Analysis
max time kernel: 55s
max time network: 17s
platform: windows10_x64
resource: win10v20201028
submitted: 06-03-2021 22:26
Static task: static1
Behavioral task behavioral1: sample 32_64_ver_1_bit.bin.exe, resource win10v20201028
Behavioral task behavioral2: sample 32_64_ver_1_bit.bin.exe, resource win10v20201028
Behavioral task behavioral3: sample 32_64_ver_1_bit.bin.exe, resource win10v20201028
Behavioral task behavioral4: sample 32_64_ver_1_bit.bin.exe, resource win10v20201028
Behavioral task behavioral5: sample 32_64_ver_1_bit.bin.exe, resource win7v20201028
General
Target: 32_64_ver_1_bit.bin.exe
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes: Per.com (PID 4280), Per.com (PID 584)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the text "Likely ransomware behaviour" to this signature, but that is the generic description of the heuristic; nothing else in this report (no file-encryption activity, no ransom note, an empty Network section) corroborates ransomware.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: seven parent-to-child pairs, each reported three times (7 x 3 = 21). Every pair is a direct parent writing into its own freshly created child in the process tree, which is the footprint of process creation rather than injection into an unrelated process.
PID 4804 32_64_ver_1_bit.bin.exe wrote to memory of PID 3128 cmd.exe (x3)
PID 4804 32_64_ver_1_bit.bin.exe wrote to memory of PID 4312 cmd.exe (x3)
PID 4312 cmd.exe wrote to memory of PID 4420 cmd.exe (x3)
PID 4420 cmd.exe wrote to memory of PID 4300 findstr.exe (x3)
PID 4420 cmd.exe wrote to memory of PID 4280 Per.com (x3)
PID 4420 cmd.exe wrote to memory of PID 3192 PING.EXE (x3)
PID 4280 Per.com wrote to memory of PID 584 Per.com (x3)
Processes
Process tree (PIDs taken from the WriteProcessMemory list above). The image paths are under SysWOW64 while the command lines name System32: that is WOW64 file-system redirection, so the sample runs as a 32-bit process on 64-bit Windows. "cmd < Scala.bin" starts a second cmd.exe with Scala.bin as its standard input, so the findstr, Per.com and ping commands beneath it are the contents of Scala.bin being executed as a batch script without a .bat/.cmd extension. findstr /V /R prints every line of Infine.xltm except the line consisting solely of the long token, Per.com (a dropped binary with a .com extension) is launched with Svelto.accdr as its argument and then relaunches itself with the same argument, and "ping 127.0.0.1 -n 30" is a loopback ping used as a roughly 30-second delay.

C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.bin.exe (PID 4804)
    "C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.bin.exe"
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3128)
      "C:\Windows\System32\cmd.exe" /c echo TvlxhcPW
  C:\Windows\SysWOW64\cmd.exe (PID 4312)
      "C:\Windows\System32\cmd.exe" /c cmd < Scala.bin
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4420)
        cmd
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\findstr.exe (PID 4300)
          findstr /V /R "^UGUAzyVeUFVxwuQQxYTPPZLPHuxnJTHKMwKfMXhbVWVfsonCYVpiYXeUUtSjKbzqXlIZcAtvLcUTrvbmISmOKmLPZPcIywNbDVsiAnubQMvDepRbGzESXEdbnTqGyvdKIvdoydYpLwX$" Infine.xltm
      C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com (PID 4280)
          Per.com Svelto.accdr
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com (PID 584)
            C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com Svelto.accdr
            - Executes dropped EXE
      C:\Windows\SysWOW64\PING.EXE (PID 3192)
          ping 127.0.0.1 -n 30
          - Runs ping.exe
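The chain above (cmd.exe fed from a file on stdin, findstr with an inverse anchored match over an Office-named file, a .com launched from Temp with an Office-named argument, a loopback ping as a delay) is cheap to express as process-creation heuristics. The script below is an added example and not part of the sandbox report: it runs four such rules over constructed Sysmon-style events modelled on this process tree (PIDs, images and command lines copied from the report, the long findstr token shortened, plus one constructed benign findstr control) and flags a tree root only when several distinct rules fire beneath it. The rule names, the three-rule threshold and the extension lists are assumptions chosen for the demo.

```python
"""Flag the cmd-stdin / findstr / renamed-binary / ping chain in process-creation logs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 or Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the process tree in this report.
# Not a real log export; the findstr token is shortened for readability.
SAMPLE_EVENTS = [
    ProcEvent(4804, 1234, r"C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.bin.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.bin.exe"'),
    ProcEvent(3128, 4804, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c echo TvlxhcPW'),
    ProcEvent(4312, 4804, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c cmd < Scala.bin'),
    ProcEvent(4420, 4312, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(4300, 4420, r"C:\Windows\SysWOW64\findstr.exe",
              r'findstr /V /R "^UGUAzyVeUFVxwuQQxYTPPZLPHuxnJTHK$" Infine.xltm'),
    ProcEvent(4280, 4420, r"C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com",
              "Per.com Svelto.accdr"),
    ProcEvent(3192, 4420, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 30"),
    ProcEvent(584, 4280, r"C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com",
              r"C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com Svelto.accdr"),
    # Constructed benign control: an operator grepping a log file from a console.
    ProcEvent(5000, 4000, r"C:\Windows\System32\findstr.exe",
              r'findstr /i "error" C:\logs\app.log'),
]

# Assumed heuristic parameters: user temp directory, Office/Access extensions seen in
# this report plus common macro-enabled ones, and non-.exe extensions that still run as PE.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
OFFICE_EXT = re.compile(r"\.(xltm|potm|accdr|docm|xlsm|pptm)\b", re.I)
RENAMED_EXTS = {"com", "scr", "pif"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> list:
    """Return the names of the individual heuristics that fire on one event."""
    hits = []
    image = _basename(ev.image)
    cl = ev.cmdline
    # cmd.exe taking its commands from a file on stdin instead of a .bat/.cmd script
    if image == "cmd.exe" and re.search(r"\bcmd(\.exe)?\s*<\s*\S", cl, re.I):
        hits.append("cmd_stdin_redirect")
    # findstr /V /R with a long anchored token run against an Office-named file
    if (image == "findstr.exe" and re.search(r"/v\b", cl, re.I)
            and re.search(r"/r\b", cl, re.I)
            and re.search(r'"\^[A-Za-z0-9]{16,}\$"', cl) and OFFICE_EXT.search(cl)):
        hits.append("findstr_inverse_anchored_token")
    # a binary with a non-.exe executable extension launched from %TEMP%
    if image.rsplit(".", 1)[-1] in RENAMED_EXTS and TEMP_DIR.search(ev.image):
        hits.append("renamed_binary_in_temp")
        if OFFICE_EXT.search(cl):
            hits.append("office_extension_argument")
    # ping against loopback with a repeat count, the classic batch-file sleep
    if image == "ping.exe" and re.search(
            r"127\.0\.0\.1.*-n\s+\d+|-n\s+\d+.*127\.0\.0\.1", cl):
        hits.append("ping_loopback_delay")
    return hits


def analyze(events) -> dict:
    """Map each flagged PID to (root PID of its process tree, list of rule names)."""
    by_pid = {e.pid: e for e in events}

    def root_of(e):
        seen = set()
        while e.ppid in by_pid and e.pid not in seen:
            seen.add(e.pid)
            e = by_pid[e.ppid]
        return e.pid

    findings = {}
    for e in events:
        hits = match_rules(e)
        if hits:
            findings[e.pid] = (root_of(e), hits)
    return findings


def flagged_roots(events, min_distinct_rules: int = 3) -> set:
    """Roots of process trees under which at least min_distinct_rules heuristics fired."""
    per_root = {}
    for _, (root, hits) in analyze(events).items():
        per_root.setdefault(root, set()).update(hits)
    return {r for r, rules in per_root.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    for pid, (root, hits) in sorted(analyze(SAMPLE_EVENTS).items()):
        print(f"pid {pid} (tree root {root}): {', '.join(hits)}")
    print("flagged roots:", flagged_roots(SAMPLE_EVENTS))
```

Correlating by tree root is what keeps the individual rules loose: a lone "ping 127.0.0.1 -n 30" or a lone findstr /V is common in legitimate batch files, but five distinct rules firing under one parent that lives in the user's Temp directory is not.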
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files dropped into the randomly named directory C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\. The names carry Office and Access extensions (.xltm, .potm, .accdr), but the files are consumed by cmd.exe, findstr.exe and Per.com rather than opened by an Office application, so the extensions say nothing reliable about the content; identify each file by its bytes and hash. Per.com appears twice in the original report with identical hashes (once per Per.com process) and is listed once here.

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Infine.xltm
MD5    e92c98933cb8a69f4270762f59f72f8d
SHA1   bbd1cd46209a4c42c5de13ac32c46ec2818b4eb0
SHA256 ca6f3d6fdc14ea694a2a010c8f2596cb9b99251d5e4ccd85386be58d39309bba
SHA512 1893cf45da05f56ed2f627d61189e4bd9fc179512b9d6fe315c3967b083447fb46775846c1cfe8d38bff4a2326f2323f7b757a2389dd04162d7ebf1181ba1c3a

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
MD5    78ba0653a340bac5ff152b21a83626cc
SHA1   b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Saluta.potm
MD5    94957cd5084b8a109eb5bc6b9889dc70
SHA1   bbaae28333a3871ce9aed0d0463cdd738624a9cd
SHA256 9855686bf0c7ad2d5cb8828ff2a4feae9a6d4bc6c21be391e51b96ab942aa08d
SHA512 13344363c786e454046923285eb889399afd26ad1e74f8a762062fc8c400f7f05a04e1bc593e08850d9226bca9ea67453065e9f12ae83acfd4cd6dc6a8126d07

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Scala.bin
MD5    45c3b50fd2d0a49dbc60cd84e7625234
SHA1   3e95f809cd6cfa8c1dfe1ed8b3a61038d579e04c
SHA256 e9d23eea77b153d824699bcd00dde8ad297e97bb17b8ea4eccc23c4d5717f804
SHA512 87acd56e8a981ebfe49abe0eb4e4b9ed5768cb7fea080b65428e5dca9cbe5faaffad87aa5a24c74fd30a28be7ebf30f7f098c34e1ba99aa475269d9f88baf195

C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Svelto.accdr
MD5    7e6ab0703aa2bc01af332f11553bd583
SHA1   b5bf5e9f2467b4fd2ec4511a6f7856a3a0565182
SHA256 e1ab0437119b2b4e51f7cb068ee3a15ccc81b8aa00ea39f9e24b420859fab05a
SHA512 6313f5daf8559cad6734cd80d9be17d8c99608ac8e9086b51883f31b1d0d883c16c96cd120ba8c39afbe55fc7136d042b6452607114c8d6e4587020bddaa4c8f
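The report identifies the dropped files only by name and hash. The script below is an added example, not part of the report: it compares each file's leading bytes with what its extension claims and flags mismatches, and computes the SHA256 so the result can be checked against the list above. The byte strings are constructed for the demo and are not the contents of the files in the report. The expectation that a .com file is a PE image rests on 64-bit Windows not running 16-bit DOS .com programs: a .com that ran as a process on windows10_x64, as Per.com did here, must be a PE.

```python
"""Identify dropped files by content rather than by the extension they were given."""
import hashlib
from pathlib import PurePath

# Leading-byte signatures for the types that matter in this chain.
MAGIC = (
    (b"MZ", "pe_executable"),
    (b"PK\x03\x04", "zip_container"),              # OOXML documents/templates are zip files
    (b"\x00\x01\x00\x00Standard ACE DB", "access_database"),
    (b"\x00\x01\x00\x00Standard Jet DB", "access_database"),
)

# What each extension claims its content should be (None = no expectation).
# .xltm/.potm are macro-enabled Office templates (zip), .accdr is an Access runtime
# database, and a .com that executes on 64-bit Windows can only be a PE image.
CLAIMED = {".xltm": "zip_container", ".potm": "zip_container",
           ".accdr": "access_database", ".com": "pe_executable", ".bin": None}


def identify(data: bytes) -> str:
    """Return a coarse content type from the first bytes of a file."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    head = data[:512]
    if head and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in head):
        return "text"
    return "unknown"


def check_bytes(name: str, data: bytes) -> dict:
    """Compare detected content type with the type the extension claims."""
    ext = PurePath(name).suffix.lower()
    detected = identify(data)
    claimed = CLAIMED.get(ext)
    return {
        "name": name, "ext": ext, "detected": detected, "claimed": claimed,
        "mismatch": claimed is not None and detected != claimed,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed sample contents for the demo; NOT the bytes of the files in the report.
SAMPLES = {
    "Per.com": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
    "Infine.xltm": b"hello\r\nUGUAzyVeUFVxwuQQxYTPPZLPHuxnJTHK\r\nworld\r\n",
    "Scala.bin": b"@echo off\r\n",
    "Svelto.accdr": b"some script text\r\n",
    "Saluta.potm": b"PK\x03\x04" + b"\x00" * 26,
}


def triage(samples=SAMPLES) -> list:
    return [check_bytes(name, data) for name, data in samples.items()]


def mismatched_names(samples=SAMPLES) -> list:
    """Names whose content does not match what the extension claims."""
    return sorted(r["name"] for r in triage(samples) if r["mismatch"])


if __name__ == "__main__":
    for r in triage():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:14} {r['detected']:16} {flag:8} {r['sha256'][:16]}...")
```

Files with an Office extension that turn out to be plain text, and a .com that turns out to be a PE, are exactly the cases worth pulling out of a dropped-file list before anything else is examined.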
memory/584-12-0x0000000000000000-mapping.dmp
memory/584-15-0x00000000014C0000-0x00000000014C1000-memory.dmp (4KB)
memory/3128-2-0x0000000000000000-mapping.dmp
memory/3192-11-0x0000000000000000-mapping.dmp
memory/4280-8-0x0000000000000000-mapping.dmp
memory/4300-6-0x0000000000000000-mapping.dmp
memory/4312-3-0x0000000000000000-mapping.dmp
memory/4420-5-0x0000000000000000-mapping.dmp