2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54

Analysis

max time kernel
102s
max time network
112s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe
Size

164KB
MD5

73e528627d92ef4353b1fe1747fe7396
SHA1

9c611a3abc95efc559d0b230d4bf70318b9953b4
SHA256

2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54
SHA512

153f5951b0d6bda3afe8225d2eb6c2c0b822a58b013051a01b8d28c146154c349cbd878a63047ef73fb64397add3783884ada94d6b332122344a17bb7e8875f1
SSDEEP

3072:2BAp5XhKpN4eOyVTGfhEClj8jTk+0hUlYJxp5++++++++H+++++++0G:tbXE9OiTGfhEClq99s5++++++++H+++r

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1180	WScript.exe
5	1180	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\rhv\rhv\na1111111111111ki.bat	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe
File opened for modification	C:\Program Files (x86)\rhv\rhv\no111111111ri.vbs	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe
File opened for modification	C:\Program Files (x86)\rhv\rhv\kust.txt	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe
File opened for modification	C:\Program Files (x86)\rhv\rhv\kokolok.txt	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 472	1252	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe	28
PID 1252 wrote to memory of 472	1252	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe	28
PID 1252 wrote to memory of 472	1252	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe	28
PID 1252 wrote to memory of 472	1252	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe	28
PID 1252 wrote to memory of 1180	1252	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe	30
PID 1252 wrote to memory of 1180	1252	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe	30
PID 1252 wrote to memory of 1180	1252	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe	30
PID 1252 wrote to memory of 1180	1252	2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe	30

C:\Users\Admin\AppData\Local\Temp\2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe
"C:\Users\Admin\AppData\Local\Temp\2f4959abf1dbf0873f6ae69964ad3716bd3637b1a01b9a6c245cb731dba0ce54.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\rhv\rhv\na1111111111111ki.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\rhv\rhv\no111111111ri.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\rhv\rhv\kokolok.txt

Filesize
1B

MD5
fc1262746424402278e88f6c1f02f581

SHA1
77ac341feebeb7c0a7ff8f9c6540531500693bac

SHA256
94455e3ed9f716bea425ef99b51fae47128769a1a0cd04244221e4e14631ab83

SHA512
f9cd8ac2f900da287babe09ec5a017506809531fa60d273a75eb2d5c7d9ad2d7596b4deb3dfd01638295e06a572c306fc0014dd36def8aa6c72de426a9bacff6

Download Submit
C:\Program Files (x86)\rhv\rhv\kust.txt

Filesize
5B

MD5
b2314fc8a64851b217f2813f16d67dc1

SHA1
4ae619701ecf0499738a2d1618d7b8259f680afb

SHA256
d53699594b57de27ad96ba4ff046cfdec8fd995f4a55851dc2b123ab1ad7dfe8

SHA512
8c5a78ddfbbaab6eadabcd48863cb88f66fb61f489c8d47709e1a1c73567c4a960cafd6753bfaec62e9e45258aca17cb0003fb7b3105e58cf38a16b6552d1e8f

Download Submit
C:\Program Files (x86)\rhv\rhv\na1111111111111ki.bat

Filesize
6KB

MD5
4a6b7292540af8e5968e2020f6548438

SHA1
3d124b0de8499f90bcbd01415f6930f300ba2980

SHA256
edc6438e321ae398b6b8921bc85ed50c75020611dd7ba1f8a94935feb55ab190

SHA512
b5e1e9cc3628977d5a4ada1bfce5dad6df65605fcc0bf71b95de0726679e98aa7c73f3228e570293afda5a4cdfe1faec86f9f96c55bd792576db5a6ec9dcf3ca

Download Submit
C:\Program Files (x86)\rhv\rhv\no111111111ri.vbs

Filesize
1KB

MD5
ff32b57ee311b3301346e880b001eb54

SHA1
7014121444b7caeda38a22dbc541439a7710f4f0

SHA256
8723cb9a91eafc626a06ed92e2edea38be57660fa07a4af6d273c1ea336ab531

SHA512
91a629d3946644c200846fe68dcebecf505598f48086682f81e7893240a5ed5818a6af9105ac2e80c35b4f02655eddbeb05e560648cc2a2e2743d9c7d9b1b95c

Download Submit
memory/1252-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download