cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
Size

208KB
MD5

f855c6aeca4075998a9f52e8e0062142
SHA1

607be2097978a701e92897d69525498b042510e0
SHA256

cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8
SHA512

e07642edaa099df028516f8e5ae6ab0e76fff4cd7ac81b10f5d4a8606e1a627f1bcd3ffa9fa687baca883cd7368b074532907a3a8fae507a32fd12b8b9ff1bd5
SSDEEP

6144:vz7XlhJHu9CBoQvCY5q9IoqIEgeTwQEj9:77xDGC3geMQS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2796	MVN.exe
2792	ONPAICQ.exe
2696	NBYDIE.exe
2480	VTYP.exe
2864	BRDKCM.exe
852	GWARC.exe

Loads dropped DLL 10 IoCs

pid	Process
2376	cmd.exe
2376	cmd.exe
2892	cmd.exe
2892	cmd.exe
3020	cmd.exe
3020	cmd.exe
2716	cmd.exe
2716	cmd.exe
1624	cmd.exe
1624	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\GWARC.exe	BRDKCM.exe
File opened for modification	C:\windows\SysWOW64\GWARC.exe	BRDKCM.exe
File created	C:\windows\SysWOW64\GWARC.exe.bat	BRDKCM.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\windows\ONPAICQ.exe	MVN.exe
File opened for modification	C:\windows\system\VTYP.exe	NBYDIE.exe
File created	C:\windows\system\VTYP.exe	NBYDIE.exe
File created	C:\windows\system\NBYDIE.exe	ONPAICQ.exe
File opened for modification	C:\windows\system\NBYDIE.exe	ONPAICQ.exe
File created	C:\windows\system\NBYDIE.exe.bat	ONPAICQ.exe
File opened for modification	C:\windows\ONPAICQ.exe	MVN.exe
File created	C:\windows\system\VTYP.exe.bat	NBYDIE.exe
File created	C:\windows\system\BRDKCM.exe	VTYP.exe
File opened for modification	C:\windows\system\BRDKCM.exe	VTYP.exe
File created	C:\windows\system\MVN.exe	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
File opened for modification	C:\windows\system\MVN.exe	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
File created	C:\windows\system\MVN.exe.bat	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
File created	C:\windows\ONPAICQ.exe.bat	MVN.exe
File created	C:\windows\system\BRDKCM.exe.bat	VTYP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2240	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
2796	MVN.exe
2792	ONPAICQ.exe
2696	NBYDIE.exe
2480	VTYP.exe
2864	BRDKCM.exe
852	GWARC.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2240	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
2240	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
2796	MVN.exe
2796	MVN.exe
2792	ONPAICQ.exe
2792	ONPAICQ.exe
2696	NBYDIE.exe
2696	NBYDIE.exe
2480	VTYP.exe
2480	VTYP.exe
2864	BRDKCM.exe
2864	BRDKCM.exe
852	GWARC.exe
852	GWARC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2376	2240	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe	28
PID 2240 wrote to memory of 2376	2240	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe	28
PID 2240 wrote to memory of 2376	2240	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe	28
PID 2240 wrote to memory of 2376	2240	cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe	28
PID 2376 wrote to memory of 2796	2376	cmd.exe	30
PID 2376 wrote to memory of 2796	2376	cmd.exe	30
PID 2376 wrote to memory of 2796	2376	cmd.exe	30
PID 2376 wrote to memory of 2796	2376	cmd.exe	30
PID 2796 wrote to memory of 2680	2796	MVN.exe	31
PID 2796 wrote to memory of 2680	2796	MVN.exe	31
PID 2796 wrote to memory of 2680	2796	MVN.exe	31
PID 2796 wrote to memory of 2680	2796	MVN.exe	31
PID 2680 wrote to memory of 2792	2680	cmd.exe	33
PID 2680 wrote to memory of 2792	2680	cmd.exe	33
PID 2680 wrote to memory of 2792	2680	cmd.exe	33
PID 2680 wrote to memory of 2792	2680	cmd.exe	33
PID 2792 wrote to memory of 2892	2792	ONPAICQ.exe	34
PID 2792 wrote to memory of 2892	2792	ONPAICQ.exe	34
PID 2792 wrote to memory of 2892	2792	ONPAICQ.exe	34
PID 2792 wrote to memory of 2892	2792	ONPAICQ.exe	34
PID 2892 wrote to memory of 2696	2892	cmd.exe	36
PID 2892 wrote to memory of 2696	2892	cmd.exe	36
PID 2892 wrote to memory of 2696	2892	cmd.exe	36
PID 2892 wrote to memory of 2696	2892	cmd.exe	36
PID 2696 wrote to memory of 3020	2696	NBYDIE.exe	37
PID 2696 wrote to memory of 3020	2696	NBYDIE.exe	37
PID 2696 wrote to memory of 3020	2696	NBYDIE.exe	37
PID 2696 wrote to memory of 3020	2696	NBYDIE.exe	37
PID 3020 wrote to memory of 2480	3020	cmd.exe	39
PID 3020 wrote to memory of 2480	3020	cmd.exe	39
PID 3020 wrote to memory of 2480	3020	cmd.exe	39
PID 3020 wrote to memory of 2480	3020	cmd.exe	39
PID 2480 wrote to memory of 2716	2480	VTYP.exe	40
PID 2480 wrote to memory of 2716	2480	VTYP.exe	40
PID 2480 wrote to memory of 2716	2480	VTYP.exe	40
PID 2480 wrote to memory of 2716	2480	VTYP.exe	40
PID 2716 wrote to memory of 2864	2716	cmd.exe	42
PID 2716 wrote to memory of 2864	2716	cmd.exe	42
PID 2716 wrote to memory of 2864	2716	cmd.exe	42
PID 2716 wrote to memory of 2864	2716	cmd.exe	42
PID 2864 wrote to memory of 1624	2864	BRDKCM.exe	43
PID 2864 wrote to memory of 1624	2864	BRDKCM.exe	43
PID 2864 wrote to memory of 1624	2864	BRDKCM.exe	43
PID 2864 wrote to memory of 1624	2864	BRDKCM.exe	43
PID 1624 wrote to memory of 852	1624	cmd.exe	45
PID 1624 wrote to memory of 852	1624	cmd.exe	45
PID 1624 wrote to memory of 852	1624	cmd.exe	45
PID 1624 wrote to memory of 852	1624	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe
"C:\Users\Admin\AppData\Local\Temp\cf8d3d1bd0b465c7a232958b097ed0ea344e6ed93b0e31939896c4f5b84eede8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\MVN.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\windows\system\MVN.exe
    C:\windows\system\MVN.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\ONPAICQ.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\windows\ONPAICQ.exe
        
