1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297

Analysis

max time kernel
122s
max time network
121s
platform
windows7_x64
resource
win7v20210410
submitted
29-05-2021 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b7b9e383bdaa6d350c768d010bd960a.exe
Size

1.7MB
MD5

9b7b9e383bdaa6d350c768d010bd960a
SHA1

cec89fc1ffac4c4d30f88b99dfeafb74661dc57f
SHA256

1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
SHA512

2206e5c77c1035f3588b770d4a334bd4e73c007e6e38a3f11b553da6cf99ecc0d33ab55bf6b9b29b8ab456b0a1d4947c0ec4dcb4a2ac78fa287568e92109ac36

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Apparenze.exe.comApparenze.exe.com

pid process

1952 Apparenze.exe.com
1764 Apparenze.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeApparenze.exe.com

pid process

1168 cmd.exe
1952 Apparenze.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1952	Apparenze.exe.com
1764	Apparenze.exe.com

pid	process
1168	cmd.exe
1952	Apparenze.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Apparenze.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Apparenze.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Apparenze.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2004 PING.EXE

pid	process
2004	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

9b7b9e383bdaa6d350c768d010bd960a.execmd.execmd.exeApparenze.exe.com

description	pid	process	target process
PID 1684 wrote to memory of 1812	1684	9b7b9e383bdaa6d350c768d010bd960a.exe	cmd.exe
PID 1684 wrote to memory of 1812	1684	9b7b9e383bdaa6d350c768d010bd960a.exe	cmd.exe
PID 1684 wrote to memory of 1812	1684	9b7b9e383bdaa6d350c768d010bd960a.exe	cmd.exe
PID 1684 wrote to memory of 1812	1684	9b7b9e383bdaa6d350c768d010bd960a.exe	cmd.exe
PID 1812 wrote to memory of 1168	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1168	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1168	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1168	1812	cmd.exe	cmd.exe
PID 1168 wrote to memory of 1972	1168	cmd.exe	findstr.exe
PID 1168 wrote to memory of 1972	1168	cmd.exe	findstr.exe
PID 1168 wrote to memory of 1972	1168	cmd.exe	findstr.exe
PID 1168 wrote to memory of 1972	1168	cmd.exe	findstr.exe
PID 1168 wrote to memory of 1952	1168	cmd.exe	Apparenze.exe.com
PID 1168 wrote to memory of 1952	1168	cmd.exe	Apparenze.exe.com
PID 1168 wrote to memory of 1952	1168	cmd.exe	Apparenze.exe.com
PID 1168 wrote to memory of 1952	1168	cmd.exe	Apparenze.exe.com
PID 1168 wrote to memory of 2004	1168	cmd.exe	PING.EXE
PID 1168 wrote to memory of 2004	1168	cmd.exe	PING.EXE
PID 1168 wrote to memory of 2004	1168	cmd.exe	PING.EXE
PID 1168 wrote to memory of 2004	1168	cmd.exe	PING.EXE
PID 1952 wrote to memory of 1764	1952	Apparenze.exe.com	Apparenze.exe.com
PID 1952 wrote to memory of 1764	1952	Apparenze.exe.com	Apparenze.exe.com
PID 1952 wrote to memory of 1764	1952	Apparenze.exe.com	Apparenze.exe.com
PID 1952 wrote to memory of 1764	1952	Apparenze.exe.com	Apparenze.exe.com

C:\Users\Admin\AppData\Local\Temp\9b7b9e383bdaa6d350c768d010bd960a.exe
"C:\Users\Admin\AppData\Local\Temp\9b7b9e383bdaa6d350c768d010bd960a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Sai.vstm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^QtwmeCQjOoyJLhVQcErYyxpRNzKchxxtvBSPIrOReEqbOwxQKsAKhuRcUlMJScZzNwjpxuoaPjVAxMrMYTLVUKQdKbUbsyYHFGJNOlvDpiUwkdqouZKYJrmrlWmXjKwKhhVOedYObiMMPPtz$" Voce.vstm
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.exe.com
      Apparenze.exe.com F
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.exe.com F
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:1764
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audace.vstm

MD5
68041263c28a301ac4d2fea574e6c64b

SHA1
cbf20a74457fd67072b47a9105b95ea160fcc6b8

SHA256
2b98eb839ac7c3968140420c5d5a67c2fffeb23209726b285ef21b311582d396

SHA512
5f8339931e9288130e2feee45525c59cd6f13dd4110d1a157cd79d8daba0fc3a5decb55494320ff4b859f90f6973bd0d9eca97c2eff408783f4cdbc2266a2e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\F

MD5
68041263c28a301ac4d2fea574e6c64b

SHA1
cbf20a74457fd67072b47a9105b95ea160fcc6b8

SHA256
2b98eb839ac7c3968140420c5d5a67c2fffeb23209726b285ef21b311582d396

SHA512
5f8339931e9288130e2feee45525c59cd6f13dd4110d1a157cd79d8daba0fc3a5decb55494320ff4b859f90f6973bd0d9eca97c2eff408783f4cdbc2266a2e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sai.vstm

MD5
4cde7f78e458784cfa78404d9be967f0

SHA1
f9135fb8900386d519871e4f1d89ba15e0cf3768

SHA256
7b4f27305e6a37952f693f6ecb764cc0df704f3b48834ea5a39b6edc52635d56

SHA512
bb629e79e6f155b2bbc645613a0730534346d097313cd36b6e281202c8d16810ad0d93680dd2d8c3ca8fa7d3ed2c3d0c97628df7af063ecc5044587072ec4f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Trarre.vstm

MD5
853136cb7630fa400c9e6b608cb8a8e7

SHA1
fc00868562f6d739ac919ef14f0eb820687ab3f1

SHA256
3c3032cfb11be0ae20ab195a7a04ec41ad470b19d2891382a879824dca152ce2

SHA512
deea04755ddb2dabfffc3b8c9e521c55790cd19d88c97397dbfe28eec07c7c05442a464edb34591c5edb930bce39c65cc13c3ba1e711a756a404920ae879db7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Voce.vstm

MD5
6f76691c6314d7009479e0e48426f6e4

SHA1
568d3f7ceb7bd7a9ae88a0395ce8d81cb574b6fe

SHA256
d84e73d003d54ccd6e109093517163b0060c45b42c4240beb677516acd98fc2c

SHA512
fe7bc4004117e6c13f00a0178dd73e7e3f3782cc3199dea02e35e82d109fe5958d1201d031a85cca0f23674c0f7928b9c53c9ce6bb49cf341e5a805d6429150a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1168-63-0x0000000000000000-mapping.dmp

Download
memory/1684-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1764-79-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1764-75-0x0000000000000000-mapping.dmp

Download
memory/1812-61-0x0000000000000000-mapping.dmp

Download
memory/1952-68-0x0000000000000000-mapping.dmp

Download
memory/1972-64-0x0000000000000000-mapping.dmp

Download
memory/2004-70-0x0000000000000000-mapping.dmp

Download