f3a5b0f539135e55de5cbfe1f710b00c5e6823aa826732b96612dcd1f2373611

Analysis

max time kernel
57s
max time network
28s
platform
windows7_x64
resource
win7v20210408
submitted
24-05-2021 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Smettere.exe.comSmettere.exe.com

pid process

1704 Smettere.exe.com
752 Smettere.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeSmettere.exe.com

pid process

1660 cmd.exe
1704 Smettere.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1704	Smettere.exe.com
752	Smettere.exe.com

pid	process
1660	cmd.exe
1704	Smettere.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Smettere.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Smettere.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Smettere.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1652 PING.EXE

pid	process
1652	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763.execmd.execmd.exeSmettere.exe.com

description	pid	process	target process
PID 1840 wrote to memory of 1600	1840	02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763.exe	cmd.exe
PID 1840 wrote to memory of 1600	1840	02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763.exe	cmd.exe
PID 1840 wrote to memory of 1600	1840	02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763.exe	cmd.exe
PID 1840 wrote to memory of 1600	1840	02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763.exe	cmd.exe
PID 1600 wrote to memory of 1660	1600	cmd.exe	cmd.exe
PID 1600 wrote to memory of 1660	1600	cmd.exe	cmd.exe
PID 1600 wrote to memory of 1660	1600	cmd.exe	cmd.exe
PID 1600 wrote to memory of 1660	1600	cmd.exe	cmd.exe
PID 1660 wrote to memory of 1532	1660	cmd.exe	findstr.exe
PID 1660 wrote to memory of 1532	1660	cmd.exe	findstr.exe
PID 1660 wrote to memory of 1532	1660	cmd.exe	findstr.exe
PID 1660 wrote to memory of 1532	1660	cmd.exe	findstr.exe
PID 1660 wrote to memory of 1704	1660	cmd.exe	Smettere.exe.com
PID 1660 wrote to memory of 1704	1660	cmd.exe	Smettere.exe.com
PID 1660 wrote to memory of 1704	1660	cmd.exe	Smettere.exe.com
PID 1660 wrote to memory of 1704	1660	cmd.exe	Smettere.exe.com
PID 1660 wrote to memory of 1652	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 1652	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 1652	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 1652	1660	cmd.exe	PING.EXE
PID 1704 wrote to memory of 752	1704	Smettere.exe.com	Smettere.exe.com
PID 1704 wrote to memory of 752	1704	Smettere.exe.com	Smettere.exe.com
PID 1704 wrote to memory of 752	1704	Smettere.exe.com	Smettere.exe.com
PID 1704 wrote to memory of 752	1704	Smettere.exe.com	Smettere.exe.com

C:\Users\Admin\AppData\Local\Temp\02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763.exe
"C:\Users\Admin\AppData\Local\Temp\02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Resiste.eml
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^tuZncXyVqevGbmRmVgeZmGGAtbGtiCGxopcXKByQbGkhyXrvtkKlQRqnAnzYdqNncengrTOxpkCTxacizpqWSvDsoXbkiiAvSNRrnPzkvfwEgurirjF$" Gloria.eml
4⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smettere.exe.com
Smettere.exe.com y
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smettere.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smettere.exe.com y
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:752

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gloria.eml
MD5
d1a32833d618f67f3206651d0929560e

SHA1
61ece9ecccf36ec788fe379214669576fdf6010f

SHA256
d5bf12b5098de6c70c9820385d5dbf7021c99c4bbfa18306fde8639d53758365

SHA512
3545c4df416fc03708dd873f03784b5e6c4265d26bcdcaee411aa185b19b89a842766afbf0605e8516e5c8a1748185dedb57e27e72fc6a9281728b14544e2951

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Impaziente.eml
MD5
31f2aa943084ee1864fc2d8312c08f9f

SHA1
33e61798fdc571c21294e5f728a356cb6c07acff

SHA256
26a8acf59d0fc64ec63ff013c6a2ae2baf18ddda081ff730cef5d98d8124b879

SHA512
c3625730308d92d7cf468131a86f0d5d735bffa590bac31d5548589c105e3d803caf781e845ed08843fe56b84af85ff45ac210a3a78a2e6b7ae6a9b8ce607494

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resiste.eml
MD5
f09f35c396242c8d2730efa4c6f85e6d

SHA1
7e21076bd7f43e82df7f3817eeb56e7079a36376

SHA256
80f1bf72a7e1e9a9f2e1f38d58dcb51fd7bf368b48c2472b85e4c55298b1c033

SHA512
4beb7c930f766e77a5bee978743c754bf6d6609622357e300634a8e50cf1a1bab445023d59fe383779810b206c7b7a20c786912e7350918a41ab98d120ef4717

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riconosco.eml
MD5
44921f6e6af1d0c64b003fa5389228af

SHA1
2070e1e06141d187e84b1cf7b251ea7312ae7b8a

SHA256
4e3bd62a8a8584322420ea3d9bf85c094f14caecb386df2199ff375fdfd1bef5

SHA512
391304e103aa489be1a1984f7bf7fbb1fdbdc819485cad5359cd0f68b4a1c6bb5640d74de9e1940979972592358923bf3407f74febc4890296824f2618fecb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smettere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smettere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smettere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\y
MD5
31f2aa943084ee1864fc2d8312c08f9f

SHA1
33e61798fdc571c21294e5f728a356cb6c07acff

SHA256
26a8acf59d0fc64ec63ff013c6a2ae2baf18ddda081ff730cef5d98d8124b879

SHA512
c3625730308d92d7cf468131a86f0d5d735bffa590bac31d5548589c105e3d803caf781e845ed08843fe56b84af85ff45ac210a3a78a2e6b7ae6a9b8ce607494

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smettere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Smettere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/752-78-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/752-74-0x0000000000000000-mapping.dmp

Download
memory/1532-63-0x0000000000000000-mapping.dmp

Download
memory/1600-60-0x0000000000000000-mapping.dmp

Download
memory/1652-69-0x0000000000000000-mapping.dmp

Download
memory/1660-62-0x0000000000000000-mapping.dmp

Download
memory/1704-67-0x0000000000000000-mapping.dmp

Download
memory/1840-59-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download