fa9417dffed167125c55c295823bdd37d79f3463ef20b452b4f29a6e2189403c

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7v20210410
submitted
15-05-2021 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

1.9MB
MD5

bd76ec72ff890207a686de77d3c09d02
SHA1

0595c3c2ec5ee2325b7d30723a25367f9efb88fa
SHA256

fa9417dffed167125c55c295823bdd37d79f3463ef20b452b4f29a6e2189403c
SHA512

a4883a59c37547d8d8dd3f0b397c43403bdba440ebdd8db99d47d417a8598f91f2d53526dba4ab221ffbd5267d2c60e5c35eb23e01312e340141effc513b16aa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Implorando.exe.comImplorando.exe.com

pid process

1692 Implorando.exe.com
1192 Implorando.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeImplorando.exe.com

pid process

1744 cmd.exe
1692 Implorando.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1692	Implorando.exe.com
1192	Implorando.exe.com

pid	process
1744	cmd.exe
1692	Implorando.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Implorando.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Implorando.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Implorando.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1396 PING.EXE

pid	process
1396	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1.execmd.execmd.exeImplorando.exe.com

description	pid	process	target process
PID 1272 wrote to memory of 1936	1272	1.exe	cmd.exe
PID 1272 wrote to memory of 1936	1272	1.exe	cmd.exe
PID 1272 wrote to memory of 1936	1272	1.exe	cmd.exe
PID 1272 wrote to memory of 1936	1272	1.exe	cmd.exe
PID 1936 wrote to memory of 1744	1936	cmd.exe	cmd.exe
PID 1936 wrote to memory of 1744	1936	cmd.exe	cmd.exe
PID 1936 wrote to memory of 1744	1936	cmd.exe	cmd.exe
PID 1936 wrote to memory of 1744	1936	cmd.exe	cmd.exe
PID 1744 wrote to memory of 1776	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1776	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1776	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1776	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1692	1744	cmd.exe	Implorando.exe.com
PID 1744 wrote to memory of 1692	1744	cmd.exe	Implorando.exe.com
PID 1744 wrote to memory of 1692	1744	cmd.exe	Implorando.exe.com
PID 1744 wrote to memory of 1692	1744	cmd.exe	Implorando.exe.com
PID 1744 wrote to memory of 1396	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 1396	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 1396	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 1396	1744	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1192	1692	Implorando.exe.com	Implorando.exe.com
PID 1692 wrote to memory of 1192	1692	Implorando.exe.com	Implorando.exe.com
PID 1692 wrote to memory of 1192	1692	Implorando.exe.com	Implorando.exe.com
PID 1692 wrote to memory of 1192	1692	Implorando.exe.com	Implorando.exe.com

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Gurge.pps
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^VXCrSREhCmhELCYmOnwTGxvthdbPGaAqdekXEfbitrZxhmGTJzdyvciAAnPCzPGpYhgJdqVnwTOCceQNJDyjecEVVLbuAUNgvPcZkXDInRtCGEtnHwSQJxiDIaOEDPYuuAyFH$" Volli.pps
      4⤵
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com
      Implorando.exe.com H
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com H
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:1192
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gurge.pps

MD5
6c49a347c3f76cb31ba9e66f0bc00dd0

SHA1
3c7eb04a195893d56fd7f1d958ba7e2841dc512d

SHA256
ca9255890d87b2b5c6f53d8ebda60f8570b481b9168d4efd40e3fa7f09ba04d1

SHA512
e3a6ead720a5f5e3fe41d988d5c660a59ae494abc05e72ef86cfae19a83923636b08e3ac57b6f533e3636e099b34db833f9df576365d4612ee15b12ea1fe9f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\H

MD5
6296cf9b71e3782b28565cc116be00b6

SHA1
8524c4be6dbfa043a5941b8b7710387a6bb7a873

SHA256
cf3f5e2565e11a4ae7c402e7c504bed48927eb784da6e4a393646d7fe9f027c0

SHA512
3c9d23c4ed234c4176b947bfa0d42ebdbf1af4dd7fdd91ff7ca221625ad2f2f496ed42d3411a457914d54884b9a7fff964d82d2d3ecac2889f1e4a79441627dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Piramide.pps

MD5
d83ebf35f798ab04f3bdc4a58d60e4e3

SHA1
361be77280a2426ebf3576dae17639849cb1193d

SHA256
8583eedad66c753f1fdc9b7775d6cb053862c89683d8818f608d3eafeba6d333

SHA512
44f045e8fed86ff6fa0d09a7475f00f1a54ba05bc8f5f00a987be3941520ef5687487f9b2e516869345cdb830f4ac2e773ee43672ac1977392a75f8a07f2d403

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sia.pps

MD5
6296cf9b71e3782b28565cc116be00b6

SHA1
8524c4be6dbfa043a5941b8b7710387a6bb7a873

SHA256
cf3f5e2565e11a4ae7c402e7c504bed48927eb784da6e4a393646d7fe9f027c0

SHA512
3c9d23c4ed234c4176b947bfa0d42ebdbf1af4dd7fdd91ff7ca221625ad2f2f496ed42d3411a457914d54884b9a7fff964d82d2d3ecac2889f1e4a79441627dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volli.pps

MD5
1b51bf28c183674e5f0623a2bd7e2d97

SHA1
a0e693092b2d6ae435004d4dbe09540dfd80575c

SHA256
48c5e1503edc656f6491a37bb2a93fbc8b0655d515c7aae903773d68e5ee6cca

SHA512
ec039e08ee64c39ea1e6aa436546f5920f4210864a1e2ab4111e7276b75d179bcb4d0fd625d030f08b34aac435e642827a06429d3f4c89d4a151842e5faf6aa0

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/1192-74-0x0000000000000000-mapping.dmp

Download
memory/1192-78-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1272-59-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1396-69-0x0000000000000000-mapping.dmp

Download
memory/1692-67-0x0000000000000000-mapping.dmp

Download
memory/1744-62-0x0000000000000000-mapping.dmp

Download
memory/1776-63-0x0000000000000000-mapping.dmp

Download
memory/1936-60-0x0000000000000000-mapping.dmp

Download