Analysis

  Max time kernel:   118s
  Max time network:  118s
  Platform:          windows7_x64
  Resource:          win7v20210410
  Submitted:         15/05/2021, 14:36

Tasks

  Static task:       static1 (0 signatures, 0 seconds)
  Behavioral task:   behavioral1
    Sample:          1.exe
    Resource:        win7v20210410

General

  Target:   1.exe
  Size:     1.9MB
  MD5:      bd76ec72ff890207a686de77d3c09d02
  SHA1:     0595c3c2ec5ee2325b7d30723a25367f9efb88fa
  SHA256:   fa9417dffed167125c55c295823bdd37d79f3463ef20b452b4f29a6e2189403c
  SHA512:   a4883a59c37547d8d8dd3f0b397c43403bdba440ebdd8db99d47d417a8598f91f2d53526dba4ab221ffbd5267d2c60e5c35eb23e01312e340141effc513b16aa
  Score:    8/10
Malware Config

  (none listed)

Signatures

  Executes dropped EXE                          2 IoCs
    PID    Process
    1692   Implorando.exe.com
    1192   Implorando.exe.com

  Loads dropped DLL                             2 IoCs
    PID    Process
    1744   cmd.exe
    1692   Implorando.exe.com
    The report records only the loading processes, not the DLL path.

  Enumerates physical storage devices           1 TTP
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    Caveat: "likely ransomware" is the sandbox's generic description of this signature. Nothing else in this report (which records no file encryption or renaming) supports a ransomware verdict for this sample; treat the drive enumeration as an unexplained observation, not a classification.

  Checks processor information in registry      2 TTPs, 2 IoCs
    Processor information is often read in order to detect sandboxing environments.
    Description          IoC                                                                                      Process
    Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                         Implorando.exe.com
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     Implorando.exe.com

  Runs ping.exe                                 1 TTP, 1 IoC
    PID    Process
    1396   PING.EXE
    The command line (see Processes) is ping 127.0.0.1 -n 30: thirty echo requests to loopback, one per second, which is the usual batch-script substitute for a sleep of roughly 30 seconds because cmd.exe has no sleep builtin.

  Suspicious use of WriteProcessMemory          24 IoCs
    Each source/target pair below was logged four times; the table collapses the repeats into a count.
    Source PID   Process              Target PID   procid_target   Count
    1272         1.exe                1936         26              4
    1936         cmd.exe              1744         28              4
    1744         cmd.exe              1776         29              4
    1744         cmd.exe              1692         30              4
    1744         cmd.exe              1396         31              4
    1692         Implorando.exe.com   1192         32              4
    Caveat: every target is the direct child the source process has just created (compare the process tree below), and a parent writing its child's startup data during process creation is normal and is what the sandbox hooks here. These 24 events document the spawn chain; none is a write into a pre-existing, unrelated process, so they are not on their own evidence of code injection.
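Added example, not part of the sandbox report: detection logic in Python that runs over process-creation records constructed from this report's process tree and flags the four artefacts the signatures above point at (the loopback ping used as a sleep, cmd.exe reading its script from a redirected file, findstr /V /R with an anchored long literal marker, and an executable with a doubled extension running out of a 7ZipSfx.NNN directory), then ties them together into a chain verdict rooted at the cmd.exe that consumed the script. The ProcEvent shape, rule names and thresholds (ping count of at least 10, marker of at least 32 characters) are my assumptions, not the sandbox's; the sample events are constructed from the tree in this report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: PID, parent PID, image path, command line (assumed shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report; not a real Sysmon/ETW capture.
SAMPLE_EVENTS = [
    ProcEvent(1272, 0, r"C:\Users\Admin\AppData\Local\Temp\1.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'),
    ProcEvent(1936, 1272, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Gurge.pps'),
    ProcEvent(1744, 1936, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd"),
    ProcEvent(1776, 1744, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V /R "^VXCrSREhCmhELCYmOnwTGxvthdbPGaAqdekXEfbitrZxhmGTJzdyvciAAnPCzPGpYhgJdq'
              'VnwTOCceQNJDyjecEVVLbuAUNgvPcZkXDInRtCGEtnHwSQJxiDIaOEDPYuuAyFH$" Volli.pps'),
    ProcEvent(1692, 1744, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com",
              "Implorando.exe.com H"),
    ProcEvent(1192, 1692, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com",
              r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com H"),
    ProcEvent(1396, 1744, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 30"),
]

MARKER_RE = re.compile(r'"\^([A-Za-z0-9]{32,})\$"')            # anchored long literal token
PING_RE = re.compile(r"\bping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost)\s+-n\s+(\d+)", re.I)
STDIN_RE = re.compile(r"\bcmd(?:\.exe)?\s*<\s*(\S+)", re.I)     # cmd < file
DOUBLE_EXT_RE = re.compile(r"\.(?:exe|com|scr)\.(?:exe|com|scr)$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_ping_sleep(ev):
    """ping against loopback with a large -n count: a batch-file sleep (threshold of 10 is an assumption)."""
    m = PING_RE.search(ev.cmdline)
    return basename(ev.image) == "ping.exe" and m is not None and int(m.group(1)) >= 10


def rule_cmd_stdin_script(ev):
    """cmd.exe reading its script from a redirected file that is not .bat/.cmd; the script's commands never appear on a command line."""
    if basename(ev.image) != "cmd.exe":
        return False
    m = STDIN_RE.search(ev.cmdline)
    return m is not None and not m.group(1).lower().endswith((".bat", ".cmd"))


def rule_findstr_marker_strip(ev):
    """findstr /V /R with an anchored long alphanumeric token: drops every line equal to the token from the input file."""
    if basename(ev.image) != "findstr.exe":
        return False
    flags = {tok.upper() for tok in ev.cmdline.split() if tok.startswith("/")}
    return {"/V", "/R"} <= flags and MARKER_RE.search(ev.cmdline) is not None


def rule_sfx_double_extension(ev):
    """Doubled executable extension run from a 7-Zip SFX extraction directory (7ZipSfx.NNN under the temp folder)."""
    low = ev.image.lower()
    return "\\7zipsfx." in low and DOUBLE_EXT_RE.search(low) is not None


RULES = [
    ("ping_sleep", rule_ping_sleep),
    ("cmd_stdin_script", rule_cmd_stdin_script),
    ("findstr_marker_strip", rule_findstr_marker_strip),
    ("sfx_double_extension", rule_sfx_double_extension),
]


def evaluate(events):
    """Map PID -> list of rule names that fired on that process (PIDs with no hits are omitted)."""
    hits = {}
    for ev in events:
        names = [name for name, rule in RULES if rule(ev)]
        if names:
            hits[ev.pid] = names
    return hits


def dropper_chain(events, hits):
    """PIDs of stdin-script cmd.exe processes whose descendants trip both the findstr-strip and ping-sleep rules."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev.pid)

    def descendants(pid):
        out, stack = [], list(children.get(pid, []))
        while stack:
            p = stack.pop()
            out.append(p)
            stack.extend(children.get(p, []))
        return out

    return [pid for pid, names in hits.items()
            if "cmd_stdin_script" in names
            and {"findstr_marker_strip", "ping_sleep"}
            <= {n for d in descendants(pid) for n in hits.get(d, [])}]


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for pid, names in found.items():
        print(pid, names)
    print("dropper chain rooted at cmd.exe PID(s):", dropper_chain(SAMPLE_EVENTS, found))
```

The chain rule is deliberately anchored on the cmd.exe that consumed the script rather than on any single child: a loopback ping or a findstr call alone is common in benign batch files, but a stdin-fed script whose descendants both strip a marker from a file and sleep via ping is the shape of this dropper.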
Processes

  C:\Users\Admin\AppData\Local\Temp\1.exe   PID 1272
    Command line:  "C:\Users\Admin\AppData\Local\Temp\1.exe"
    Signatures:    Suspicious use of WriteProcessMemory
    Note: its children run from C:\Windows\SysWOW64 although the command lines name system32 (WOW64 file-system redirection), so 1.exe is a 32-bit process; the payload is extracted to a 7ZipSfx.000 directory, the name the 7-Zip SFX module uses for its temporary extraction folder, so 1.exe is a 7-Zip self-extracting archive.

    C:\Windows\SysWOW64\cmd.exe   PID 1936
      Command line:  "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Gurge.pps
      Signatures:    Suspicious use of WriteProcessMemory
      Note: the inner cmd reads its script from Gurge.pps through stdin, so the script's commands never appear on any command line in this tree; the .pps extension is cosmetic. Gurge.pps (from the extracted archive or the sandbox's dropped files) is the artefact to pull for the full command sequence.

      C:\Windows\SysWOW64\cmd.exe   PID 1744
        Command line:  C:\Windows\system32\cmd
        Signatures:    Loads dropped DLL; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\findstr.exe   PID 1776
          Command line:  findstr /V /R "^VXCrSREhCmhELCYmOnwTGxvthdbPGaAqdekXEfbitrZxhmGTJzdyvciAAnPCzPGpYhgJdqVnwTOCceQNJDyjecEVVLbuAUNgvPcZkXDInRtCGEtnHwSQJxiDIaOEDPYuuAyFH$" Volli.pps
          Note: prints every line of Volli.pps that is not exactly the long alphanumeric marker (/V inverts the match, /R makes the pattern a regular expression, ^ and $ anchor it to a whole line). Where the output goes is not visible here: any redirection is inside the stdin-fed script.

        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com   PID 1692
          Command line:  Implorando.exe.com H
          Signatures:    Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
          Note: doubled extension (.exe.com); the .com suffix does not stop Windows from loading a PE image. The single argument H is passed on to the child instance.

          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com   PID 1192
            Command line:  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com H
            Signatures:    Executes dropped EXE; Checks processor information in registry
            Note: re-launched by its own first instance (PID 1692) with the same argument; this second instance is the one that reads ProcessorNameString.

        C:\Windows\SysWOW64\PING.EXE   PID 1396
          Command line:  ping 127.0.0.1 -n 30
          Signatures:    Runs ping.exe
          Note: roughly 30-second delay used as a sleep (see Signatures).
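Added example, not from the report or the sample: a Python reproduction of what the findstr command in the tree above does to its input, so the filtering step can be reproduced offline on Volli.pps (or on any file carrying the same marker) without running the sample. The report shows only the findstr command, and because the script was fed to cmd.exe through stdin the redirection of findstr's output is not visible, so the code reproduces only the documented filter semantics and makes no claim about what file the output became. FAKE_PE is a constructed stand-in for a binary with embedded line breaks, interleave_marker is my stand-in for the packer side, and the assumption that findstr splits on \n, \r\n and lone \r is mine.

```python
import re

# Command line of PID 1776 from this report; the marker token is exactly as shown there.
FINDSTR_CMDLINE = (
    'findstr /V /R "^VXCrSREhCmhELCYmOnwTGxvthdbPGaAqdekXEfbitrZxhmGTJzdyvciAAnPCzPGpYhgJdq'
    'VnwTOCceQNJDyjecEVVLbuAUNgvPcZkXDInRtCGEtnHwSQJxiDIaOEDPYuuAyFH$" Volli.pps'
)

# Constructed stand-in for a binary: MZ/PE-looking bytes with \n, \r\n and a lone \r inside.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\n"
           b"\r\n"
           b"This program cannot be run in DOS mode.\r\n"
           b"PE\x00\x00L\x01\x03\x00\r"
           b"\x00\x00\x00\x00\x00\x00\xe0\x00")


def extract_marker(cmdline):
    """Return the literal token X from a findstr /V /R "^X$" command line, or None.
    Only alphanumeric tokens are accepted, so the pattern is a plain literal with no regex metacharacters."""
    m = re.search(r'"\^([A-Za-z0-9]+)\$"', cmdline)
    return m.group(1) if m else None


def findstr_v_strip(data, marker):
    """Reproduce `findstr /V /R "^marker$" file`: emit every line that is not exactly the marker.
    findstr works line by line; an anchored literal only matches whole lines, so every other byte
    (binary lines included) passes through unchanged, terminators kept. Assumes findstr treats
    \\n, \\r\\n and a lone \\r as line ends, which is what bytes.splitlines does."""
    needle = marker.encode()
    kept = [line for line in data.splitlines(keepends=True)
            if line.rstrip(b"\r\n") != needle]
    return b"".join(kept)


def interleave_marker(clean, marker, every=1):
    """Constructed packer-side stand-in: insert a marker line after every `every`-th line.
    Markers are only inserted after lines that already end in a terminator so the original bytes stay intact."""
    needle = marker.encode() + b"\r\n"
    out = []
    for i, line in enumerate(clean.splitlines(keepends=True), 1):
        out.append(line)
        if line.endswith((b"\n", b"\r")) and i % every == 0:
            out.append(needle)
    return b"".join(out)


if __name__ == "__main__":
    marker = extract_marker(FINDSTR_CMDLINE)
    junked = interleave_marker(FAKE_PE, marker)
    recovered = findstr_v_strip(junked, marker)
    print("marker length:", len(marker))
    print("junked size:", len(junked), "recovered size:", len(recovered),
          "round-trips:", recovered == FAKE_PE)
```

To use it on the real artefact, read Volli.pps as bytes from the sandbox's dropped files, call findstr_v_strip with the marker returned by extract_marker on the command line above, and hash the result; a two-byte MZ prefix on the output is the first sign that the filter produced an executable, but the report itself does not confirm that.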