e5c92201b021ea0cde8a889902f2404c100a903a862be17e7a387d331446f83f

General

Target

6b0d6dbf9d6a411d35b250595cff4b3f.exe
Size

212KB
MD5

6b0d6dbf9d6a411d35b250595cff4b3f
SHA1

22e3dfe9ff7968f143237d90aeb6bf51de0ecc59
SHA256

e5c92201b021ea0cde8a889902f2404c100a903a862be17e7a387d331446f83f
SHA512

64a3072be6c8203b6f031c738c50d0b21ca8323ac444fa0907bf7fbb3bae7cec8f50b7b5a03b23047eee4638d6a9de91c99738611e88db57da7f079944105732
SSDEEP

6144:iDpla3f0AQ2Zm63AEGLozFsKxrxiHMTYTzxxjXPfp:iDplahvMLozFJ0FX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	rvgfeov.exe

Loads dropped DLL 4 IoCs

pid	Process
2744	cmd.exe
2744	cmd.exe
2824	rvgfeov.exe
2824	rvgfeov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2244	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2664	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	rvgfeov.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2824	rvgfeov.exe
2824	rvgfeov.exe
2824	rvgfeov.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2824	rvgfeov.exe
2824	rvgfeov.exe
2824	rvgfeov.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2744	2484	6b0d6dbf9d6a411d35b250595cff4b3f.exe	30
PID 2484 wrote to memory of 2744	2484	6b0d6dbf9d6a411d35b250595cff4b3f.exe	30
PID 2484 wrote to memory of 2744	2484	6b0d6dbf9d6a411d35b250595cff4b3f.exe	30
PID 2484 wrote to memory of 2744	2484	6b0d6dbf9d6a411d35b250595cff4b3f.exe	30
PID 2744 wrote to memory of 2244	2744	cmd.exe	28
PID 2744 wrote to memory of 2244	2744	cmd.exe	28
PID 2744 wrote to memory of 2244	2744	cmd.exe	28
PID 2744 wrote to memory of 2244	2744	cmd.exe	28
PID 2744 wrote to memory of 2664	2744	cmd.exe	32
PID 2744 wrote to memory of 2664	2744	cmd.exe	32
PID 2744 wrote to memory of 2664	2744	cmd.exe	32
PID 2744 wrote to memory of 2664	2744	cmd.exe	32
PID 2744 wrote to memory of 2824	2744	cmd.exe	33
PID 2744 wrote to memory of 2824	2744	cmd.exe	33
PID 2744 wrote to memory of 2824	2744	cmd.exe	33
PID 2744 wrote to memory of 2824	2744	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\6b0d6dbf9d6a411d35b250595cff4b3f.exe
"C:\Users\Admin\AppData\Local\Temp\6b0d6dbf9d6a411d35b250595cff4b3f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2484 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6b0d6dbf9d6a411d35b250595cff4b3f.exe" & start C:\Users\Admin\AppData\Local\rvgfeov.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2664
- - C:\Users\Admin\AppData\Local\rvgfeov.exe
    C:\Users\Admin\AppData\Local\rvgfeov.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 2484
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2484-0-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2484-1-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/2484-2-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2484-6-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/2484-5-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2484-3-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2484-8-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/2484-7-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-14-0x00000000002B0000-0x00000000002D9000-memory.dmp

Filesize
164KB

Download
memory/2824-20-0x0000000000470000-0x000000000054B000-memory.dmp

Filesize
876KB

Download
memory/2824-19-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/2824-18-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-17-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-15-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2824-22-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/2824-24-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-26-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2824-25-0x00000000002B0000-0x00000000002D9000-memory.dmp

Filesize
164KB

Download
memory/2824-28-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-30-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-31-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-32-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-33-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-34-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-35-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/2824-36-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing