Analysis
  max time kernel: 94s
  max time network: 9s
  platform: windows7_x64
  resource: win7v20210410
  submitted: 14/05/2021, 21:03

Static task: static1
Behavioral task: behavioral1
  Sample: 66D7C25E25D943FF9972AD4E2821A586.exe
  Resource: win7v20210410
  0 signatures
  0 seconds
General
  Target: 66D7C25E25D943FF9972AD4E2821A586.exe
  Size: 1.9MB
  MD5: 66d7c25e25d943ff9972ad4e2821a586
  SHA1: 1c2f71afa6f6e13dd5939f4cad875aad33902627
  SHA256: 41f2e8b68fe406f818f0ab48067d967cc0a3430a9ddb97a191b3fca163b756ab
  SHA512: 18d40773115c4bf9a80c1b91c04b0a58eeb69f8c9b25da68dcfcb92e3d532ba09d2aa6a278d6e0891e19e3e572ba1c77efe422189bd9b752ce770609904ac76f
  Score: 8/10
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  428   Ove.exe.com
  1060  Ove.exe.com

Loads dropped DLL (2 IoCs)
  pid   Process
  848   cmd.exe
  428   Ove.exe.com

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     Ove.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Ove.exe.com

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  1460  PING.EXE

Suspicious use of WriteProcessMemory (48 IoCs)
  Each row below was reported four times (identical description, pid, Process and procid_target), 12 distinct rows x 4 = 48 IoCs.
  description                         pid   Process                                procid_target  occurrences
  PID 1100 wrote to memory of 1948    1100  66D7C25E25D943FF9972AD4E2821A586.exe   26             4
  PID 1100 wrote to memory of 1924    1100  66D7C25E25D943FF9972AD4E2821A586.exe   28             4
  PID 1100 wrote to memory of 1736    1100  66D7C25E25D943FF9972AD4E2821A586.exe   30             4
  PID 1100 wrote to memory of 1704    1100  66D7C25E25D943FF9972AD4E2821A586.exe   32             4
  PID 1100 wrote to memory of 1528    1100  66D7C25E25D943FF9972AD4E2821A586.exe   34             4
  PID 1100 wrote to memory of 832     1100  66D7C25E25D943FF9972AD4E2821A586.exe   36             4
  PID 1100 wrote to memory of 1636    1100  66D7C25E25D943FF9972AD4E2821A586.exe   38             4
  PID 1636 wrote to memory of 848     1636  cmd.exe                                40             4
  PID 848 wrote to memory of 644      848   cmd.exe                                41             4
  PID 848 wrote to memory of 428      848   cmd.exe                                43             4
  PID 848 wrote to memory of 1460     848   cmd.exe                                42             4
  PID 428 wrote to memory of 1060     428   Ove.exe.com                            44             4
Processes
(process tree; indentation shows parent/child depth as reported by the sandbox)

[depth 1] C:\Users\Admin\AppData\Local\Temp\66D7C25E25D943FF9972AD4E2821A586.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\66D7C25E25D943FF9972AD4E2821A586.exe"
  PID: 1100
  Signatures: Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c IDrlwJfYJMXmiwvMLejGiwpEbzAYBNQCCBNmtKWnUyoSIhlcKugZfCLGzmNHpdbWWxXGgWHqyOLwSsWpoyhxmQjZPuuFXggDIjVhdDuOnhTBQJNeCEmtrebuoXQoQeeRmiz
    PID: 1948

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cJSEYmWkWKpyarezPlAGPOtzNYXvleeIdiGTLUuDuklbOKPNZJefHMQGEmRZBmqUIAPkvpHUtXADEHEeplvBZMwDdZgjeuwGk
    PID: 1924

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c PhVEdQeikKjheXUPQsrmUVmkUvUcSXVTagSsuFUGnRBssrXsshdK
    PID: 1736

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c LcTNKJTWHfhOaVNyDIlvbqezoURnCrEGldGTYDvVqJRCgCYoljOEygyLamFQRczDKHEegTuZkfvNoAyFVJgfgZBW
    PID: 1704

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c UAnYGtFfgRHYVTsuOzQRaCSxZUiirgLuHRzaHwF
    PID: 1528

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c QbUJnHqQWpAGKtSaItYMWnjZuBdtmYnNNFqVIpV
    PID: 832

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rhCXAMlbIpgvnaQrwtQfFzGEIidtAfAdlUEGulyjCLneKrEtxoszjcVJHXfavyXzJYkEOlWQYEMUVDUECkJa & irPYUYpUNPbOyzMRqdlkAcHIwOrrLQkcEcBUvFUkNWlPfyPpoMBVmuvMcuXuUuoWDwpKSRxxvYnElSzVYUUYgdVnYPndINdHNgkhVyddaimBISBDNwiqklIjuLLrztMIHRQWHyqTDEGiRxP & hVCGGdvDGYipzhXhxQTRwFVHwhvG & AcMWEPbBywscjdIYQAfGzMqAYyHZVFzTPqyDxhObmLfOCcOfhJkNiZlOxjXmonGAIbFjlyDCLRiHbjXCdsMjzGMPQ & oodffqtPytQBtiyIwfSCsogxoQMxueLQvUWcjcCuCIuSMOjEuLEvWhZ & TVungKIrzZyl & KvFMLZJwvIzEihcngToUVBsfrRSZrmNJwzvfYKk & dYbjNUivhEtyWdfotdJTiJYXVKCNQyAEIUEWttCpKcLnxHNL & glHqsuGqmseazGitmbwLat & OApLYmCgWQJCVSDsNYWENmQsPExUlLqMllSAicIAXruCKrjkWyhMcmjfJSWzyHrlPWaKZepadcHKahGMsoYtnhdKYCRfngcfZVMNKCkTVVvqSBXckleWJZMBGILbkTTeqsKbBSwPWypCRdSvFctgk & FqokieQOHwwzqARmUaphqDPpJfQfRQPFQBLKgfLYYobiBbdsFyALyYnelZBRjBXRjvDnOukEHlgS & IIjZnJLftmRrJAgOTMblGVtUR & mUWtVKGWBdfSORjCoWLctGWQObRHmNDaiUlRzqEivNYYnqYFYtNiovnSXyfbSYvONXKTHcpoaEYdHYsNmjJxqcpLv & ThKugndplBdyXDVFPDnolYNCYGfeOsNYbfBVbjfAZnNQvxgumcGGjhuVA & oIogcTOsHIwqiDgYoMlWyEapCaKiLppG & frGsLeUetMGtmhrsgyzKDeDdYMeoHFnncFSmHGbKdUqSMyryHPbrPWQjAdaYZLxnh & JTcDKIIJzJeLDTIXBRocJmOFZdhnL & mBEEcpJryOxuCilOMndwlDfSbltQEzxlXPpAiYbngbMzqCWHckDOoJxWkMikyTmLxloNYKGNqRNNQWRUhbxzPFwgcjgx & jzxYwZPxpILEPOdVGufUjYInyVPpTaMcjWObaOPWeArOJPqRKaOyYmFhLWSypGARWfsTZTDSdaSLVTOdVXnBDGbMdBMcWKMcZkSxbuSRPWPFHTsRiCpjoZgfRFDbuiW & FvMKwxSPyGLHRRybpUgzAAhqXCCRDxLHqoZliHQNJxuChGnqAuhkTCuypLMmRqkLVrHISUfBtAJyxLMsrCsbumObeUqcVdVIo & GpYQiFQMiaSqKnYccfJOEcfpGXUTGNFwWZtDahxMGxsvEwlCbmUGZxQkUOplLWyzMR & KxcroUXiprSFFNaviSZwC & C:\Windows\system32\cmd < Naufrago.vssm
    PID: 1636
    Signatures: Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd
      PID: 848
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^MPJomTHJarWYKrSxnHIhGEIlXeqEtUnnpLOyyJXoCUxrBcBNOGmEhseoimkvSrFbFbPYfMgPJmLMpEIBBjPbcUkSJFYFbBdngXbrGCnesKUNGdZCQKVFhieLkWfJNIs$" Vedi.vssm
        PID: 644

      [depth 4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        PID: 1460
        Signatures: Runs ping.exe

      [depth 4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
        Command line: Ove.exe.com U
        PID: 428
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

        [depth 5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com U
          PID: 1060
          Signatures: Executes dropped EXE; Checks processor information in registry