Analysis
max time kernel: 153s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 07:14
Static task: static1
Behavioral task: behavioral1
  Sample: b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5.exe
  Resource: win10v2004-20220901-en
General
Target: b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5.exe
Size: 303KB
MD5: eebc5a980cd2210467bb1e98dd6fa04c
SHA1: 2cecd2160cd49f77f5490f827d3ab37bc135773c
SHA256: b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5
SHA512: 104d18d3d1cc9a58fdb812f9f6dffb2b3b2c0551ec2d034f8621332b2facf3a8807dd6129d7e40f8407061a46a845bb34d5207411384246601f6af718af412b3
SSDEEP: 6144:IOoTwQoCj3kuQbuuBm5Edp7C87z+XE3rvhe:awQoE3GbIE7CozqIhe
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: olvet.exe (PID 548)
Deletes itself (1 IoC)
  Process: cmd.exe (PID 1320)
Loads dropped DLL (3 IoCs)
  Processes: cmd.exe (PID 1320), cmd.exe (PID 1320), olvet.exe (PID 548)
Adds Run key to start application (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Process: b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 1736)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (49 IoCs)
  Process: olvet.exe (PID 548), 49 events
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: taskkill.exe (PID 1736), Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (4 IoCs)
  Process: olvet.exe (PID 548), 4 events
Suspicious use of SendNotifyMessage (4 IoCs)
  Process: olvet.exe (PID 548), 4 events
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1928 (b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5.exe) wrote to memory of PID 1320 (cmd.exe), 4 events
  PID 1320 (cmd.exe) wrote to memory of PID 1736 (taskkill.exe), 4 events
  PID 1320 (cmd.exe) wrote to memory of PID 1712 (PING.EXE), 4 events
  PID 1320 (cmd.exe) wrote to memory of PID 548 (olvet.exe), 4 events
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1928 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5.exe" & start C:\Users\Admin\AppData\Local\olvet.exe -f
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 1928
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      - Runs ping.exe
    Depth 3: C:\Users\Admin\AppData\Local\olvet.exe
      Command line: C:\Users\Admin\AppData\Local\olvet.exe -f
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\olvet.exe
  Filesize: 303KB
  MD5: eebc5a980cd2210467bb1e98dd6fa04c
  SHA1: 2cecd2160cd49f77f5490f827d3ab37bc135773c
  SHA256: b0a9402a6567ca14f773c9ef6f5e8b657a881dec93ffdd23ed8f78be95d81fd5
  SHA512: 104d18d3d1cc9a58fdb812f9f6dffb2b3b2c0551ec2d034f8621332b2facf3a8807dd6129d7e40f8407061a46a845bb34d5207411384246601f6af718af412b3
memory/548-65-0x0000000000000000-mapping.dmp
memory/548-71-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)
memory/548-70-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)
memory/1320-58-0x0000000000000000-mapping.dmp
memory/1712-61-0x0000000000000000-mapping.dmp
memory/1736-60-0x0000000000000000-mapping.dmp
memory/1928-56-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)
memory/1928-55-0x0000000075E11000-0x0000000075E13000-memory.dmp (Filesize: 8KB)
memory/1928-57-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)
memory/1928-54-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)
memory/1928-59-0x0000000001000000-0x00000000010A6000-memory.dmp (Filesize: 664KB)