uhocUtQmtQ==
3i3tx82Rf7yQdIyeprA=
FTo+4qVlVK7gIgxi0g3bUA==
7kDtq4wo6+cV8yjH
Dc123pIo9vcNuR9pwkQ0pPpHvQ==
KYREtH0zKNiI374=
Tok2qF4n2XOiRw==
DYFtA6ZXUJfA3MLhRtTVTQ==
C8poIeeskBCxEYHIbQ==
SphQtzv393fpQTmDIBvxFxyuxIK4BJWOUA==
AB4x79KRi4GW5kKig9Qf
IVcHfD3hpGSLl9+IRtTVTQ==
PzAWlDfYi/FTumzBbw==
c8KfRhi+nW2XvNurr7I=
UsixbWn3uiCIyfadTEkZUtQmtQ==
g4pzHPfEqsDb8rw=
r0hgJQncv5PCYr9RvAvxdJM=
yFlw1kAR9tY=
SVpSBeSERrimumzBbw==
uppZPE0xxRFA2yhWqvDARw==
zRjhy+RmLa2WDW7Sp6228fGQ
liYa0MmYn+0fseEDsP5EgcEftw==
MH4a78axhU2Gydurr7I=
2UQv2aEq56DO6iHF
CFomvat2Vcmz09urr7I=
q2kjkxkeyEk/k++FRtTVTQ==
BG5M2sVYFP1V7UOig9Qf
+ibWP/CKeEBw/kaig9Qf
+UsepVwfAGme8WWvyx9DcYQ=
zHJ/UmYN3lGOrY+sNUUaUtQmtQ==
A9rJR+iHRJ8V8yjH
f1c45sZoONiI374=
TaiXlThWwWrIWg==
Gno6rEkmp43vR3d+pas=
YBKzbS8Bi+0Zo/+psqY=
fygs4+dfFHRSbaE+dLAcexvc6t1n
QvyqxGh3/kh3mYnP
ZPYN3O+UTaMV8yjH
hItu96hZQKPkgrjbRtTVTQ==
gYpp/ZKAQpnIWQ==
ryD0gz7Ih29Zh2y3YGI8u/hFFEWMlw==
o1Twr45FQSldcrwZvP8OUtQmtQ==
4QL6n3gqFwRwAkaig9Qf
kN++Zyvv6yJ6ydurr7I=
SdK4Rv6Qb8w4euccuaU=
ve5+E9JwSEMjOWfxfILEq9CY
P6aMLe6ofmKIoO0U2SmtHYI=
8+bJXD3UknPOa9urr7I=
QPyWSRCfXL+mumzBbw==
8ejIbB/mp6G66Ankdw==
n96ZDb2Ab8j2gtYe4x9DcYQ=
XmRT2XUg/1w+Wn1hdH3FMIw=
LN6J745INyFTPR9kCRUX
yogaguerilla.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
1920 zyvnwa.exe
1428 zyvnwa.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation zyvnwa.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhjd = "C:\\Users\\Admin\\AppData\\Roaming\\cfugdnextqlgxw\\ijykjqpxoqu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zyvnwa.exe\" C:\\Users\\Admin\\AppDat" zyvnwa.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description pid process target process
PID 1920 set thread context of 1428 1920 zyvnwa.exe zyvnwa.exe
PID 1428 set thread context of 684 1428 zyvnwa.exe Explorer.EXE
PID 3264 set thread context of 684 3264 raserver.exe Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description ioc process
Key created \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 raserver.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid process
1428 zyvnwa.exe (8 entries)
3264 raserver.exe (54 entries; 62 IoCs in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
684 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid process
1920 zyvnwa.exe (1 entry)
1428 zyvnwa.exe (3 entries)
3264 raserver.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1428 zyvnwa.exe
Token: SeDebugPrivilege 3264 raserver.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description pid process target process
PID 764 wrote to memory of 1920 764 Grafinger-CVE2-530334.exe zyvnwa.exe (3 entries)
PID 1920 wrote to memory of 1428 1920 zyvnwa.exe zyvnwa.exe (4 entries)
PID 684 wrote to memory of 3264 684 Explorer.EXE raserver.exe (3 entries)
PID 3264 wrote to memory of 2044 3264 raserver.exe Firefox.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\Grafinger-CVE2-530334.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Grafinger-CVE2-530334.exe"
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    -
      C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      -
  C:\Windows\SysWOW64\raserver.exe (depth 2)
  Command line: "C:\Windows\SysWOW64\raserver.exe"
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
    Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
Filesize
7KB
MD5
c635a7d44ed783fd6eaa8793f520770c
SHA1
d30c3ded3a72b62ed695078a5fd3889ac232628c
SHA256
d5cfc135d2d1e886ef30b01811e70c5e7a30f51df6eb81b5e88d101c0671a982
SHA512
22abbcbe4baa42af1d6ac502b242f37fdd4274ca44201478961f1c6628b1b369955c563b428bed82c63a5e50a3f9d9778e00e672fc588ca078b4245c6d9a7c05
-
C:\Users\Admin\AppData\Local\Temp\helxebqi.pe
Filesize
185KB
MD5
732d96062d170b775e1480fe52604830
SHA1
8840025a51a7ed9db1e629c7206d7f4f62231c36
SHA256
e9264ef44e3ee51c13cb2544277d1ee5a8b3056be2a61f1b5df801dcaa4b926d
SHA512
89fee4787b1b1a74136708a67431d45d3f4dcbb55f7c8e68fc7852f94a3cb864ef54d5c32e2008257540cac094d8fca339199aa658913e6cef630a4cbf64a252
-
C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB
MD5
44714ec2edf686986c29dfc74912fdd3
SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395
SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae
SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19
-
memory/684-143-0x00000000081F0000-0x000000000831F000-memory.dmp
Filesize
1.2MB
-
memory/684-153-0x0000000008320000-0x0000000008437000-memory.dmp
Filesize
1.1MB
-
memory/684-151-0x0000000008320000-0x0000000008437000-memory.dmp
Filesize
1.1MB
-
memory/1428-142-0x0000000000DF0000-0x0000000000E00000-memory.dmp
Filesize
64KB
-
memory/1428-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/1428-140-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize
184KB
-
memory/1428-137-0x0000000000000000-mapping.dmp
-
memory/1428-145-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/1428-146-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize
184KB
-
memory/1428-141-0x0000000001760000-0x0000000001AAA000-memory.dmp
Filesize
3.3MB
-
memory/1920-132-0x0000000000000000-mapping.dmp
-
memory/3264-148-0x0000000000E50000-0x0000000000E7D000-memory.dmp
Filesize
180KB
-
memory/3264-149-0x0000000002DE0000-0x000000000312A000-memory.dmp
Filesize
3.3MB
-
memory/3264-150-0x0000000002C10000-0x0000000002C9F000-memory.dmp
Filesize
572KB
-
memory/3264-147-0x0000000000F30000-0x0000000000F4F000-memory.dmp
Filesize
124KB
-
memory/3264-152-0x0000000000E50000-0x0000000000E7D000-memory.dmp
Filesize
180KB
-
memory/3264-144-0x0000000000000000-mapping.dmp