4a0f5f393b9b5ec51e24b1feb5ac4239ea144960d25825e1dd5f3af02858cc2c

Analysis

max time kernel
34s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MV DOOYANG TBN PARTICULARS.exe
Size

259KB
MD5

571c086c113946c6bede6590548a96d1
SHA1

f03b3c1cf890d22df72094e3df466d141a0226b5
SHA256

4a0f5f393b9b5ec51e24b1feb5ac4239ea144960d25825e1dd5f3af02858cc2c
SHA512

9917251bfc52dc8ba6788aecee9a149340c30b73565598c22d28a6d1a34d5e7357a4b4812429965b1d3f58ad904dad4902d06762dcbe25adcdce83d900e27f1a
SSDEEP

6144:1BnqxnIIw4bDUEDTIg826uyIM42tgpouzDPDxm:yxnIN43UHzDucgi0PDxm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vvyzzbuuw.exe

pid process

1080 vvyzzbuuw.exe
Loads dropped DLL 1 IoCs

Processes:

MV DOOYANG TBN PARTICULARS.exe

pid process

1476 MV DOOYANG TBN PARTICULARS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1080	vvyzzbuuw.exe

pid	process
1476	MV DOOYANG TBN PARTICULARS.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

MV DOOYANG TBN PARTICULARS.exe

description	pid	process	target process
PID 1476 wrote to memory of 1080	1476	MV DOOYANG TBN PARTICULARS.exe	vvyzzbuuw.exe
PID 1476 wrote to memory of 1080	1476	MV DOOYANG TBN PARTICULARS.exe	vvyzzbuuw.exe
PID 1476 wrote to memory of 1080	1476	MV DOOYANG TBN PARTICULARS.exe	vvyzzbuuw.exe
PID 1476 wrote to memory of 1080	1476	MV DOOYANG TBN PARTICULARS.exe	vvyzzbuuw.exe

C:\Users\Admin\AppData\Local\Temp\MV DOOYANG TBN PARTICULARS.exe
"C:\Users\Admin\AppData\Local\Temp\MV DOOYANG TBN PARTICULARS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\vvyzzbuuw.exe
"C:\Users\Admin\AppData\Local\Temp\vvyzzbuuw.exe" C:\Users\Admin\AppData\Local\Temp\begdxlgnc.tn
2⤵
- Executes dropped EXE
PID:1080

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vvyzzbuuw.exe
Filesize
122KB

MD5
d812391fdc0465fbc9c146cdc5f395dd

SHA1
34142e8c93ae1b5a58b62f3f21209ac7d81c66f3

SHA256
18f18e2e328bc1bd498d23fd35574f955164ac2a2b92d31854a16e7dfa7c384b

SHA512
99e565c50edd53909b28e802fd7094d28a3265eef66af94fc0f09b0e8fd926c55912b49aa53d53d8af2645165c2a04dff1aaf41f04d3df6eddccf2639e3ef26a

Download Submit
\Users\Admin\AppData\Local\Temp\vvyzzbuuw.exe
Filesize
122KB

MD5
d812391fdc0465fbc9c146cdc5f395dd

SHA1
34142e8c93ae1b5a58b62f3f21209ac7d81c66f3

SHA256
18f18e2e328bc1bd498d23fd35574f955164ac2a2b92d31854a16e7dfa7c384b

SHA512
99e565c50edd53909b28e802fd7094d28a3265eef66af94fc0f09b0e8fd926c55912b49aa53d53d8af2645165c2a04dff1aaf41f04d3df6eddccf2639e3ef26a

Download Submit
memory/1080-56-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download