0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc

General

Target

0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe
Size

299KB
MD5

fadfeb880e28f7555c0f3838b299c4d1
SHA1

398d121edf1d586100f20f5a890c094cad4b149f
SHA256

0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc
SHA512

58d62225d7f7c33088a8488a902f0746d8ec3d743ccecfd968d10819043a5ad20847400cec9908ad65bdfcd81bd5a3b7716cf2cfa3fd9005a49afd3b0592e30b
SSDEEP

6144:reQAVm8Sh2CA+dXwj4T9L0/KjHDKtcVypWujFC7QS9j:reQAVm8C2B+d2SpDDhQWuRC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dnvozbyevp.exe

pid process

1336 dnvozbyevp.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1296 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exednvozbyevp.exe

pid process

1296 cmd.exe
1296 cmd.exe
1336 dnvozbyevp.exe

pid	process
1336	dnvozbyevp.exe

pid	process
1296	cmd.exe

pid	process
1296	cmd.exe
1296	cmd.exe
1336	dnvozbyevp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1472 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

760 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1472 taskkill.exe

pid	process
1472	taskkill.exe

pid	process
760	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1472	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 1296	2020	0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe	cmd.exe
PID 2020 wrote to memory of 1296	2020	0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe	cmd.exe
PID 2020 wrote to memory of 1296	2020	0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe	cmd.exe
PID 2020 wrote to memory of 1296	2020	0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe	cmd.exe
PID 1296 wrote to memory of 1472	1296	cmd.exe	taskkill.exe
PID 1296 wrote to memory of 1472	1296	cmd.exe	taskkill.exe
PID 1296 wrote to memory of 1472	1296	cmd.exe	taskkill.exe
PID 1296 wrote to memory of 1472	1296	cmd.exe	taskkill.exe
PID 1296 wrote to memory of 760	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 760	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 760	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 760	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1336	1296	cmd.exe	dnvozbyevp.exe
PID 1296 wrote to memory of 1336	1296	cmd.exe	dnvozbyevp.exe
PID 1296 wrote to memory of 1336	1296	cmd.exe	dnvozbyevp.exe
PID 1296 wrote to memory of 1336	1296	cmd.exe	dnvozbyevp.exe

C:\Users\Admin\AppData\Local\Temp\0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe
"C:\Users\Admin\AppData\Local\Temp\0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2020 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc.exe" & start C:\Users\Admin\AppData\Local\DNVOZB~1.EXE -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 2020
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:760

C:\Users\Admin\AppData\Local\dnvozbyevp.exe
C:\Users\Admin\AppData\Local\DNVOZB~1.EXE -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dnvozbyevp.exe
Filesize
299KB

MD5
fadfeb880e28f7555c0f3838b299c4d1

SHA1
398d121edf1d586100f20f5a890c094cad4b149f

SHA256
0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc

SHA512
58d62225d7f7c33088a8488a902f0746d8ec3d743ccecfd968d10819043a5ad20847400cec9908ad65bdfcd81bd5a3b7716cf2cfa3fd9005a49afd3b0592e30b

Download Submit
C:\Users\Admin\AppData\Local\dnvozbyevp.exe
Filesize
299KB

MD5
fadfeb880e28f7555c0f3838b299c4d1

SHA1
398d121edf1d586100f20f5a890c094cad4b149f

SHA256
0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc

SHA512
58d62225d7f7c33088a8488a902f0746d8ec3d743ccecfd968d10819043a5ad20847400cec9908ad65bdfcd81bd5a3b7716cf2cfa3fd9005a49afd3b0592e30b

Download Submit
\Users\Admin\AppData\Local\dnvozbyevp.exe
Filesize
299KB

MD5
fadfeb880e28f7555c0f3838b299c4d1

SHA1
398d121edf1d586100f20f5a890c094cad4b149f

SHA256
0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc

SHA512
58d62225d7f7c33088a8488a902f0746d8ec3d743ccecfd968d10819043a5ad20847400cec9908ad65bdfcd81bd5a3b7716cf2cfa3fd9005a49afd3b0592e30b

Download Submit
\Users\Admin\AppData\Local\dnvozbyevp.exe
Filesize
299KB

MD5
fadfeb880e28f7555c0f3838b299c4d1

SHA1
398d121edf1d586100f20f5a890c094cad4b149f

SHA256
0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc

SHA512
58d62225d7f7c33088a8488a902f0746d8ec3d743ccecfd968d10819043a5ad20847400cec9908ad65bdfcd81bd5a3b7716cf2cfa3fd9005a49afd3b0592e30b

Download Submit
\Users\Admin\AppData\Local\dnvozbyevp.exe
Filesize
299KB

MD5
fadfeb880e28f7555c0f3838b299c4d1

SHA1
398d121edf1d586100f20f5a890c094cad4b149f

SHA256
0378500775181fc36bcfb3dc440396e1e06307d97829a85b329e84c975085bcc

SHA512
58d62225d7f7c33088a8488a902f0746d8ec3d743ccecfd968d10819043a5ad20847400cec9908ad65bdfcd81bd5a3b7716cf2cfa3fd9005a49afd3b0592e30b

Download Submit
memory/760-60-0x0000000000000000-mapping.dmp

Download
memory/1296-57-0x0000000000000000-mapping.dmp

Download
memory/1336-64-0x0000000000000000-mapping.dmp

Download
memory/1336-70-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1336-71-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1336-72-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1472-59-0x0000000000000000-mapping.dmp

Download
memory/2020-58-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing