Analysis
- Max time kernel: 34s
- Max time network: 11s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 15/05/2021, 15:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2.exe
- Resource: win7v20210410
- 0 signatures
- 0 seconds
General
- Target: 2.exe
- Size: 1.9MB
- MD5: 5fd5ef8825f390a3c7dac57659ee7079
- SHA1: 364c83ce8542086e50f4e62050a715613fcc361c
- SHA256: 9561ae1eae830aed3ade4c339faac7240320f6a01e203b5c0521a9ed09e686fd
- SHA512: fc1a6e185b4abb0ee9e9c0eafd89cce54744a4b42bfbbf14bac37ce1cc85eb75358fb0d99e83c776694862854355d64d5743e7be0966fc97dec08500840a2454
- Score: 8/10
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1856  Process Presto.exe.com
- Loads dropped DLL (1 IoC)
  pid 1728  Process cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1720  Process PING.EXE
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                         pid   Process   procid_target
  PID 2040 wrote to memory of 1980    2040  2.exe     26
  PID 2040 wrote to memory of 1980    2040  2.exe     26
  PID 2040 wrote to memory of 1980    2040  2.exe     26
  PID 2040 wrote to memory of 1980    2040  2.exe     26
  PID 1980 wrote to memory of 1728    1980  cmd.exe   28
  PID 1980 wrote to memory of 1728    1980  cmd.exe   28
  PID 1980 wrote to memory of 1728    1980  cmd.exe   28
  PID 1980 wrote to memory of 1728    1980  cmd.exe   28
  PID 1728 wrote to memory of 1752    1728  cmd.exe   29
  PID 1728 wrote to memory of 1752    1728  cmd.exe   29
  PID 1728 wrote to memory of 1752    1728  cmd.exe   29
  PID 1728 wrote to memory of 1752    1728  cmd.exe   29
  PID 1728 wrote to memory of 1856    1728  cmd.exe   30
  PID 1728 wrote to memory of 1856    1728  cmd.exe   30
  PID 1728 wrote to memory of 1856    1728  cmd.exe   30
  PID 1728 wrote to memory of 1856    1728  cmd.exe   30
  PID 1728 wrote to memory of 1720    1728  cmd.exe   31
  PID 1728 wrote to memory of 1720    1728  cmd.exe   31
  PID 1728 wrote to memory of 1720    1728  cmd.exe   31
  PID 1728 wrote to memory of 1720    1728  cmd.exe   31
Processes
(process tree; depth shown by indentation, parent/child relationship from the WriteProcessMemory events above)
- C:\Users\Admin\AppData\Local\Temp\2.exe (PID 2040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1980)
    Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1728)
      Command line: C:\Windows\system32\cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (PID 1752)
        Command line: findstr /V /R "^LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxupLKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE$" Ero.wks
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com (PID 1856)
        Command line: Presto.exe.com s
        - Executes dropped EXE
      - C:\Windows\SysWOW64\PING.EXE (PID 1720)
        Command line: ping 127.0.0.1 -n 30
        - Runs ping.exe