f01f3642340b639740e35de9b45182fb802fe0001ca46e0383fa426c6a5bd227

Analysis

max time kernel
121s
max time network
164s
platform
windows7_x64
resource
win7v20210408
submitted
31-05-2021 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

1.7MB
MD5

2332662eb831170dc8b914db0388f6ee
SHA1

6dae44239a164218f9eac9c0b82cf70c30f2f5f5
SHA256

f01f3642340b639740e35de9b45182fb802fe0001ca46e0383fa426c6a5bd227
SHA512

f387f96c357f1d2fa971b5666a7c117086a325836344d74a716508ee73d2d58b4ef32827c21dda4b77d5878d3956d6a5509a2228e8076f770d87bc81be43c7ce

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Appare.exe.comAppare.exe.com

pid process

1912 Appare.exe.com
1744 Appare.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeAppare.exe.com

pid process

1748 cmd.exe
1912 Appare.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1912	Appare.exe.com
1744	Appare.exe.com

pid	process
1748	cmd.exe
1912	Appare.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Appare.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Appare.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Appare.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

744 PING.EXE

pid	process
744	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1.execmd.execmd.exeAppare.exe.com

description	pid	process	target process
PID 1988 wrote to memory of 1608	1988	1.exe	cmd.exe
PID 1988 wrote to memory of 1608	1988	1.exe	cmd.exe
PID 1988 wrote to memory of 1608	1988	1.exe	cmd.exe
PID 1988 wrote to memory of 1608	1988	1.exe	cmd.exe
PID 1608 wrote to memory of 1748	1608	cmd.exe	cmd.exe
PID 1608 wrote to memory of 1748	1608	cmd.exe	cmd.exe
PID 1608 wrote to memory of 1748	1608	cmd.exe	cmd.exe
PID 1608 wrote to memory of 1748	1608	cmd.exe	cmd.exe
PID 1748 wrote to memory of 872	1748	cmd.exe	findstr.exe
PID 1748 wrote to memory of 872	1748	cmd.exe	findstr.exe
PID 1748 wrote to memory of 872	1748	cmd.exe	findstr.exe
PID 1748 wrote to memory of 872	1748	cmd.exe	findstr.exe
PID 1748 wrote to memory of 1912	1748	cmd.exe	Appare.exe.com
PID 1748 wrote to memory of 1912	1748	cmd.exe	Appare.exe.com
PID 1748 wrote to memory of 1912	1748	cmd.exe	Appare.exe.com
PID 1748 wrote to memory of 1912	1748	cmd.exe	Appare.exe.com
PID 1748 wrote to memory of 744	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 744	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 744	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 744	1748	cmd.exe	PING.EXE
PID 1912 wrote to memory of 1744	1912	Appare.exe.com	Appare.exe.com
PID 1912 wrote to memory of 1744	1912	Appare.exe.com	Appare.exe.com
PID 1912 wrote to memory of 1744	1912	Appare.exe.com	Appare.exe.com
PID 1912 wrote to memory of 1744	1912	Appare.exe.com	Appare.exe.com

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Rete.sldx
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mbEoUKFXSXpevHJSeqbEECMwHHGyygGFPAqZDYexDdOqNMPxgbSFaKaWLCAhrmRDsEhVGJftXrwhNLgVRjRIvqjtorgqnPsrmkJonUNEoNHfJtpZgEcQIpidsoNDcgGiLXOCeyvXmjAIaXcrUg$" Illusione.sldx
4⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
Appare.exe.com p
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com p
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1744

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Illusione.sldx
MD5
0b7d3e6493f2c9f36cd3cafe228d28b6

SHA1
d678b4df96f3755da609f18bc0aca038de5bb67d

SHA256
e485024ef52f23d7070a14a0d17cd5b4b769612d78d7d35a7dc6114060590aff

SHA512
1c9882331e590ee6013529179767d312352d07e959e7aa6f4474f39ad7d3cddccc0226d7ac30b19dc2c219afe0faba77dd1f145c9da123457e58935bb79ae157

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rete.sldx
MD5
a02138c1a01c972bc34de72d2ae3308d

SHA1
5d528bea8722285193530a5dc6cfea8525d7aaf2

SHA256
57de7891b0a36293f8640e8f565db8ebee23693b841493fc80bea9ecfde3f7c7

SHA512
799d2e05693cccd79de40a49f433082140b28acfe40fdd05c4de756b99ae8fe62670e66962d2aeb0bc029ba0135cb43d76b5437294dfcf533586785abd099a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.sldx
MD5
5c44e97705622af2ed970376cd0270e4

SHA1
e661a45d8e4a48a95786e95385ceba272992f8bf

SHA256
b4d72ed7d882871facba45cc07584f9d02866064991387de1e9e15586abaefcb

SHA512
b6c94bd61f55c4ce08c930604a5fea73f899e1cc1f7a3dadfbf17e3b0e0d331a27a89dc5da6dd3f6fa4505fd662f156563ca57e3b32308244e4416427cde8d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riprendera.sldx
MD5
e1c9c4f224cefdbdd84c3800e6925e18

SHA1
1b131673a0a08df7f1082960d76075bb7d0640a4

SHA256
4c83f96830328b9b186f820cd15d2bb21e2e00068dc00f7b778540558ea7cac1

SHA512
78c34198446887f4b0e50d55224b5496e445547a331328bacea4c5b1427df66beb9196f4a2bf54734f8324dd4c3cd382e3e59d977dee492b00cdec503e66b561

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\p
MD5
5c44e97705622af2ed970376cd0270e4

SHA1
e661a45d8e4a48a95786e95385ceba272992f8bf

SHA256
b4d72ed7d882871facba45cc07584f9d02866064991387de1e9e15586abaefcb

SHA512
b6c94bd61f55c4ce08c930604a5fea73f899e1cc1f7a3dadfbf17e3b0e0d331a27a89dc5da6dd3f6fa4505fd662f156563ca57e3b32308244e4416427cde8d84

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/744-69-0x0000000000000000-mapping.dmp

Download
memory/872-63-0x0000000000000000-mapping.dmp

Download
memory/1608-60-0x0000000000000000-mapping.dmp

Download
memory/1744-74-0x0000000000000000-mapping.dmp

Download
memory/1744-78-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1748-62-0x0000000000000000-mapping.dmp

Download
memory/1912-67-0x0000000000000000-mapping.dmp

Download
memory/1988-59-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download