        C:\windows\ONPAICQ.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\NBYDIE.exe.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\windows\system\NBYDIE.exe
        
        C:\windows\system\NBYDIE.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\VTYP.exe.bat" "
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\windows\system\VTYP.exe
        
        C:\windows\system\VTYP.exe
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\BRDKCM.exe.bat" "
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\windows\system\BRDKCM.exe
        
        C:\windows\system\BRDKCM.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\GWARC.exe.bat" "
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\windows\SysWOW64\GWARC.exe
        
        C:\windows\system32\GWARC.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ONPAICQ.exe

Filesize
208KB

MD5
16902fa45e809f51bc37c58a701a0851

SHA1
a9cd6312928cc770abfb79a76c9314b7b75b2659

SHA256
518e74d8aa15c7258a2658a587017bad2b3330d712f84d36ccb45632b74df13a

SHA512
1fa3da567d54bab23790a1f63a826c9da1e34d424b0461ff9f19105078f2e53c18e1a47fcb65d57eecb6bcd0ee16e29f129777100c36a3bcec0112052f6356cb

Download Submit
C:\Windows\ONPAICQ.exe.bat

Filesize
60B

MD5
fdad2578575489b4698e0e632776b647

SHA1
3df07c46399ab6625988d7b907906ae268e8c384

SHA256
f4a5e65bf0aaaca30a90454917637aae76769b4ee9fbb50cd8d7b79e2ed215a6

SHA512
962480d16d8bc6afed0e828f00ab13ce5c0760a77b3cb41836a27646e2cb92c7c8605a17305497598ffda27ed5cf97eda2285696d613f669ab0540117d3be975

Download Submit
C:\Windows\SysWOW64\GWARC.exe.bat

Filesize
74B

MD5
d6f622b4a5b1d7969d87f3e67135b8b5

SHA1
70dbb10ba70afa765a54f169c4dfff1516988cef

SHA256
f8aaee662afa409e3159b1f757a1fca16e7693f859e6d155bdcf0ca15f99edaf

SHA512
9fedd9559ea82094ab3edb87aec5d823ec6dee9880a2cb87edf033092970353137f45ac8444c8cf3c93bffe4c59fb29e5523ed1c94faaa41500b56323e4ace38

Download Submit
C:\Windows\system\BRDKCM.exe.bat

Filesize
72B

MD5
727a27ec94a40afe47fa72e34d6f3b9e

SHA1
e3d902f7d0230ffd04750869f60f3540d8ce2a3f

SHA256
69067e695b367601a89e45f370a9b1b999b32449d1dcbbb722e42dfa88c5bc16

SHA512
39043ed6d674fb27e8f3d1cf964b055b15be88693b2025a05614006473fc933be75088827de7e3a43c7524512976d84fb451d79ceecb0d9643fdba14bb17f333

Download Submit
C:\Windows\system\MVN.exe.bat

Filesize
66B

MD5
5e8f1ed98ed45b824685014d23a176a4

SHA1
22ff010c73045fe8ae7939fe79fe64b3301ff851

SHA256
2e153e78f7e9d4db1de5549c60705c201e1fadefbf3e05b0461d401aaa6bf363

SHA512
874303409058fc047a7621fe7a5f0458b3284bfba7acbe0e43260f7734e3eae7481f714608156a5094374f8b1b0a42aa53c6bd0821e8f37ff38a130ba7209bca

Download Submit
C:\Windows\system\NBYDIE.exe.bat

Filesize
72B

MD5
4d8c3274891638185e174cd7cee5e912

SHA1
e9921a66b704ecc52daed395ad1f986222322b9f

SHA256
02d071d85bc7034c66ae03a9f543d998369bb5bff885f89531075d4896cb76aa

SHA512
f601f5c01a35b2f201621f13a75b2f18a1f725073db9f36c4f72e3dd68608e0f2e71812495761fc3a6fd382c97589147d3be51891b5a8e97ad86ca583667542b

Download Submit
C:\Windows\system\VTYP.exe

Filesize
208KB

MD5
d57dbd394e2be5dd4f501f6c3d47337a

SHA1
7d71f71dd0c68cbcfa759b58057ad34c1fdea84b

SHA256
c7e150baa86d20d5ee5b31198f742113e5a6571ac0c42da0cf12ba7fb177c2d2

SHA512
443c03d6b6bf1de303651405c48ca7a1c73623c85518be83c01e75e3b0e4c019faa567e4e045854572a19ac41ba5e6df9c4928b23081ee4d96b31b8d5c938bc2

Download Submit
C:\Windows\system\VTYP.exe.bat

Filesize
68B

MD5
0a44328318e59ece8aa59fc0c4278de1

SHA1
b8d1cfa12fa54ba72d66e363d5c632d1e2c3eb2a

SHA256
57faba33fbf660568c2b9f6047ff3ef219aa1bd8ee18e527a60508882dfe6bae

SHA512
d3f79f138d47b08011a92153851e379860b5b2deb97eacd2525c67b91458bf0f127f80e672a66f2cdbe06727de53a2f2cee56a8b20bbc8a7c03c51e007af5227

Download Submit
C:\windows\ONPAICQ.exe

Filesize
208KB

MD5
6d2a20f944be48bcbab06faa3c0f4ce0

SHA1
85e7cb8abd1fc3ae4d9cdb61290f3c8fd82b1ce3

SHA256
9e0264ba72fbc9958d6f81b521577e9def534f67c85f853e2e0ac8eec948786c

SHA512
8f9abb943df53a754d4ebc5f843430e316e09785c9e7c85815a675b253faa6724100af0382a782e438d792792e768619d5e94102571be455bf2411fec0aa13d2

Download Submit
C:\windows\SysWOW64\GWARC.exe

Filesize
208KB

MD5
0b18eb74d95bef686236c1a95035ffaf

SHA1
5f38fd0ffa79e89a62ef17f1dd5c45f8929bacb4

SHA256
b2d9c7f54e49981d91a883189e310f452e4be05e626ce90368f8b2f07cb7c751

SHA512
929a5fb4717dc15ad3faca5785f7027a80ebba47cfaf3db67f881f390dd6fc2eb617352bb2af7219ef10fe3135c6c29d1181c04904fbf8e88dbec05f1be651f8

Download Submit
C:\windows\system\BRDKCM.exe

Filesize
208KB

MD5
8e056ed98cd352a2a0c16051a2d12059

SHA1
9e9bada4b54db59d57f80cb1feab40ce1010f279

SHA256
20dbf35d53ca4f542e123d10d8b9a32d23a9745909b476afca0494fb7b0f024f

SHA512
89dd3e7e870180c0da0230fd644e7af62ddf8cf9d6760d2cc469d5ee8f4892bd13359a35837e9cec4dbad2869a6fc9ef635dc8d16be6964f9ba28490cf175c5f

Download Submit
\Windows\system\MVN.exe

Filesize
208KB

MD5
af6d7bf1682f713fa80ba637b357e6a4

SHA1
287230008d17cc0fdaf90a27394ce3d7191a01ed

SHA256
d78f913ec671070ee3a8ee2a6e85d311b1765274671d6b9b42a13aa437e5eea9

SHA512
1095613add057189b0836e06cb90035b33ceeab3b3e2d2a44778892f71f4037835c52528614e4fc5f4e167cfdb768fcc4f164140846682bf6e3801e680062597

Download Submit
\Windows\system\NBYDIE.exe

Filesize
208KB

MD5
39cdedd7751e80243505635ecd9d2edc

SHA1
6482b684ec12a791dced03b14209f9cb989f5e7d

SHA256
aaf8235d26dfad14f7b097d6142ce0d9057f79b256bd85c0757661e95373a054

SHA512
d4f2d0a18e40448df48afe8483bd6c7eee2f28af739c553feaea6450ae720a3f567788b821f9d51c4e25769ad91c38972c435dabaeb10c477eb71269538ce191

Download Submit
memory/852-111-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/852-112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-108-0x00000000003B0000-0x00000000003E8000-memory.dmp

Filesize
224KB

Download
memory/2240-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2240-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2480-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2480-85-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2680-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2696-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2696-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-90-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/2792-49-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2792-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2796-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2796-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2864-92-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2864-104-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download