f0bb317cdd6963c218b63c88388d6a487707ad0be26321ece91c5bddc6ff9c62

General

Target

setup_x86_x64_install.exe
Size

1.8MB
MD5

2c121f456cbbde3437f0944ed2436991
SHA1

6ad7e5cd87e0456e0076a41c21feb1147c7dd6eb
SHA256

04e341fb5750ca5588ad1340c2a2348a1a128a4a368ab13ad9628f2f49a20298
SHA512

10163af59e96e81fa89c9b9b0b63a4eb157a2f921b18d1d9dbcd989f2dea71e8f72fb88710f2e419059a0c1e2c536b326f1f74f61727ed86e8f980c087eaeeb2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Veduto.exe.comVeduto.exe.com

pid process

3120 Veduto.exe.com
3772 Veduto.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2316 PING.EXE

pid	process
3120	Veduto.exe.com
3772	Veduto.exe.com

pid	process
2316	PING.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

setup_x86_x64_install.execmd.execmd.exeVeduto.exe.com

description	pid	process	target process
PID 744 wrote to memory of 2436	744	setup_x86_x64_install.exe	makecab.exe
PID 744 wrote to memory of 2436	744	setup_x86_x64_install.exe	makecab.exe
PID 744 wrote to memory of 2436	744	setup_x86_x64_install.exe	makecab.exe
PID 744 wrote to memory of 3024	744	setup_x86_x64_install.exe	cmd.exe
PID 744 wrote to memory of 3024	744	setup_x86_x64_install.exe	cmd.exe
PID 744 wrote to memory of 3024	744	setup_x86_x64_install.exe	cmd.exe
PID 3024 wrote to memory of 3004	3024	cmd.exe	cmd.exe
PID 3024 wrote to memory of 3004	3024	cmd.exe	cmd.exe
PID 3024 wrote to memory of 3004	3024	cmd.exe	cmd.exe
PID 3004 wrote to memory of 2712	3004	cmd.exe	findstr.exe
PID 3004 wrote to memory of 2712	3004	cmd.exe	findstr.exe
PID 3004 wrote to memory of 2712	3004	cmd.exe	findstr.exe
PID 3004 wrote to memory of 3120	3004	cmd.exe	Veduto.exe.com
PID 3004 wrote to memory of 3120	3004	cmd.exe	Veduto.exe.com
PID 3004 wrote to memory of 3120	3004	cmd.exe	Veduto.exe.com
PID 3120 wrote to memory of 3772	3120	Veduto.exe.com	Veduto.exe.com
PID 3120 wrote to memory of 3772	3120	Veduto.exe.com	Veduto.exe.com
PID 3120 wrote to memory of 3772	3120	Veduto.exe.com	Veduto.exe.com
PID 3004 wrote to memory of 2316	3004	cmd.exe	PING.EXE
PID 3004 wrote to memory of 2316	3004	cmd.exe	PING.EXE
PID 3004 wrote to memory of 2316	3004	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\makecab.exe
"C:\Windows\System32\makecab.exe"
2⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c VgeEcskWyysFZEbiuWvsIHufJAPMnSFBgvnDpUlFK & VWhZngjxsEsmygiNVUBnnhmPdCuUYkLQHSLlwJeBmt & qlPdpccZdrkaHvbIVoacuTARhCXLkR & ZxNnFBkWnC & cMvArODwiziIziJXrHn & OnrjXUYSiJkTTTnOcNnpolKHRMzdVDofZSbWJ & cmd < Com.ini
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^awduMJhRCravVikDeASpDMPzXgGdCQWgSNHYZTWRlvNYxDnQBhlwQPAGkXobrXfLutDoAhDoEwZuYRYxPPOg$" Uso.ini
4⤵
PID:2712

C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Veduto.exe.com
Veduto.exe.com O
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Veduto.exe.com
C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Veduto.exe.com O
5⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Chi.ini
MD5
13bfbff35f4ccbb4bc1fb43e3c5f44b9

SHA1
d62b762ca0d4f94e75e91bda9428197104a3d9eb

SHA256
4de655fe47fb41e9555e0cd112493d2b36ff16fb9c5dd1626557f056e6fdfacb

SHA512
cab97599659df81968478f06b3b851946c22120ef148e094572137dce3cac15cdfaca4d93180bf588ebd4770706fa02a972d2a95fb31c257a62abe985ffb5847

Download Submit
C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Com.ini
MD5
18ca267a917fceda3717c27853bc48de

SHA1
6c59b7af0da25261ac24c12f2a0a2249b0e26127

SHA256
e83ba35b8914e4d3d3fa777661f69f1c6b29e6da7a8b41a4044aed96ccebf50c

SHA512
e686eafce5e3cd7849ea5285bb6ceaa5b660950252cf8b2ad6a9377371f28e1e85141cd204f54139c795f05730efcdea0ed8d8e96253917a204f8fc4b7a64939

Download Submit
C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Mise.ini
MD5
0ca081e6a691e3540cb55d10bc327598

SHA1
8ff1a511ae573978780194c13c69f5fb82b78b64

SHA256
dc7acb5ced5a72331f0952e8453521f65c844dc4ccee2a8bff2635576ea927bc

SHA512
9d43a9b57fe956b10660edaa2e32978abf600823bf4a2178a14a50a789b7a0a2337499bd1dbf9db09840266a1a18be8a1cbd8bed44487287b6006494f4f8acd7

Download Submit
C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\O
MD5
0ca081e6a691e3540cb55d10bc327598

SHA1
8ff1a511ae573978780194c13c69f5fb82b78b64

SHA256
dc7acb5ced5a72331f0952e8453521f65c844dc4ccee2a8bff2635576ea927bc

SHA512
9d43a9b57fe956b10660edaa2e32978abf600823bf4a2178a14a50a789b7a0a2337499bd1dbf9db09840266a1a18be8a1cbd8bed44487287b6006494f4f8acd7

Download Submit
C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Uso.ini
MD5
e1d07a4721de5314d4c5b15354180efd

SHA1
9998661ef169208654dd79fa8597318077fa473b

SHA256
aeff5b89aafdef5d0764b0d7497e618e670188d33e9fca5b61c63f1d01814093

SHA512
b9d98af17b2cc54753e7f185cd2a3bb0de7bc98bfcfa047d53e79cbb85dd963aace115baee80273922b4fe46db143f6df4a3a3fff6731ede7e3422bb2c8cca9c

Download Submit
C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Veduto.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\CpPLTbihOAJVCdofBEOcxkBHWDBWTqvByllfzvdhmDXTHqwRiKdTihPdHoPdVkx\Veduto.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/2316-127-0x0000000000000000-mapping.dmp

Download
memory/2436-114-0x0000000000000000-mapping.dmp

Download
memory/2712-118-0x0000000000000000-mapping.dmp

Download
memory/3004-117-0x0000000000000000-mapping.dmp

Download
memory/3024-115-0x0000000000000000-mapping.dmp

Download
memory/3120-121-0x0000000000000000-mapping.dmp

Download
memory/3772-124-0x0000000000000000-mapping.dmp

Download
memory/3772-128-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing