f9d1611e9c76704829a006ca1a15c810063c0c68f2c9466cfafe583de36c4a0e

General

Target

32_64_ver_1_bit.bin.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Per.comPer.com

pid process

4280 Per.com
584 Per.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3192 PING.EXE

pid	process
4280	Per.com
584	Per.com

pid	process
3192	PING.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

32_64_ver_1_bit.bin.execmd.execmd.exePer.com

description	pid	process	target process
PID 4804 wrote to memory of 3128	4804	32_64_ver_1_bit.bin.exe	cmd.exe
PID 4804 wrote to memory of 3128	4804	32_64_ver_1_bit.bin.exe	cmd.exe
PID 4804 wrote to memory of 3128	4804	32_64_ver_1_bit.bin.exe	cmd.exe
PID 4804 wrote to memory of 4312	4804	32_64_ver_1_bit.bin.exe	cmd.exe
PID 4804 wrote to memory of 4312	4804	32_64_ver_1_bit.bin.exe	cmd.exe
PID 4804 wrote to memory of 4312	4804	32_64_ver_1_bit.bin.exe	cmd.exe
PID 4312 wrote to memory of 4420	4312	cmd.exe	cmd.exe
PID 4312 wrote to memory of 4420	4312	cmd.exe	cmd.exe
PID 4312 wrote to memory of 4420	4312	cmd.exe	cmd.exe
PID 4420 wrote to memory of 4300	4420	cmd.exe	findstr.exe
PID 4420 wrote to memory of 4300	4420	cmd.exe	findstr.exe
PID 4420 wrote to memory of 4300	4420	cmd.exe	findstr.exe
PID 4420 wrote to memory of 4280	4420	cmd.exe	Per.com
PID 4420 wrote to memory of 4280	4420	cmd.exe	Per.com
PID 4420 wrote to memory of 4280	4420	cmd.exe	Per.com
PID 4420 wrote to memory of 3192	4420	cmd.exe	PING.EXE
PID 4420 wrote to memory of 3192	4420	cmd.exe	PING.EXE
PID 4420 wrote to memory of 3192	4420	cmd.exe	PING.EXE
PID 4280 wrote to memory of 584	4280	Per.com	Per.com
PID 4280 wrote to memory of 584	4280	Per.com	Per.com
PID 4280 wrote to memory of 584	4280	Per.com	Per.com

C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.bin.exe
"C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo TvlxhcPW
2⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Scala.bin
2⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^UGUAzyVeUFVxwuQQxYTPPZLPHuxnJTHKMwKfMXhbVWVfsonCYVpiYXeUUtSjKbzqXlIZcAtvLcUTrvbmISmOKmLPZPcIywNbDVsiAnubQMvDepRbGzESXEdbnTqGyvdKIvdoydYpLwX$" Infine.xltm
4⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
Per.com Svelto.accdr
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com Svelto.accdr
5⤵
- Executes dropped EXE
PID:584

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Infine.xltm
MD5
e92c98933cb8a69f4270762f59f72f8d

SHA1
bbd1cd46209a4c42c5de13ac32c46ec2818b4eb0

SHA256
ca6f3d6fdc14ea694a2a010c8f2596cb9b99251d5e4ccd85386be58d39309bba

SHA512
1893cf45da05f56ed2f627d61189e4bd9fc179512b9d6fe315c3967b083447fb46775846c1cfe8d38bff4a2326f2323f7b757a2389dd04162d7ebf1181ba1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Saluta.potm
MD5
94957cd5084b8a109eb5bc6b9889dc70

SHA1
bbaae28333a3871ce9aed0d0463cdd738624a9cd

SHA256
9855686bf0c7ad2d5cb8828ff2a4feae9a6d4bc6c21be391e51b96ab942aa08d

SHA512
13344363c786e454046923285eb889399afd26ad1e74f8a762062fc8c400f7f05a04e1bc593e08850d9226bca9ea67453065e9f12ae83acfd4cd6dc6a8126d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Scala.bin
MD5
45c3b50fd2d0a49dbc60cd84e7625234

SHA1
3e95f809cd6cfa8c1dfe1ed8b3a61038d579e04c

SHA256
e9d23eea77b153d824699bcd00dde8ad297e97bb17b8ea4eccc23c4d5717f804

SHA512
87acd56e8a981ebfe49abe0eb4e4b9ed5768cb7fea080b65428e5dca9cbe5faaffad87aa5a24c74fd30a28be7ebf30f7f098c34e1ba99aa475269d9f88baf195

Download Submit
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Svelto.accdr
MD5
7e6ab0703aa2bc01af332f11553bd583

SHA1
b5bf5e9f2467b4fd2ec4511a6f7856a3a0565182

SHA256
e1ab0437119b2b4e51f7cb068ee3a15ccc81b8aa00ea39f9e24b420859fab05a

SHA512
6313f5daf8559cad6734cd80d9be17d8c99608ac8e9086b51883f31b1d0d883c16c96cd120ba8c39afbe55fc7136d042b6452607114c8d6e4587020bddaa4c8f

Download Submit
memory/584-12-0x0000000000000000-mapping.dmp

Download
memory/584-15-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/3128-2-0x0000000000000000-mapping.dmp

Download
memory/3192-11-0x0000000000000000-mapping.dmp

Download
memory/4280-8-0x0000000000000000-mapping.dmp

Download
memory/4300-6-0x0000000000000000-mapping.dmp

Download
memory/4312-3-0x0000000000000000-mapping.dmp

Download
memory/4420-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing