Analysis
- max time kernel: 189s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2022, 18:35

Static task: static1

Behavioral task: behavioral1
- Sample: a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe
- Resource: win10v2004-20221111-en
General
- Target: a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe
- Size: 196KB
- MD5: a426ba5d126ddde014ed21f3d9389557
- SHA1: eebf33d738fe11666dafdf069bf16b943ebf6cb4
- SHA256: a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576
- SHA512: 15b13e58743020c9c42c67dcd77dd180cb830e42af141b31e111e98b2c68ef7805dcbc792bc014738f9d57ad73070844382bc9a5f078a02de56c9d84517a204e
- SSDEEP: 3072:emNGXPOxpg/3vjLXm0zMr+kdKgezl0Km6g63B5Fu+TsuZfq:H3g/3vHm0zMqhbBRwuZC
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
pid | Process
4432 | nrvrlb.exe

Modifies registry class (7 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | nrvrlb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} | nrvrlb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\zpzuw\\command | nrvrlb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | nrvrlb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\zpzuw | nrvrlb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\zpzuw | nrvrlb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell | nrvrlb.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
3816 | PING.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1672 wrote to memory of 3136 | 1672 | a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe | 81
PID 1672 wrote to memory of 3136 | 1672 | a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe | 81
PID 1672 wrote to memory of 3136 | 1672 | a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe | 81
PID 3136 wrote to memory of 4432 | 3136 | cmd.exe | 83
PID 3136 wrote to memory of 4432 | 3136 | cmd.exe | 83
PID 3136 wrote to memory of 4432 | 3136 | cmd.exe | 83
PID 3136 wrote to memory of 3816 | 3136 | cmd.exe | 84
PID 3136 wrote to memory of 3816 | 3136 | cmd.exe | 84
PID 3136 wrote to memory of 3816 | 3136 | cmd.exe | 84
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe"
  PID: 1672
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trzkvbw.bat
    PID: 3136
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\nrvrlb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nrvrlb.exe"
      PID: 4432
      - Executes dropped EXE
      - Modifies registry class

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3816
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 148KB
  MD5: 408b49c95999324084eac3934d46478b
  SHA1: db30949ad797fbae725315753e62e4c2fdd1a22f
  SHA256: 0e80ad8c6d598913fbef94177545e405691dd7f891820b44699f25e211774e5a
  SHA512: f6fb019fe81b797e5cdd3547b665de1f9e742dd99c2d29b8f84456bb753bbebeca9bc3cb971c7a29cefde18e07b5ae20c566708b925aac4e1634835854315658
- Filesize: 188B
  MD5: b5fbdd92db4dc9ca105d3ad3e1979e97
  SHA1: 85c247fee58f400bf1fd140b4dd17a4e60327e91
  SHA256: aa2fb31577cb8fa238cdd4b23441354bf4cdedeb44b2719dd315fafbd067e292
  SHA512: c48d71ae4e6a9a0a64b9dd0948810869417491d270fedebee5eb59d20ce155f0166883203b360a73fa2af75a1d099eaa1390770614af99cc9b8c5ff4828a8f9b

- Filesize: 124B
  MD5: 36b2e5aa2c9113c69cc44444aa07a2af
  SHA1: 3e5c8f56960ee073949f073632a70fc647d4774b
  SHA256: 140397326611145fb59350ed1abb7a15b05bd35c07db126d5769eeab0202811a
  SHA512: 58a92e0475baf7d4d9023d5ae8ff28c872bdefe3617cfcd10641092d7ac7359ed5a312e163d84373cf4b9bf768a2fc1b62e1a8f713597e7922802c669bf1bc34