Analysis
  Max time kernel:  51s
  Max time network: 54s
  Platform:         windows10_x64
  Resource:         win10v20210410
  Submitted:        23-04-2021 21:00

Tasks
  Static task:     static1
  Behavioral task: behavioral1 (sample: setup_x86_x64_install.exe, resource: win10v20210410)
  Behavioral task: behavioral2 (sample: setup_x86_x64_install.exe, resource: win10v20210410)
General
  Target: setup_x86_x64_install.exe
  Size:   1.8MB
  MD5:    2c121f456cbbde3437f0944ed2436991
  SHA1:   6ad7e5cd87e0456e0076a41c21feb1147c7dd6eb
  SHA256: 04e341fb5750ca5588ad1340c2a2348a1a128a4a368ab13ad9628f2f49a20298
  SHA512: 10163af59e96e81fa89c9b9b0b63a4eb157a2f921b18d1d9dbcd989f2dea71e8f72fb88710f2e419059a0c1e2c536b326f1f74f61727ed86e8f980c087eaeeb2
Malware Config
Signatures
  - Executes dropped EXE (2 IoCs)
    Processes:
      PID 3120  Veduto.exe.com
      PID 3772  Veduto.exe.com
  - Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    (Generic heuristic: drive enumeration is also routine for installers and script interpreters, and no other signature in this report, such as mass file modification, supports a ransomware verdict. Treat it as low-confidence on its own.)
  - Runs ping.exe (1 TTP, 1 IoC)
  - Suspicious use of WriteProcessMemory (21 IoCs)
    Processes (each parent/child pair was reported three times, 21 events in total):
      PID 744   setup_x86_x64_install.exe  wrote to memory of  PID 2436  makecab.exe
      PID 744   setup_x86_x64_install.exe  wrote to memory of  PID 3024  cmd.exe
      PID 3024  cmd.exe                    wrote to memory of  PID 3004  cmd.exe
      PID 3004  cmd.exe                    wrote to memory of  PID 2712  findstr.exe
      PID 3004  cmd.exe                    wrote to memory of  PID 3120  Veduto.exe.com
      PID 3120  Veduto.exe.com             wrote to memory of  PID 3772  Veduto.exe.com
      PID 3004  cmd.exe                    wrote to memory of  PID 2316  PING.EXE
Processes
(Depth in the tree is given in brackets. Where the image path is C:\Windows\SysWOW64\ but the command line names C:\Windows\System32\, the 32-bit parent was subject to WoW64 file-system redirection.)

  [1] C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\makecab.exe
        Command line: "C:\Windows\System32\makecab.exe"

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c VgeEcskWyysFZEbiuWvsIHufJAPMnSFBgvnDpUlFK & VWhZngjxsEsmygiNVUBnnhmPdCuUYkLQHSLlwJeBmt & qlPdpccZdrkaHvbIVoacuTARhCXLkR & ZxNnFBkWnC & cMvArODwiziIziJXrHn & OnrjXUYSiJkTTTnOcNnpolKHRMzdVDofZSbWJ & cmd < Com.ini
        - Suspicious use of WriteProcessMemory
        (The random tokens before "cmd < Com.ini" are not existing commands; they fail and the chain continues at the stdin-redirected cmd, which reads its script from Com.ini.)

      [3] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^awduMJhRCravVikDeASpDMPzXgGdCQWgSNHYZTWRlvNYxDnQBhlwQPAGkXobrXfLutDoAhDoEwZuYRYxPPOg$" Uso.ini
            (/V prints every line of Uso.ini that does not match the anchored random token, i.e. the whole file; the destination of that output is inside the Com.ini script and is not visible in this command line.)

        [4] C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Veduto.exe.com
            Command line: Veduto.exe.com O
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

          [5] C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Veduto.exe.com
              Command line: C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Veduto.exe.com O
              - Executes dropped EXE

        [4] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 30
            - Runs ping.exe
            (30 echo requests to loopback at one per second: a roughly 30-second delay with no network activity.)
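The launcher chain above (cmd fed a script from Com.ini through a stdin redirect, findstr /V /R with an unmatchable random anchor used to copy Uso.ini, a double-extension Veduto.exe.com launched from AppData\Roaming, and ping 127.0.0.1 -n 30 as a delay) is recognisable from process-creation telemetry alone. The following is an added detection example; it is not part of this report and not any sandbox vendor's code. It runs one rule per observed technique over process records constructed from the tree above (same PIDs, images and command lines) and correlates hits by root process so that a lone loopback ping does not alert by itself. The record fields pid/ppid/image/cmdline, the rule identifiers, the 10-second delay threshold and the benign sample events are all assumptions of the example, not a particular EDR schema.

```python
"""Rule-based detection of the dropper chain in the process tree above.

Added example, not part of this sandbox report. SAMPLE_EVENTS is constructed from
the report's process tree (same PIDs, images and command lines); BENIGN_EVENTS is
invented. The field names pid/ppid/image/cmdline are assumed, not an EDR schema.
"""
import re
from collections import defaultdict

ROAMING_DIR = (r"C:\Users\Admin\AppData\Roaming"
               r"\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx")

# Constructed from the report's process tree.
SAMPLE_EVENTS = [
    {"pid": 744, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"'},
    {"pid": 2436, "ppid": 744, "image": r"C:\Windows\SysWOW64\makecab.exe",
     "cmdline": r'"C:\Windows\System32\makecab.exe"'},
    {"pid": 3024, "ppid": 744, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c VgeEcskWyysFZEbiuWvsIHufJAPMnSFBgvnDpUlFK '
                r'& VWhZngjxsEsmygiNVUBnnhmPdCuUYkLQHSLlwJeBmt & qlPdpccZdrkaHvbIVoacuTARhCXLkR '
                r'& ZxNnFBkWnC & cMvArODwiziIziJXrHn & OnrjXUYSiJkTTTnOcNnpolKHRMzdVDofZSbWJ & cmd < Com.ini'},
    {"pid": 3004, "ppid": 3024, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd"},
    {"pid": 2712, "ppid": 3004, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": r'findstr /V /R "^awduMJhRCravVikDeASpDMPzXgGdCQWgSNHYZTWRlvNYxDnQBhlwQPAGkXobrXfLutDoAhDoEwZuYRYxPPOg$" Uso.ini'},
    {"pid": 3120, "ppid": 3004, "image": ROAMING_DIR + r"\Veduto.exe.com", "cmdline": "Veduto.exe.com O"},
    {"pid": 3772, "ppid": 3120, "image": ROAMING_DIR + r"\Veduto.exe.com",
     "cmdline": ROAMING_DIR + r"\Veduto.exe.com O"},
    {"pid": 2316, "ppid": 3004, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1 -n 30"},
]

# Invented benign activity, to check that the rules stay quiet on ordinary use.
BENIGN_EVENTS = [
    {"pid": 100, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c dir C:\logs"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": r'findstr /I "error" C:\logs\app.log'},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 10.0.0.1 -n 2"},
]

# cmd reading its script from a renamed file via stdin ("cmd < Com.ini").
STDIN_INI = re.compile(r"<\s*\S+\.ini\b", re.IGNORECASE)
# findstr /V /R "^<long random token>$" <file> prints every line of <file> that is
# not exactly the token, so it copies the file instead of searching it.
FINDSTR_COPY = re.compile(r'findstr\s+/V\s+/R\s+"\^[A-Za-z0-9]{20,}\$"', re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.exe\.com$", re.IGNORECASE)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
# ping 127.0.0.1 -n N sends one echo per second, so N is a sleep in seconds.
LOOPBACK_PING = re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.IGNORECASE)
MIN_DELAY_SECONDS = 10  # assumed threshold below which a loopback ping is ignored


def scan(events):
    """Return {pid: [(rule_id, description), ...]} for every event that matches a rule."""
    hits = defaultdict(list)
    for ev in events:
        cmd, image = ev["cmdline"], ev["image"]
        base = image.rsplit("\\", 1)[-1].lower()
        if base == "cmd.exe" and STDIN_INI.search(cmd):
            hits[ev["pid"]].append(("stdin_ini", "cmd script supplied from an .ini file via stdin redirect"))
        if base == "findstr.exe" and FINDSTR_COPY.search(cmd):
            hits[ev["pid"]].append(("findstr_copy", "findstr /V /R with an unmatchable random anchor (file copy, not a search)"))
        if DOUBLE_EXT.search(image) and ROAMING.search(image):
            hits[ev["pid"]].append(("double_ext_roaming", "double-extension .exe.com executed from AppData\\Roaming"))
        m = LOOPBACK_PING.search(cmd)
        if m and int(m.group(1)) >= MIN_DELAY_SECONDS:
            hits[ev["pid"]].append(("loopback_delay", f"ping 127.0.0.1 -n {m.group(1)} used as a {m.group(1)}-second delay"))
    return dict(hits)


def root_of(events):
    """Map each pid to its topmost ancestor present in the event set."""
    parent = {ev["pid"]: ev["ppid"] for ev in events}
    roots = {}
    for pid in parent:
        cur = pid
        while parent.get(cur) in parent:
            cur = parent[cur]
        roots[pid] = cur
    return roots


def correlate(events, min_rules=3):
    """Group hits by root process; report roots whose tree fires at least min_rules distinct rules."""
    per_pid = scan(events)
    roots = root_of(events)
    rules_by_root = defaultdict(set)
    for pid, findings in per_pid.items():
        rules_by_root[roots[pid]].update(rule for rule, _ in findings)
    return {root: sorted(rules) for root, rules in rules_by_root.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for pid, findings in sorted(scan(SAMPLE_EVENTS).items()):
        for rule, text in findings:
            print(f"PID {pid}: [{rule}] {text}")
    print("alert on root PIDs:", correlate(SAMPLE_EVENTS))
```

Run as-is, the scan flags PIDs 3024, 2712, 3120, 3772 and 2316 and correlate() raises one alert on root PID 744 with all four rules; the benign records produce nothing. Two things the report leaves open, and the rules therefore do not depend on: where findstr's output goes (any redirect sits inside the Com.ini script, not in the captured command line), and what Veduto.exe.com does with its argument O, a dropped file whose hashes match Mise.ini.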
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (files dropped during the run)
All files below were written to C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\

  Chi.ini
    MD5:    13bfbff35f4ccbb4bc1fb43e3c5f44b9
    SHA1:   d62b762ca0d4f94e75e91bda9428197104a3d9eb
    SHA256: 4de655fe47fb41e9555e0cd112493d2b36ff16fb9c5dd1626557f056e6fdfacb
    SHA512: cab97599659df81968478f06b3b851946c22120ef148e094572137dce3cac15cdfaca4d93180bf588ebd4770706fa02a972d2a95fb31c257a62abe985ffb5847

  Com.ini (the script read by "cmd < Com.ini")
    MD5:    18ca267a917fceda3717c27853bc48de
    SHA1:   6c59b7af0da25261ac24c12f2a0a2249b0e26127
    SHA256: e83ba35b8914e4d3d3fa777661f69f1c6b29e6da7a8b41a4044aed96ccebf50c
    SHA512: e686eafce5e3cd7849ea5285bb6ceaa5b660950252cf8b2ad6a9377371f28e1e85141cd204f54139c795f05730efcdea0ed8d8e96253917a204f8fc4b7a64939

  Mise.ini
    MD5:    0ca081e6a691e3540cb55d10bc327598
    SHA1:   8ff1a511ae573978780194c13c69f5fb82b78b64
    SHA256: dc7acb5ced5a72331f0952e8453521f65c844dc4ccee2a8bff2635576ea927bc
    SHA512: 9d43a9b57fe956b10660edaa2e32978abf600823bf4a2178a14a50a789b7a0a2337499bd1dbf9db09840266a1a18be8a1cbd8bed44487287b6006494f4f8acd7

  O (byte-identical to Mise.ini; this is the argument passed to Veduto.exe.com)
    MD5:    0ca081e6a691e3540cb55d10bc327598
    SHA1:   8ff1a511ae573978780194c13c69f5fb82b78b64
    SHA256: dc7acb5ced5a72331f0952e8453521f65c844dc4ccee2a8bff2635576ea927bc
    SHA512: 9d43a9b57fe956b10660edaa2e32978abf600823bf4a2178a14a50a789b7a0a2337499bd1dbf9db09840266a1a18be8a1cbd8bed44487287b6006494f4f8acd7

  Uso.ini (the input file of the findstr /V /R command)
    MD5:    e1d07a4721de5314d4c5b15354180efd
    SHA1:   9998661ef169208654dd79fa8597318077fa473b
    SHA256: aeff5b89aafdef5d0764b0d7497e618e670188d33e9fca5b61c63f1d01814093
    SHA512: b9d98af17b2cc54753e7f185cd2a3bb0de7bc98bfcfa047d53e79cbb85dd963aace115baee80273922b4fe46db143f6df4a3a3fff6731ede7e3422bb2c8cca9c

  Veduto.exe.com (executed as PID 3120 and PID 3772; listed twice in the original report with identical hashes)
    MD5:    78ba0653a340bac5ff152b21a83626cc
    SHA1:   b12da9cb5d024555405040e65ad89d16ae749502
    SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
    SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
Memory dumps
  memory/2316-127-0x0000000000000000-mapping.dmp
  memory/2436-114-0x0000000000000000-mapping.dmp
  memory/2712-118-0x0000000000000000-mapping.dmp
  memory/3004-117-0x0000000000000000-mapping.dmp
  memory/3024-115-0x0000000000000000-mapping.dmp
  memory/3120-121-0x0000000000000000-mapping.dmp
  memory/3772-124-0x0000000000000000-mapping.dmp
  memory/3772-128-0x0000000001720000-0x0000000001721000-memory.dmp (file size: 4KB)