da7997129263f41228f9bb5871d5cd89729bfe28e4bde1e3252fd3d5bed8523c

General

Target

82dca3c497740155201cc439e429daca.exe
Size

1.6MB
MD5

82dca3c497740155201cc439e429daca
SHA1

1140867caf5154b1643fc820a134254d6f7714b2
SHA256

da7997129263f41228f9bb5871d5cd89729bfe28e4bde1e3252fd3d5bed8523c
SHA512

321c19525f1a2b04d2f74537a632c336ad440cbe19ab915b8b3602357b2352e4a91e88d451f0b90c26ce21aaad72fb09a79d400afa7e937c56397f115164b7de
SSDEEP

24576:BKOM/uMQP600sErXzeeEqe9BXbSd90D0LcrBQgDON4PO/zFd2AynlN:C/uMQ90brjeeTAX6/gyN4W/zFd2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

Znrvkvjzhbwgtb.exeRvscjrede.exeZnrvkvjzhbwgtb.exeZnrvkvjzhbwgtb.exeZnrvkvjzhbwgtb.exeZnrvkvjzhbwgtb.exeZnrvkvjzhbwgtb.exe

pid	process
3008	Znrvkvjzhbwgtb.exe
384	Rvscjrede.exe
2668	Znrvkvjzhbwgtb.exe
2856	Znrvkvjzhbwgtb.exe
3036	Znrvkvjzhbwgtb.exe
2580	Znrvkvjzhbwgtb.exe
1688	Znrvkvjzhbwgtb.exe

Loads dropped DLL 7 IoCs

Processes:

82dca3c497740155201cc439e429daca.exeZnrvkvjzhbwgtb.exe

pid	process
2972	82dca3c497740155201cc439e429daca.exe
2972	82dca3c497740155201cc439e429daca.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Znrvkvjzhbwgtb.exe

pid	process
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe
3008	Znrvkvjzhbwgtb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Znrvkvjzhbwgtb.exe

description pid process

Token: SeDebugPrivilege 3008 Znrvkvjzhbwgtb.exe

description	pid	process
Token: SeDebugPrivilege	3008	Znrvkvjzhbwgtb.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

82dca3c497740155201cc439e429daca.exeZnrvkvjzhbwgtb.exe

description	pid	process	target process
PID 2972 wrote to memory of 3008	2972	82dca3c497740155201cc439e429daca.exe	Znrvkvjzhbwgtb.exe
PID 2972 wrote to memory of 3008	2972	82dca3c497740155201cc439e429daca.exe	Znrvkvjzhbwgtb.exe
PID 2972 wrote to memory of 3008	2972	82dca3c497740155201cc439e429daca.exe	Znrvkvjzhbwgtb.exe
PID 2972 wrote to memory of 3008	2972	82dca3c497740155201cc439e429daca.exe	Znrvkvjzhbwgtb.exe
PID 2972 wrote to memory of 384	2972	82dca3c497740155201cc439e429daca.exe	Rvscjrede.exe
PID 2972 wrote to memory of 384	2972	82dca3c497740155201cc439e429daca.exe	Rvscjrede.exe
PID 2972 wrote to memory of 384	2972	82dca3c497740155201cc439e429daca.exe	Rvscjrede.exe
PID 2972 wrote to memory of 384	2972	82dca3c497740155201cc439e429daca.exe	Rvscjrede.exe
PID 3008 wrote to memory of 2668	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2668	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2668	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2668	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2856	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2856	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2856	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2856	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2580	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2580	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2580	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 2580	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 3036	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 3036	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 3036	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 3036	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 1688	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 1688	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 1688	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe
PID 3008 wrote to memory of 1688	3008	Znrvkvjzhbwgtb.exe	Znrvkvjzhbwgtb.exe

C:\Users\Admin\AppData\Local\Temp\82dca3c497740155201cc439e429daca.exe
"C:\Users\Admin\AppData\Local\Temp\82dca3c497740155201cc439e429daca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\Rvscjrede.exe
"C:\Users\Admin\AppData\Local\Temp\Rvscjrede.exe"
2⤵
- Executes dropped EXE
PID:384

C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
"C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
"C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe"
1⤵
- Executes dropped EXE
PID:2856

C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
"C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
"C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe"
1⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
"C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe"
1⤵
- Executes dropped EXE
PID:2580

C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
"C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe"
1⤵
- Executes dropped EXE
PID:2668

