3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0c275ebd1005a313b20dd27ea739dcb.exe
Size

414KB
MD5

a0c275ebd1005a313b20dd27ea739dcb
SHA1

4c7fb52d3129f485919cf8dd2d8ea3f665e0a6b9
SHA256

3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d
SHA512

19746c6270d4e54827488b31fa856286e81370c124c2f99b6fddc07311b62baf8969f5bbe433c891f921771e2aa912ad79e5015b97d247600b13eb844c467e6b
SSDEEP

6144:PBnxm/hZudIIuLplWND4YOSAsRJVWMmH/w/dv4e6Hc+2u:LzdIZplW94YzAIJ0MT/ucPu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

zgovbtz.exezgovbtz.exe

pid process

1116 zgovbtz.exe
284 zgovbtz.exe
Loads dropped DLL 5 IoCs

Processes:

a0c275ebd1005a313b20dd27ea739dcb.exezgovbtz.exeWerFault.exe

pid process

1468 a0c275ebd1005a313b20dd27ea739dcb.exe
1116 zgovbtz.exe
576 WerFault.exe
576 WerFault.exe
576 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

zgovbtz.exe

description pid process target process

PID 1116 set thread context of 284 1116 zgovbtz.exe zgovbtz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

576 284 WerFault.exe zgovbtz.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

zgovbtz.exe

pid process

1116 zgovbtz.exe
1116 zgovbtz.exe

pid	process
1116	zgovbtz.exe
284	zgovbtz.exe

pid	process
1468	a0c275ebd1005a313b20dd27ea739dcb.exe
1116	zgovbtz.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe

description	pid	process	target process
PID 1116 set thread context of 284	1116	zgovbtz.exe	zgovbtz.exe

pid	pid_target	process	target process
576	284	WerFault.exe	zgovbtz.exe

pid	process
1116	zgovbtz.exe
1116	zgovbtz.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

a0c275ebd1005a313b20dd27ea739dcb.exezgovbtz.exezgovbtz.exe

description	pid	process	target process
PID 1468 wrote to memory of 1116	1468	a0c275ebd1005a313b20dd27ea739dcb.exe	zgovbtz.exe
PID 1468 wrote to memory of 1116	1468	a0c275ebd1005a313b20dd27ea739dcb.exe	zgovbtz.exe
PID 1468 wrote to memory of 1116	1468	a0c275ebd1005a313b20dd27ea739dcb.exe	zgovbtz.exe
PID 1468 wrote to memory of 1116	1468	a0c275ebd1005a313b20dd27ea739dcb.exe	zgovbtz.exe
PID 1116 wrote to memory of 284	1116	zgovbtz.exe	zgovbtz.exe
PID 1116 wrote to memory of 284	1116	zgovbtz.exe	zgovbtz.exe
PID 1116 wrote to memory of 284	1116	zgovbtz.exe	zgovbtz.exe
PID 1116 wrote to memory of 284	1116	zgovbtz.exe	zgovbtz.exe
PID 1116 wrote to memory of 284	1116	zgovbtz.exe	zgovbtz.exe
PID 284 wrote to memory of 576	284	zgovbtz.exe	WerFault.exe
PID 284 wrote to memory of 576	284	zgovbtz.exe	WerFault.exe
PID 284 wrote to memory of 576	284	zgovbtz.exe	WerFault.exe
PID 284 wrote to memory of 576	284	zgovbtz.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a0c275ebd1005a313b20dd27ea739dcb.exe
"C:\Users\Admin\AppData\Local\Temp\a0c275ebd1005a313b20dd27ea739dcb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
"C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe" C:\Users\Admin\AppData\Local\Temp\ahbdus.k
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
"C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 284 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahbdus.k
Filesize
5KB

MD5
533b564dd4c64c19e3b7d860f03801a6

SHA1
745a017c6f1e58a6b7bea787eb3a20597c17fb62

SHA256
25a5b8a00567719024844286427f3fd986a6f72b4ed826bbae58d882c20fd3cd

SHA512
e1450a5ea0156db8cb02f359964ba1d279fcd0b8e60c30b8b39b51771e7da0b823a39fa2edcd184bc00152612fa1ae50e1304e7a8fb337102f33455df6372ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnfoo.p
Filesize
185KB

MD5
0fd8fad06f5a97c481fbbb60828d686e

SHA1
eab488ae696a31dbd02c959662e356612d5c4c40

SHA256
e3a937e8170b273687231c76c7539d1282a6c904df8b44aa249fc52dd09ab518

SHA512
b1151c9a8ce0b516879afc6838cb453d68d820ec4743b731974291d402fa0f0416b515b489ee7758de6c975402bd78bb016e9d8342a849157cce4ebc904de7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
\Users\Admin\AppData\Local\Temp\zgovbtz.exe
Filesize
13KB

MD5
f15812c468166ad85fda4223195da140

SHA1
4ed0da8b9e738f3d08a0f00270e92a0539e32136

SHA256
ac7ebc8987bb3712e198213a0e1fd7f96608b488dc8602f094a7bf4bc0f38e04

SHA512
bfcf6d30f1efa8c0a6f8d500782a5b314b0ac811fa4b7a5ebcfb479ca302ca0d8de8fc2c827155def08750d11297974d081781d0dcd4badc01534eb5aaeebdaa

Download Submit
memory/284-63-0x00000000000DF0D0-mapping.dmp

Download
memory/576-65-0x0000000000000000-mapping.dmp

Download
memory/1116-56-0x0000000000000000-mapping.dmp

Download
memory/1468-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download