Analysis
max time kernel: 1686s
max time network: 1690s
platform: windows7_x64
resource: win7v20201028
submitted: 06-03-2021 22:26
Static task: static1
Behavioral task: behavioral1 (sample 32_64_ver_1_bit.bin.exe, resource win10v20201028)
Behavioral task: behavioral2 (sample 32_64_ver_1_bit.bin.exe, resource win10v20201028)
Behavioral task: behavioral3 (sample 32_64_ver_1_bit.bin.exe, resource win10v20201028)
Behavioral task: behavioral4 (sample 32_64_ver_1_bit.bin.exe, resource win10v20201028)
Behavioral task: behavioral5 (sample 32_64_ver_1_bit.bin.exe, resource win7v20201028)
General
Target: 32_64_ver_1_bit.bin.exe
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid    process
  836    Per.com
  1364   Per.com
Loads dropped DLL (2 IoCs)
Processes:
  pid    process
  1980   cmd.exe
  836    Per.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                                   process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Per.com
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Per.com
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
  description                        pid    process                   target process
  PID 532 wrote to memory of 1988    532    32_64_ver_1_bit.bin.exe   cmd.exe
  PID 532 wrote to memory of 1988    532    32_64_ver_1_bit.bin.exe   cmd.exe
  PID 532 wrote to memory of 1988    532    32_64_ver_1_bit.bin.exe   cmd.exe
  PID 532 wrote to memory of 1988    532    32_64_ver_1_bit.bin.exe   cmd.exe
  PID 532 wrote to memory of 1172    532    32_64_ver_1_bit.bin.exe   cmd.exe
  PID 532 wrote to memory of 1172    532    32_64_ver_1_bit.bin.exe   cmd.exe
  PID 532 wrote to memory of 1172    532    32_64_ver_1_bit.bin.exe   cmd.exe
  PID 532 wrote to memory of 1172    532    32_64_ver_1_bit.bin.exe   cmd.exe
  PID 1172 wrote to memory of 1980   1172   cmd.exe                   cmd.exe
  PID 1172 wrote to memory of 1980   1172   cmd.exe                   cmd.exe
  PID 1172 wrote to memory of 1980   1172   cmd.exe                   cmd.exe
  PID 1172 wrote to memory of 1980   1172   cmd.exe                   cmd.exe
  PID 1980 wrote to memory of 1796   1980   cmd.exe                   findstr.exe
  PID 1980 wrote to memory of 1796   1980   cmd.exe                   findstr.exe
  PID 1980 wrote to memory of 1796   1980   cmd.exe                   findstr.exe
  PID 1980 wrote to memory of 1796   1980   cmd.exe                   findstr.exe
  PID 1980 wrote to memory of 836    1980   cmd.exe                   Per.com
  PID 1980 wrote to memory of 836    1980   cmd.exe                   Per.com
  PID 1980 wrote to memory of 836    1980   cmd.exe                   Per.com
  PID 1980 wrote to memory of 836    1980   cmd.exe                   Per.com
  PID 1980 wrote to memory of 1512   1980   cmd.exe                   PING.EXE
  PID 1980 wrote to memory of 1512   1980   cmd.exe                   PING.EXE
  PID 1980 wrote to memory of 1512   1980   cmd.exe                   PING.EXE
  PID 1980 wrote to memory of 1512   1980   cmd.exe                   PING.EXE
  PID 836 wrote to memory of 1364    836    Per.com                   Per.com
  PID 836 wrote to memory of 1364    836    Per.com                   Per.com
  PID 836 wrote to memory of 1364    836    Per.com                   Per.com
  PID 836 wrote to memory of 1364    836    Per.com                   Per.com
Processes
C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\32_64_ver_1_bit.bin.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo TvlxhcPW
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c cmd < Scala.bin
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^UGUAzyVeUFVxwuQQxYTPPZLPHuxnJTHKMwKfMXhbVWVfsonCYVpiYXeUUtSjKbzqXlIZcAtvLcUTrvbmISmOKmLPZPcIywNbDVsiAnubQMvDepRbGzESXEdbnTqGyvdKIvdoydYpLwX$" Infine.xltm
      C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
        command line: Per.com Svelto.accdr
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
          command line: C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com Svelto.accdr
          - Executes dropped EXE
          - Checks processor information in registry
      C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 30
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Infine.xltm
  MD5    e92c98933cb8a69f4270762f59f72f8d
  SHA1   bbd1cd46209a4c42c5de13ac32c46ec2818b4eb0
  SHA256 ca6f3d6fdc14ea694a2a010c8f2596cb9b99251d5e4ccd85386be58d39309bba
  SHA512 1893cf45da05f56ed2f627d61189e4bd9fc179512b9d6fe315c3967b083447fb46775846c1cfe8d38bff4a2326f2323f7b757a2389dd04162d7ebf1181ba1c3a
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
  MD5    78ba0653a340bac5ff152b21a83626cc
  SHA1   b12da9cb5d024555405040e65ad89d16ae749502
  SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Saluta.potm
  MD5    94957cd5084b8a109eb5bc6b9889dc70
  SHA1   bbaae28333a3871ce9aed0d0463cdd738624a9cd
  SHA256 9855686bf0c7ad2d5cb8828ff2a4feae9a6d4bc6c21be391e51b96ab942aa08d
  SHA512 13344363c786e454046923285eb889399afd26ad1e74f8a762062fc8c400f7f05a04e1bc593e08850d9226bca9ea67453065e9f12ae83acfd4cd6dc6a8126d07
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Scala.bin
  MD5    45c3b50fd2d0a49dbc60cd84e7625234
  SHA1   3e95f809cd6cfa8c1dfe1ed8b3a61038d579e04c
  SHA256 e9d23eea77b153d824699bcd00dde8ad297e97bb17b8ea4eccc23c4d5717f804
  SHA512 87acd56e8a981ebfe49abe0eb4e4b9ed5768cb7fea080b65428e5dca9cbe5faaffad87aa5a24c74fd30a28be7ebf30f7f098c34e1ba99aa475269d9f88baf195
C:\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Svelto.accdr
  MD5    7e6ab0703aa2bc01af332f11553bd583
  SHA1   b5bf5e9f2467b4fd2ec4511a6f7856a3a0565182
  SHA256 e1ab0437119b2b4e51f7cb068ee3a15ccc81b8aa00ea39f9e24b420859fab05a
  SHA512 6313f5daf8559cad6734cd80d9be17d8c99608ac8e9086b51883f31b1d0d883c16c96cd120ba8c39afbe55fc7136d042b6452607114c8d6e4587020bddaa4c8f
\Users\Admin\AppData\Local\Temp\txqlmFzQCVUvfENdcRr\Per.com
  MD5    78ba0653a340bac5ff152b21a83626cc
  SHA1   b12da9cb5d024555405040e65ad89d16ae749502
  SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
memory/532-2-0x0000000075C61000-0x0000000075C63000-memory.dmp (filesize 8KB)
memory/836-10-0x0000000000000000-mapping.dmp
memory/1172-4-0x0000000000000000-mapping.dmp
memory/1364-17-0x0000000000000000-mapping.dmp
memory/1364-21-0x0000000000150000-0x0000000000151000-memory.dmp (filesize 4KB)
memory/1512-12-0x0000000000000000-mapping.dmp
memory/1796-7-0x0000000000000000-mapping.dmp
memory/1980-6-0x0000000000000000-mapping.dmp
memory/1988-3-0x0000000000000000-mapping.dmp