Analysis

  • max time kernel
    76s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    14/05/2021, 20:21

General

  • Target

    66D7C25E25D943FF9972AD4E2821A586.exe

  • Size

    1.9MB

  • MD5

    66d7c25e25d943ff9972ad4e2821a586

  • SHA1

    1c2f71afa6f6e13dd5939f4cad875aad33902627

  • SHA256

    41f2e8b68fe406f818f0ab48067d967cc0a3430a9ddb97a191b3fca163b756ab

  • SHA512

    18d40773115c4bf9a80c1b91c04b0a58eeb69f8c9b25da68dcfcb92e3d532ba09d2aa6a278d6e0891e19e3e572ba1c77efe422189bd9b752ce770609904ac76f

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66D7C25E25D943FF9972AD4E2821A586.exe
    "C:\Users\Admin\AppData\Local\Temp\66D7C25E25D943FF9972AD4E2821A586.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c IDrlwJfYJMXmiwvMLejGiwpEbzAYBNQCCBNmtKWnUyoSIhlcKugZfCLGzmNHpdbWWxXGgWHqyOLwSsWpoyhxmQjZPuuFXggDIjVhdDuOnhTBQJNeCEmtrebuoXQoQeeRmiz
      2⤵
        PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cJSEYmWkWKpyarezPlAGPOtzNYXvleeIdiGTLUuDuklbOKPNZJefHMQGEmRZBmqUIAPkvpHUtXADEHEeplvBZMwDdZgjeuwGk
        2⤵
          PID:1908
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PhVEdQeikKjheXUPQsrmUVmkUvUcSXVTagSsuFUGnRBssrXsshdK
          2⤵
            PID:1764
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c LcTNKJTWHfhOaVNyDIlvbqezoURnCrEGldGTYDvVqJRCgCYoljOEygyLamFQRczDKHEegTuZkfvNoAyFVJgfgZBW
            2⤵
              PID:1740
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c UAnYGtFfgRHYVTsuOzQRaCSxZUiirgLuHRzaHwF
              2⤵
                PID:1148
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c QbUJnHqQWpAGKtSaItYMWnjZuBdtmYnNNFqVIpV
                2⤵
                  PID:812
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c rhCXAMlbIpgvnaQrwtQfFzGEIidtAfAdlUEGulyjCLneKrEtxoszjcVJHXfavyXzJYkEOlWQYEMUVDUECkJa & irPYUYpUNPbOyzMRqdlkAcHIwOrrLQkcEcBUvFUkNWlPfyPpoMBVmuvMcuXuUuoWDwpKSRxxvYnElSzVYUUYgdVnYPndINdHNgkhVyddaimBISBDNwiqklIjuLLrztMIHRQWHyqTDEGiRxP & hVCGGdvDGYipzhXhxQTRwFVHwhvG & AcMWEPbBywscjdIYQAfGzMqAYyHZVFzTPqyDxhObmLfOCcOfhJkNiZlOxjXmonGAIbFjlyDCLRiHbjXCdsMjzGMPQ & oodffqtPytQBtiyIwfSCsogxoQMxueLQvUWcjcCuCIuSMOjEuLEvWhZ & TVungKIrzZyl & KvFMLZJwvIzEihcngToUVBsfrRSZrmNJwzvfYKk & dYbjNUivhEtyWdfotdJTiJYXVKCNQyAEIUEWttCpKcLnxHNL & glHqsuGqmseazGitmbwLat & OApLYmCgWQJCVSDsNYWENmQsPExUlLqMllSAicIAXruCKrjkWyhMcmjfJSWzyHrlPWaKZepadcHKahGMsoYtnhdKYCRfngcfZVMNKCkTVVvqSBXckleWJZMBGILbkTTeqsKbBSwPWypCRdSvFctgk & FqokieQOHwwzqARmUaphqDPpJfQfRQPFQBLKgfLYYobiBbdsFyALyYnelZBRjBXRjvDnOukEHlgS & IIjZnJLftmRrJAgOTMblGVtUR & mUWtVKGWBdfSORjCoWLctGWQObRHmNDaiUlRzqEivNYYnqYFYtNiovnSXyfbSYvONXKTHcpoaEYdHYsNmjJxqcpLv & ThKugndplBdyXDVFPDnolYNCYGfeOsNYbfBVbjfAZnNQvxgumcGGjhuVA & oIogcTOsHIwqiDgYoMlWyEapCaKiLppG & frGsLeUetMGtmhrsgyzKDeDdYMeoHFnncFSmHGbKdUqSMyryHPbrPWQjAdaYZLxnh & JTcDKIIJzJeLDTIXBRocJmOFZdhnL & mBEEcpJryOxuCilOMndwlDfSbltQEzxlXPpAiYbngbMzqCWHckDOoJxWkMikyTmLxloNYKGNqRNNQWRUhbxzPFwgcjgx & jzxYwZPxpILEPOdVGufUjYInyVPpTaMcjWObaOPWeArOJPqRKaOyYmFhLWSypGARWfsTZTDSdaSLVTOdVXnBDGbMdBMcWKMcZkSxbuSRPWPFHTsRiCpjoZgfRFDbuiW & FvMKwxSPyGLHRRybpUgzAAhqXCCRDxLHqoZliHQNJxuChGnqAuhkTCuypLMmRqkLVrHISUfBtAJyxLMsrCsbumObeUqcVdVIo & GpYQiFQMiaSqKnYccfJOEcfpGXUTGNFwWZtDahxMGxsvEwlCbmUGZxQkUOplLWyzMR & KxcroUXiprSFFNaviSZwC & C:\Windows\system32\cmd < Naufrago.vssm
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1420
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd
                    3⤵
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:308
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /V /R "^MPJomTHJarWYKrSxnHIhGEIlXeqEtUnnpLOyyJXoCUxrBcBNOGmEhseoimkvSrFbFbPYfMgPJmLMpEIBBjPbcUkSJFYFbBdngXbrGCnesKUNGdZCQKVFhieLkWfJNIs$" Vedi.vssm
                      4⤵
                        PID:676
                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
                        Ove.exe.com U
                        4⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:852
                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com U
                          5⤵
                          • Executes dropped EXE
                          • Checks processor information in registry
                          PID:540
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1 -n 30
                        4⤵
                        • Runs ping.exe
                        PID:1540

                Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/480-60-0x00000000753E1000-0x00000000753E3000-memory.dmp

                        Filesize

                        8KB

                      • memory/540-85-0x0000000000110000-0x0000000000111000-memory.dmp

                        Filesize

                        4KB