a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576

Analysis

max time kernel
189s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe
Size

196KB
MD5

a426ba5d126ddde014ed21f3d9389557
SHA1

eebf33d738fe11666dafdf069bf16b943ebf6cb4
SHA256

a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576
SHA512

15b13e58743020c9c42c67dcd77dd180cb830e42af141b31e111e98b2c68ef7805dcbc792bc014738f9d57ad73070844382bc9a5f078a02de56c9d84517a204e
SSDEEP

3072:emNGXPOxpg/3vjLXm0zMr+kdKgezl0Km6g63B5Fu+TsuZfq:H3g/3vHm0zMqhbBRwuZC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4432	nrvrlb.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	nrvrlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	nrvrlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\zpzuw\\command	nrvrlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	nrvrlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\zpzuw	nrvrlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\zpzuw	nrvrlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	nrvrlb.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3816	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3136	1672	a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe	81
PID 1672 wrote to memory of 3136	1672	a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe	81
PID 1672 wrote to memory of 3136	1672	a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe	81
PID 3136 wrote to memory of 4432	3136	cmd.exe	83
PID 3136 wrote to memory of 4432	3136	cmd.exe	83
PID 3136 wrote to memory of 4432	3136	cmd.exe	83
PID 3136 wrote to memory of 3816	3136	cmd.exe	84
PID 3136 wrote to memory of 3816	3136	cmd.exe	84
PID 3136 wrote to memory of 3816	3136	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe
"C:\Users\Admin\AppData\Local\Temp\a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\trzkvbw.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\nrvrlb.exe
    "C:\Users\Admin\AppData\Local\Temp\nrvrlb.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4432
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nrvrlb.exe

Filesize
148KB

MD5
408b49c95999324084eac3934d46478b

SHA1
db30949ad797fbae725315753e62e4c2fdd1a22f

SHA256
0e80ad8c6d598913fbef94177545e405691dd7f891820b44699f25e211774e5a

SHA512
f6fb019fe81b797e5cdd3547b665de1f9e742dd99c2d29b8f84456bb753bbebeca9bc3cb971c7a29cefde18e07b5ae20c566708b925aac4e1634835854315658

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrvrlb.exe

Filesize
148KB

MD5
408b49c95999324084eac3934d46478b

SHA1
db30949ad797fbae725315753e62e4c2fdd1a22f

SHA256
0e80ad8c6d598913fbef94177545e405691dd7f891820b44699f25e211774e5a

SHA512
f6fb019fe81b797e5cdd3547b665de1f9e742dd99c2d29b8f84456bb753bbebeca9bc3cb971c7a29cefde18e07b5ae20c566708b925aac4e1634835854315658

Download Submit
C:\Users\Admin\AppData\Local\Temp\swfigb.bat

Filesize
188B

MD5
b5fbdd92db4dc9ca105d3ad3e1979e97

SHA1
85c247fee58f400bf1fd140b4dd17a4e60327e91

SHA256
aa2fb31577cb8fa238cdd4b23441354bf4cdedeb44b2719dd315fafbd067e292

SHA512
c48d71ae4e6a9a0a64b9dd0948810869417491d270fedebee5eb59d20ce155f0166883203b360a73fa2af75a1d099eaa1390770614af99cc9b8c5ff4828a8f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\trzkvbw.bat

Filesize
124B

MD5
36b2e5aa2c9113c69cc44444aa07a2af

SHA1
3e5c8f56960ee073949f073632a70fc647d4774b

SHA256
140397326611145fb59350ed1abb7a15b05bd35c07db126d5769eeab0202811a

SHA512
58a92e0475baf7d4d9023d5ae8ff28c872bdefe3617cfcd10641092d7ac7359ed5a312e163d84373cf4b9bf768a2fc1b62e1a8f713597e7922802c669bf1bc34

Download Submit