525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce

Analysis

max time kernel
190s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce.exe
Size

167KB
MD5

657be927db12ff12b3b21f333139a214
SHA1

478032cadfadf385ff12a2ed6442830cff61bded
SHA256

525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce
SHA512

2ed135d43646b1cfb9615c05ff0298e167b690ffff88dd5ce3282cf99829253f50a056dda0989f228600781cda603cbbac29d341a262a3dad90afc6426172eed
SSDEEP

3072:9YP2XerzhOUxu/XUtauOHgriEJPKuS/6mT4:9u2urzh9xu/XkauOArrUu/t

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3636	i.exe
3032	f.exe
4100	nvvtray.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	i.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	f.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe	f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe	f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe
4100	nvvtray.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3636	4452	525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce.exe	86
PID 4452 wrote to memory of 3636	4452	525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce.exe	86
PID 4452 wrote to memory of 3636	4452	525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce.exe	86
PID 3636 wrote to memory of 3032	3636	i.exe	87
PID 3636 wrote to memory of 3032	3636	i.exe	87
PID 3636 wrote to memory of 3032	3636	i.exe	87
PID 3032 wrote to memory of 4784	3032	f.exe	88
PID 3032 wrote to memory of 4784	3032	f.exe	88
PID 3032 wrote to memory of 4784	3032	f.exe	88
PID 3032 wrote to memory of 4100	3032	f.exe	90
PID 3032 wrote to memory of 4100	3032	f.exe	90
PID 3032 wrote to memory of 4100	3032	f.exe	90

C:\Users\Admin\AppData\Local\Temp\525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce.exe
"C:\Users\Admin\AppData\Local\Temp\525561244522246a144a2a315e6cc6c42b85783691262baacf7ff30e256214ce.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\i.exe
  "C:\Users\Admin\AppData\Local\Temp\i.exe" -pwr
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\f.exe
    "C:\Users\Admin\AppData\Local\Temp\f.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C echo>"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe:Zone.Identifier"
      4⤵
      Drops startup file
      PID:4784
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f.exe

Filesize
48KB

MD5
60b13ecdf6889b3de9a4d57552b75248

SHA1
12e3b4801e4be6ce0ed426e58e83581d41066250

SHA256
8324d97c09c98dae052e36578712fc8c2250d46fe99738917f68d38c77b8e764

SHA512
52b2809d0d80acec9a4fb403f5d80fb3b7d3cda22a54c97a693f04b244a29d16fecea76266167f4eb7f86d86c49b3a7b5e92601991605f521203e2d1ed081a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.exe

Filesize
48KB

MD5
60b13ecdf6889b3de9a4d57552b75248

SHA1
12e3b4801e4be6ce0ed426e58e83581d41066250

SHA256
8324d97c09c98dae052e36578712fc8c2250d46fe99738917f68d38c77b8e764

SHA512
52b2809d0d80acec9a4fb403f5d80fb3b7d3cda22a54c97a693f04b244a29d16fecea76266167f4eb7f86d86c49b3a7b5e92601991605f521203e2d1ed081a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\i.exe

Filesize
114KB

MD5
e10f28f542b7321f171feda54dc9c59f

SHA1
5f73f6b5bfc97dc723615b0eabc64baeaaa79eb1

SHA256
e5a871336504bc7a8a35baef797e7bc0d94b2642fe14ed7d0217f417a87c9d1a

SHA512
e86a330027562e1917a05be8fe584b8f1fa2847a8241735c59b82b7499fea0a84364a98c5c889427ef44f721dc53d9a2239ceab1849e7c64bc1b5fd53f4273aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\i.exe

Filesize
114KB

MD5
e10f28f542b7321f171feda54dc9c59f

SHA1
5f73f6b5bfc97dc723615b0eabc64baeaaa79eb1

SHA256
e5a871336504bc7a8a35baef797e7bc0d94b2642fe14ed7d0217f417a87c9d1a

SHA512
e86a330027562e1917a05be8fe584b8f1fa2847a8241735c59b82b7499fea0a84364a98c5c889427ef44f721dc53d9a2239ceab1849e7c64bc1b5fd53f4273aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe

Filesize
48KB

MD5
60b13ecdf6889b3de9a4d57552b75248

SHA1
12e3b4801e4be6ce0ed426e58e83581d41066250

SHA256
8324d97c09c98dae052e36578712fc8c2250d46fe99738917f68d38c77b8e764

SHA512
52b2809d0d80acec9a4fb403f5d80fb3b7d3cda22a54c97a693f04b244a29d16fecea76266167f4eb7f86d86c49b3a7b5e92601991605f521203e2d1ed081a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvvtray.exe

Filesize
48KB

MD5
60b13ecdf6889b3de9a4d57552b75248

SHA1
12e3b4801e4be6ce0ed426e58e83581d41066250

SHA256
8324d97c09c98dae052e36578712fc8c2250d46fe99738917f68d38c77b8e764

SHA512
52b2809d0d80acec9a4fb403f5d80fb3b7d3cda22a54c97a693f04b244a29d16fecea76266167f4eb7f86d86c49b3a7b5e92601991605f521203e2d1ed081a0e

Download Submit