85d6c9eac93fb8818d37dc15110ebd060b3e9df48043ee6bcf349df6aed047c5

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30571d64c9a9ed267159fa941a20840c.exe
Size

272KB
MD5

30571d64c9a9ed267159fa941a20840c
SHA1

bfb81d8a7c94781b3bd939bd17d500ae61b2ff70
SHA256

85d6c9eac93fb8818d37dc15110ebd060b3e9df48043ee6bcf349df6aed047c5
SHA512

5c8b708f3540b9347c36722934c8fc56098a94f8362688a8fa712da99e1b8c2564698eb0bed52e226cdfc40cf8b762e1860f6ea9928260e3f0f35bba9cfda82f
SSDEEP

6144:QBn10/UR088uiPuDtJWn42Isu/20+kfAZLrYdwMPTnDMiQH7oPo9:gWLuiPh4rZOH5ZL/MLn4REo9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hvbvmxm.exe

pid process

2044 hvbvmxm.exe
Loads dropped DLL 1 IoCs

Processes:

30571d64c9a9ed267159fa941a20840c.exe

pid process

2016 30571d64c9a9ed267159fa941a20840c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2044	hvbvmxm.exe

pid	process
2016	30571d64c9a9ed267159fa941a20840c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

30571d64c9a9ed267159fa941a20840c.exe

description	pid	process	target process
PID 2016 wrote to memory of 2044	2016	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 2016 wrote to memory of 2044	2016	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 2016 wrote to memory of 2044	2016	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 2016 wrote to memory of 2044	2016	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe

C:\Users\Admin\AppData\Local\Temp\30571d64c9a9ed267159fa941a20840c.exe
"C:\Users\Admin\AppData\Local\Temp\30571d64c9a9ed267159fa941a20840c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
"C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe" C:\Users\Admin\AppData\Local\Temp\ijamguwvje.h
2⤵
- Executes dropped EXE
PID:2044

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
Filesize
123KB

MD5
1eebbbd92b2c0c60f896ff8dcbcedcaa

SHA1
1291cc58a5664b1acd50d9fd8e0580c519190477

SHA256
01b2d4443c383f07ccf3ea521ae9502527eeedf352b92b90a382121b03992ec3

SHA512
67efa564f026094bec0a44aaf01fc8072412e6cdeff019631689254a996c8b06cd0ccccee64b3d70b847e9aca7c3dbcde327d0a822988cc5295847990a8d9215

Download Submit
\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
Filesize
123KB

MD5
1eebbbd92b2c0c60f896ff8dcbcedcaa

SHA1
1291cc58a5664b1acd50d9fd8e0580c519190477

SHA256
01b2d4443c383f07ccf3ea521ae9502527eeedf352b92b90a382121b03992ec3

SHA512
67efa564f026094bec0a44aaf01fc8072412e6cdeff019631689254a996c8b06cd0ccccee64b3d70b847e9aca7c3dbcde327d0a822988cc5295847990a8d9215

Download Submit
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000000000-mapping.dmp

Download