Analysis
max time kernel: 217s
max time network: 335s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2022 11:26
Static task: static1
Behavioral task: behavioral1
Sample: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe
Resource: win7-20221111-en
General
Target: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe
Size: 228KB
MD5: 98f963b9d7225413ec18f48a473c1f40
SHA1: 1272577d90b8d212416732e54258b136cbd2f3d3
SHA256: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c
SHA512: 778b186ef6c85651bb722701ee77785aed3bd51048a3ecd12423779c8b1ac640eea61a85712ceb03be48916b8c20c587adc4ee9f625f3a4b96a442f9b550b579
SSDEEP: 6144:QBn1yQEl9B3my7WMRNICK7WtIGpUv82m+mLZxhhO4+/:gnEl9Iy7zRNI7BGpU4L1J+/
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: nfvyobds.exe (pid 584)
- Loads dropped DLL (2 IoCs)
  Processes: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe (pid 688), 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe (pid 688)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target pid, target process):
  PID 688 wrote to memory of 584: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe -> nfvyobds.exe
  PID 688 wrote to memory of 584: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe -> nfvyobds.exe
  PID 688 wrote to memory of 584: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe -> nfvyobds.exe
  PID 688 wrote to memory of 584: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe -> nfvyobds.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe" C:\Users\Admin\AppData\Local\Temp\jhknljkson.ade
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
  Filesize: 59KB
  MD5: d660fe612ef6aa2af1d2ce26d213d38e
  SHA1: 6055e297bfc1a2cdf34ea79d17b3150e16231273
  SHA256: 15c2c4e1b0282f7b0a1a2050000f2ecd9c2d41ad2ccc4f38e16542af2b162ef2
  SHA512: 0de1d57640aa2185649f308908aca93992d1b4bb2766b746e595f4f3872510af697d9197d4556f75ea8f9a01af17570ca7ec56409d9292ed20e1a261ca0fe1b8
- \Users\Admin\AppData\Local\Temp\nfvyobds.exe
  Filesize: 59KB
  MD5: d660fe612ef6aa2af1d2ce26d213d38e
  SHA1: 6055e297bfc1a2cdf34ea79d17b3150e16231273
  SHA256: 15c2c4e1b0282f7b0a1a2050000f2ecd9c2d41ad2ccc4f38e16542af2b162ef2
  SHA512: 0de1d57640aa2185649f308908aca93992d1b4bb2766b746e595f4f3872510af697d9197d4556f75ea8f9a01af17570ca7ec56409d9292ed20e1a261ca0fe1b8
- memory/584-57-0x0000000000000000-mapping.dmp
- memory/688-54-0x0000000075E81000-0x0000000075E83000-memory.dmp
  Filesize: 8KB