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rvscjrede.exe
Filesize
86KB

MD5
cb3cc977dbd45863f9e30606e5f9dd7d

SHA1
3c4a9fcdb24f906bfb7ec6d391e607bb67f13e24

SHA256
7deb95547ce8d5c78c75151776ed9d5652aae1c992b4b593f00935c64bd7bb90

SHA512
a51087fcd5903f1f928f7fce7047f3fb5a68515ce43589a9187a449d9140f8fec9b319eaf233366e32e619e5dac46bda2962cf528ce590998845e8409c92bf3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rvscjrede.exe
Filesize
42KB

MD5
b085af0e4d04a365fc6c82513c767884

SHA1
5cff5904c118380bbe4abeb8c8b26d0a90c531db

SHA256
607461124209449214c0ac2692d79a0d4d05333bbc9fba98f976bb3122472570

SHA512
0a3e9eb03674e89fd742c621e387c221124436b72e4fa21f7bbb20c7ece8feb92c06bbd46e91e2ca014a573c3a3efe2329a40051506329334caadb1c931b6c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
Filesize
682KB

MD5
ee11b56f08f564c29013caf41b567bbb

SHA1
2b591e906542ac034131ae5e6deee31e22c79958

SHA256
38199fe38695af4989ca59662ec707847a13a3413ea6128fcc4f7f8b58b76f5e

SHA512
f4497a64e113a917026676babaf744d3f82c62fce9667fe608e45d4346eceefc00e6c65fc80fdaed8da6a33575fa8c13770cdfb0709b09ae4d0ec2d2a3a208f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
Filesize
153KB

MD5
071d99458d1e39270bdccf9e477624d5

SHA1
b70ba8851879e7963c8e7278f29e006d2eff6e20

SHA256
5d2aba1c4e2aabac799c2681b21025c026601464aaf6b15cc6147c9e7c548847

SHA512
965085e3f316e0a42dc14d23d12798c52f7ae7e3159b564a15b958e0aa0ff00f7624df19087ed8f054503206a4c646b8357df50b57d873b7daf5f8906e71af48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
Filesize
1KB

MD5
155438515e92b2e59edd980c515ba76d

SHA1
f17c7d0da452d4d8fa201a12c5aba4ecac714b90

SHA256
09c8953b9c678d286f430373d76e75390251efa37264e35dfd1ecb0cb61c85a1

SHA512
1837239b52b2b2fb5479e10fceb09f5bb1c1853be2a8da618f33a55d768f6d0393f0f890081c1771e023331fb3deb5df6c5d625c0b9153671206c7f7e476fab0

Download Submit
\Users\Admin\AppData\Local\Temp\Rvscjrede.exe
Filesize
99KB

MD5
85cb304f1f9e566e5f34b8e8c3be4e94

SHA1
a03105d7b2f80d76a41197c7f50f45767aa47820

SHA256
ccdc5cedae802ea9b5c661d56874492172d53aa84294436ea0e1b4072c071a0b

SHA512
7b5070d04d829fa091b9be1c530caf467a6526dea2a196919c3292ee1d333ad87ecbcabc5dedbbb11208448d341ae784f538e25a13f57753ac17613e40b380da

Download Submit
\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
Filesize
65KB

MD5
3aae39b9b61c8c5e534d45b2d113bf6a

SHA1
ca798c1bd564d5454143c162f3fa39288e93d400

SHA256
7699d1e75f1aab63495b5e13eaac445642649942b5ff59a9a349b4e5ebb47d84

SHA512
2914006c343527cae1d7f3a4e9761ed10c7aea3d9b0e3c6ccfa36e2f7b0dc7eb9540164d3dcb79ea2e399e363da8afb6d60d97b097e495a4b124b703808dbc2f

Download Submit
\Users\Admin\AppData\Local\Temp\Znrvkvjzhbwgtb.exe
Filesize
82KB

MD5
ea5a5905049e3896d1fe3bbb4bbbd92c

SHA1
7630877529d2c3963df2b963e0c0ab199ba1a7fb

SHA256
8dfcae4e7427985c36fa904f2ebfc38fe9600ee538c0dcd1cbb106e99532cc6e

SHA512
3f73e0502d7cf2f621fa28e2d03ade0799b43543f54196662aef3817e3043f0ee7b2e493c5af970e231428ba7adc27e1e3e7393bcb8d7995738cca41af4bcc7d

Download Submit
memory/384-21-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/384-23-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/384-35-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/384-19-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2972-29-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-0-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2972-2-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2972-1-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-20-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/3008-34-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-13-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-12-0x0000000000360000-0x0000000000410000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads