32b25aa41ee05167c9c5f842ee118722f9f562008f5619d88da3a8592021ae6e

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 19:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a49924a6a0cfc4f55e5ddd505ce26aa1.exe
Size

268KB
MD5

a49924a6a0cfc4f55e5ddd505ce26aa1
SHA1

c9369e50820fdbf534849e7d6bae42b46286e0cd
SHA256

32b25aa41ee05167c9c5f842ee118722f9f562008f5619d88da3a8592021ae6e
SHA512

16b3eb880c8eaac013ab32de8a8c488b4e8d17346902dd24c0cf58e4aea391f036996934a661ab6990f9ca868fdd77f17dafbf28ea4eae93fef69236e75aabd8
SSDEEP

3072:NE4raqnywSksPUTVY7fhINP7JbfLBsyVEJ8Ixjtmkp44upWuTNgX8Tjee/L1pvQu:qMmsgfuNPp5VEVtmk4DAuTxeOx

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a49924a6a0cfc4f55e5ddd505ce26aa1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rvbiop.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	rvbiop.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	a49924a6a0cfc4f55e5ddd505ce26aa1.exe
1968	a49924a6a0cfc4f55e5ddd505ce26aa1.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /v"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /s"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /i"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /d"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /k"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /s"	a49924a6a0cfc4f55e5ddd505ce26aa1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /x"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /w"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /h"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /r"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /q"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /u"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /m"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /g"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /f"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /c"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /b"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /a"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /n"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /y"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /o"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /z"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /e"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /t"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /p"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /j"	rvbiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rvbiop = "C:\\Users\\Admin\\rvbiop.exe /l"	rvbiop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	a49924a6a0cfc4f55e5ddd505ce26aa1.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe
2800	rvbiop.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1968	a49924a6a0cfc4f55e5ddd505ce26aa1.exe
2800	rvbiop.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2800	1968	a49924a6a0cfc4f55e5ddd505ce26aa1.exe	28
PID 1968 wrote to memory of 2800	1968	a49924a6a0cfc4f55e5ddd505ce26aa1.exe	28
PID 1968 wrote to memory of 2800	1968	a49924a6a0cfc4f55e5ddd505ce26aa1.exe	28
PID 1968 wrote to memory of 2800	1968	a49924a6a0cfc4f55e5ddd505ce26aa1.exe	28

C:\Users\Admin\AppData\Local\Temp\a49924a6a0cfc4f55e5ddd505ce26aa1.exe
"C:\Users\Admin\AppData\Local\Temp\a49924a6a0cfc4f55e5ddd505ce26aa1.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\rvbiop.exe
  "C:\Users\Admin\rvbiop.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\rvbiop.exe

Filesize
20KB

MD5
701824c1daca5611e98e95aa60f89924

SHA1
1bfa08c0b9dec3d34fb4814645e5d0f2e234cd93

SHA256
93492c24a4f3c6d5b355e2e1badce8809f20093a8b4397c2df657c88f8403e0e

SHA512
0cd64482002e4e4dea2b5f9df0aeebf128536662e7ae146b5860acd8f735a2d73739acce3eae086cfc9f56bef350b8b0c80932319e49b3e534680b21b582c7fd

Download Submit
C:\Users\Admin\rvbiop.exe

Filesize
56KB

MD5
3a38b3f5abe171bdc565a59101c09ec3

SHA1
3615006e32131983d5cc14aee51c099ab0042864

SHA256
728fbfc2a31d0620281defadb56479423c7ebd3ac4271597bd7bb73a95c9dee6

SHA512
5c71a659d9878b0118e8f1646f7693dde2aa916757feab3f765b30b7037f785cab70c3cb2f81ca4d3a250828ae92e0f79d39213ab1f6e1c184be5af98d68501e

Download Submit
C:\Users\Admin\rvbiop.exe

Filesize
48KB

MD5
5d63bc939a7432923531e0d78a5694ba

SHA1
3ca8a4ef44c960118a6dc12a1a8c462a72cb83f5

SHA256
00eb733e85be468b71039bfd7057361d7cf5d1a418f1ae9d83dffdee67b26b16

SHA512
f812bfea50e09393bba05112e12f9085d52dcf4ab527dbce581b24e979c7e16662d9523a4e349831fbd75337b9a80dcea8d18f290eb7aedf3406c1176a2b8e76

Download Submit
\Users\Admin\rvbiop.exe

Filesize
44KB

MD5
9e5823ebd5fe76ec38c718400e42f8fb

SHA1
6b54c17d875d14a2e4ccc3ce635d2a0be9d9cd86

SHA256
618454b0310821af2eb5f5584bed773050de8bb68edafd299047a9d1c30ed0cd

SHA512
06b90be17008a1aaedf797ba514fd91dbb18d364465a28146c89bfc5924af30e0185d51224af211f3d5af7d6f50cb624a05a9fa0f88a0d3ab5cb509fcbea9634

Download Submit
\Users\Admin\rvbiop.exe

Filesize
28KB

MD5
770a58cff6da5f97f321808220bb176b

SHA1
24be609fd13ab91c8b286d9af47d8063b5ebecb0

SHA256
f7567badea9a6c5754ad9efd95c3f03fbb2049f8479382e81518942a078d8098

SHA512
64d3692f332dffe09ef8ad9955e4b5f596b5eae347c1753b80da84ab6288d15ca7f379b57d87d88b1357dc31b52ef2afd93462dbf6dc281bb9a4487923699e2b

Download Submit