6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe
Size

163KB
MD5

83cf3a4dd34a2b2e3006cc01833a0867
SHA1

3d01254a2146c656f033a4091709a64bb9969c21
SHA256

6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6
SHA512

bbd0ca0c1c7e027a71de181475ba8f5c89ba0b457a0b563a267acdc59048a1b9bf3023efd99c5ad2a8c257d63256d6be42c4adb8e3238b043ccd16466476607c
SSDEEP

3072:dBAp5XhKpN4eOyVTGfhEClj8jTk+0hB6Z66xSo9:YbXE9OiTGfhEClq9i6Mw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	844	WScript.exe
5	844	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\rhv\rhv\kust.txt	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe
File opened for modification	C:\Program Files (x86)\rhv\rhv\kokolok.txt	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe
File opened for modification	C:\Program Files (x86)\rhv\rhv\na1111111111111ki.bat	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe
File opened for modification	C:\Program Files (x86)\rhv\rhv\no111111111ri.vbs	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1768	956	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe	28
PID 956 wrote to memory of 1768	956	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe	28
PID 956 wrote to memory of 1768	956	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe	28
PID 956 wrote to memory of 1768	956	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe	28
PID 956 wrote to memory of 844	956	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe	30
PID 956 wrote to memory of 844	956	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe	30
PID 956 wrote to memory of 844	956	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe	30
PID 956 wrote to memory of 844	956	6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe	30

C:\Users\Admin\AppData\Local\Temp\6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe
"C:\Users\Admin\AppData\Local\Temp\6b7378a7adf81be5277494a8ed42c0aa515b00290932cb24f991400e394b94c6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\rhv\rhv\na1111111111111ki.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\rhv\rhv\no111111111ri.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\rhv\rhv\kokolok.txt

Filesize
1B

MD5
fc1262746424402278e88f6c1f02f581

SHA1
77ac341feebeb7c0a7ff8f9c6540531500693bac

SHA256
94455e3ed9f716bea425ef99b51fae47128769a1a0cd04244221e4e14631ab83

SHA512
f9cd8ac2f900da287babe09ec5a017506809531fa60d273a75eb2d5c7d9ad2d7596b4deb3dfd01638295e06a572c306fc0014dd36def8aa6c72de426a9bacff6

Download Submit
C:\Program Files (x86)\rhv\rhv\kust.txt

Filesize
5B

MD5
052abf57dff9fa8e68dcadeca80ef1e9

SHA1
95952c9a592449ce9066131b58fed2daaa402c23

SHA256
92d6c70703603ae51d74dafe3c838ccb1cb675f9b0794159522910c02cf643b2

SHA512
7f8f3bd433fccde8860177a2726da0de52c76c7c41c4c2b0449068af519777ed0e114b79c558c2d4dcbdbcc49643a7f3bb5632c0002f8c7190bc7bc125ffcc0b

Download Submit
C:\Program Files (x86)\rhv\rhv\na1111111111111ki.bat

Filesize
6KB

MD5
58f6d82dcf4d8dee07fde10bcf72c362

SHA1
a9104d1d86b5a09f785010f5ecff5b311832d402

SHA256
b3fbd131c9057a66a62ed2781a448973995a179011d2f2e95fa5813073241d36

SHA512
f2723ba068375342373f4b1d8ae9590e32c51882cece68476b4250f4b3f0e215f1f16929065e81a888f7cc6002ee113ec54223cea613c32d78da422645888ac8

Download Submit
C:\Program Files (x86)\rhv\rhv\no111111111ri.vbs

Filesize
1KB

MD5
ff32b57ee311b3301346e880b001eb54

SHA1
7014121444b7caeda38a22dbc541439a7710f4f0

SHA256
8723cb9a91eafc626a06ed92e2edea38be57660fa07a4af6d273c1ea336ab531

SHA512
91a629d3946644c200846fe68dcebecf505598f48086682f81e7893240a5ed5818a6af9105ac2e80c35b4f02655eddbeb05e560648cc2a2e2743d9c7d9b1b95c

Download Submit
memory/956-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download