Analysis
max time kernel:  121s
max time network: 164s
platform:         windows7_x64
resource:         win7v20210408
submitted:        31-05-2021 20:06

Static task:     static1
Behavioral task: behavioral1
Sample:          1.exe
Resource:        win7v20210408

General
Target: 1.exe
Size:   1.7MB
MD5:    2332662eb831170dc8b914db0388f6ee
SHA1:   6dae44239a164218f9eac9c0b82cf70c30f2f5f5
SHA256: f01f3642340b639740e35de9b45182fb802fe0001ca46e0383fa426c6a5bd227
SHA512: f387f96c357f1d2fa971b5666a7c117086a325836344d74a716508ee73d2d58b4ef32827c21dda4b77d5878d3956d6a5509a2228e8076f770d87bc81be43c7ce
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   process
  1912  Appare.exe.com
  1744  Appare.exe.com
- Loads dropped DLL (2 IoCs)
  pid   process
  1748  cmd.exe
  1912  Appare.exe.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this signature is generic. Self-extracting installers, including the 7-Zip SFX that starts this chain, also probe the attached drives, so on its own it carries little weight here; nothing else in the report (no mass file writes, no ransom note) supports the ransomware reading.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments. ProcessorNameString in particular is compared against the vendor strings that virtual CPUs report.
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       Appare.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   Appare.exe.com
- Runs ping.exe (1 TTP, 1 IoC)
  The only ping in the process tree is ping 127.0.0.1 -n 30: thirty echo requests to the loopback address, sent about one second apart, which is the usual cmd.exe substitute for a 30-second sleep. No outbound network activity is implied.
- Suspicious use of WriteProcessMemory (24 IoCs)
  writer pid  writer process  target pid  target process  writes
  1988        1.exe           1608        cmd.exe         4
  1608        cmd.exe         1748        cmd.exe         4
  1748        cmd.exe         872         findstr.exe     4
  1748        cmd.exe         1912        Appare.exe.com  4
  1748        cmd.exe         744         PING.EXE        4
  1912        Appare.exe.com  1744        Appare.exe.com  4
  Every target is a child the writer has just created, and each pair is logged exactly four times. That is the footprint of ordinary process creation as this sandbox records it, not of injection into an unrelated process.
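The signatures above are the sandbox's own rules, each of which fires on a single process. As an added example, not part of this report and not a rule from any vendor, the following Python turns the four observables that together characterise this chain (a batch script fed to cmd.exe through stdin, findstr /V with a whole-line regex, an image with a double .exe.com extension, and ping to loopback used as a delay) into rules over process-creation events and groups the hits per process tree. The event records are constructed by hand from the process tree in this report; the benign control events, the field names and the three-tag threshold are assumptions made for the example.

```python
"""Detection pass over process-creation events for the chain in this report.

Added example written for this page; it is not part of the sandbox report and
not a rule from any vendor. The EVENTS list is constructed from the report's
process tree (PIDs, images and command lines copied from it); field names
loosely follow Sysmon Event ID 1 but nothing here parses a real log.
"""
import re
from collections import defaultdict

# Constructed from the report's process tree.
EVENTS = [
    {"pid": 1988, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\1.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'},
    {"pid": 1608, "ppid": 1988, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c cmd < Rete.sldx'},
    {"pid": 1748, "ppid": 1608, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd"},
    {"pid": 872, "ppid": 1748, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /V /R "^mbEoUKFXSXpevHJSeqbEECMwHHGyygGFPAqZDYexDdOqNMPxgbSFaKaWLCAhrmRDsEhVGJftXrwhNLgVRjRIvqjtorgqnPsrmkJonUNEoNHfJtpZgEcQIpidsoNDcgGiLXOCeyvXmjAIaXcrUg$" Illusione.sldx'},
    {"pid": 1912, "ppid": 1748, "image": r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com",
     "cmdline": "Appare.exe.com p"},
    {"pid": 1744, "ppid": 1912, "image": r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com p"},
    {"pid": 744, "ppid": 1748, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 30"},
]
# Invented control: an admin batch file that pings a gateway once. Must not alert.
BENIGN_EVENTS = [
    {"pid": 500, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ops\check.bat"},
    {"pid": 501, "ppid": 500, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 10.0.0.1 -n 1"},
]

# Four narrow observables taken from the chain.
STDIN_BATCH = re.compile(r"\bcmd(\.exe)?\b[^<]*<\s*\S+", re.I)        # cmd ... < script
FINDSTR_STRIP = re.compile(r'findstr(\.exe)?\s.*/V\b.*"\^[A-Za-z0-9]{40,}\$"', re.I)
DOUBLE_EXT = re.compile(r"\.(exe|scr|com|pif)\.(exe|scr|com|pif)$", re.I)
PING_SLEEP = re.compile(r"\bping(\.exe)?\s+(127\.0\.0\.1|localhost)\s+-n\s+(\d+)", re.I)


def rule_hits(ev):
    """Return the tags that fire on one process-creation event."""
    tags = []
    image, cl = ev["image"].lower(), ev["cmdline"]
    if image.endswith("cmd.exe") and STDIN_BATCH.search(cl):
        tags.append("cmd_batch_via_stdin")      # script body never reaches a command line
    if image.endswith("findstr.exe") and FINDSTR_STRIP.search(cl):
        tags.append("findstr_v_decoy_strip")    # whole-line regex drops padding lines
    if DOUBLE_EXT.search(image):
        tags.append("double_extension_image")   # .exe.com: Explorer shows "Appare.exe"
    m = PING_SLEEP.search(cl)
    if m and int(m.group(3)) >= 10:
        tags.append("ping_loopback_delay")      # -n 30 to loopback is a ~30 s sleep
    return tags


def chain_findings(events, min_tags=3):
    """Collect tags under the root of each process tree and report the trees
    that accumulate at least `min_tags` distinct tags (threshold is an assumption)."""
    by_pid = {e["pid"]: e for e in events}

    def root(ev):
        while ev["ppid"] in by_pid:
            ev = by_pid[ev["ppid"]]
        return ev["pid"]

    tags_by_root = defaultdict(set)
    for ev in events:
        tags_by_root[root(ev)].update(rule_hits(ev))
    return {r: sorted(t) for r, t in tags_by_root.items() if len(t) >= min_tags}


if __name__ == "__main__":
    print(chain_findings(EVENTS))         # {1988: [four tags]}
    print(chain_findings(BENIGN_EVENTS))  # {}
```

Each tag on its own is weak (ping -n to loopback is a common batch idiom, and plenty of installers spawn cmd.exe), which is why the finding is raised on the tree rather than on the event: three or more distinct tags under one root process is what the sandbox's per-process signatures do not give you.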
Processes
1.exe  PID 1988
    Image:   C:\Users\Admin\AppData\Local\Temp\1.exe
    Cmdline: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Suspicious use of WriteProcessMemory
  cmd.exe  PID 1608
      Image:   C:\Windows\SysWOW64\cmd.exe
      Cmdline: "C:\Windows\System32\cmd.exe" /c cmd < Rete.sldx
      - Suspicious use of WriteProcessMemory
    cmd.exe  PID 1748
        Image:   C:\Windows\SysWOW64\cmd.exe
        Cmdline: cmd
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      findstr.exe  PID 872
          Image:   C:\Windows\SysWOW64\findstr.exe
          Cmdline: findstr /V /R "^mbEoUKFXSXpevHJSeqbEECMwHHGyygGFPAqZDYexDdOqNMPxgbSFaKaWLCAhrmRDsEhVGJftXrwhNLgVRjRIvqjtorgqnPsrmkJonUNEoNHfJtpZgEcQIpidsoNDcgGiLXOCeyvXmjAIaXcrUg$" Illusione.sldx
      Appare.exe.com  PID 1912
          Image:   C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
          Cmdline: Appare.exe.com p
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        Appare.exe.com  PID 1744
            Image:   C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com
            Cmdline: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com p
            - Executes dropped EXE
            - Checks processor information in registry
      PING.EXE  PID 744
          Image:   C:\Windows\SysWOW64\PING.EXE
          Cmdline: ping 127.0.0.1 -n 30
          - Runs ping.exe

Reading the chain: 1.exe is a 7-Zip self-extracting archive (7ZipSfx.000 is the directory name the 7-Zip SFX module creates under %TEMP%) that unpacks the .sldx files, p and Appare.exe.com and then runs cmd.exe with the batch script supplied on standard input (cmd < Rete.sldx), so the script body never appears on any command line. The SysWOW64 image paths against the System32 paths in the command lines show that the whole chain is 32-bit and subject to WoW64 file-system redirection. The inner cmd.exe runs findstr /V /R with a whole-line regex (^ and $ anchors around a 146-character alphabetic token) against Illusione.sldx, which removes every line that consists only of that token and passes everything else through; any output redirection is handled by cmd.exe and is therefore absent from findstr's own command line. That the filtered output is written to Appare.exe.com is an inference from the file list, where Illusione.sldx and Appare.exe.com carry different hashes, not something the report states. The script then launches Appare.exe.com with the file p as its argument (p is byte-identical to Riaprirmi.sldx: all four hashes match); the .exe.com name is still executable from cmd.exe while Explorer, with known extensions hidden, displays it as Appare.exe. Finally ping 127.0.0.1 -n 30 delays the batch by about 30 seconds. Only the second Appare.exe.com instance (PID 1744) performs the CPU-name lookup.
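What the findstr /V /R "^…$" step in the tree above does to a file, as an added example (not the sample's own code and not a tool from this report): an anchored regex with /V drops only lines that are exactly the token, so a file built by interleaving an executable's bytes with decoy lines equal to the token filters back to the executable unchanged. The payload bytes, the decoy layout and the shortened token below are constructed for the example; the real Illusione.sldx and Appare.exe.com are not available, so this shows the mechanism and its one failure mode, not the actual files.

```python
"""Emulation of the findstr /V reconstruction step shown in the process tree.

Added example for this page, not code from the sample or from the sandbox.
PAYLOAD, the decoy layout and TOKEN are constructed; TOKEN is a 30-character
stand-in for the 146-character token in the real command line.
"""
import hashlib

TOKEN = b"mbEoUKFXSXpevHJSeqbEECMwHHGyyg"
# Constructed stand-in for an executable: arbitrary bytes that happen to contain 0x0A.
PAYLOAD = (b"MZ\x90\x00\x03\x00\x00\x00\n\x04\x00\x00\x00\xff\xff\n"
           + b"PE\x00\x00" + bytes(range(256)) * 2)


def make_container(payload: bytes, token: bytes, every: int = 3) -> bytes:
    """Pad the payload with decoy lines: after every `every`-th payload line insert
    a line that is exactly `token`. A 'line' is whatever lies between LF bytes, so
    a binary payload is split at whichever 0x0A bytes it contains."""
    out = []
    for i, line in enumerate(payload.split(b"\n")):
        out.append(line)
        if i % every == 0:
            out.append(token)
    return b"\n".join(out)


def findstr_v_anchored(container: bytes, token: bytes) -> bytes:
    """Equivalent of:  findstr /V /R "^TOKEN$" container
    /V inverts the match and ^...$ anchors it to the whole line, so only lines that
    are exactly the token are dropped; all other lines pass through unchanged.
    (Real findstr also handles CR and has line-length limits; both ignored here.)"""
    return b"\n".join(line for line in container.split(b"\n") if line != token)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reconstruction_is_lossless(payload: bytes, token: bytes) -> bool:
    """True when filtering the padded container returns the payload byte for byte.
    Fails only if the payload itself contains a line equal to the token, which
    the long random token in the real sample makes practically impossible."""
    return findstr_v_anchored(make_container(payload, token), token) == payload


if __name__ == "__main__":
    container = make_container(PAYLOAD, TOKEN)
    rebuilt = findstr_v_anchored(container, TOKEN)
    print("container sha256:", sha256(container))   # the dropped, padded file
    print("rebuilt sha256:  ", sha256(rebuilt))      # the filtered output
    print("lossless:        ", rebuilt == PAYLOAD)
    poisoned = PAYLOAD + b"\n" + TOKEN + b"\nTAIL"    # failure mode: token inside payload
    print("poisoned lossless:", reconstruction_is_lossless(poisoned, TOKEN))
```

The two hashes printed differ, which is why a padded dropper file and the executable rebuilt from it never share an MD5 or SHA256: scanning the .sldx files against known-bad hashes misses the payload, while hashing what findstr writes, or watching for findstr /V with a long anchored token, does not.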
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com  (this path is recorded three times in the report, each time with the same hashes)
  MD5     c56b5f0201a3b3de53e561fe76912bfd
  SHA1    2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Illusione.sldx
  MD5     0b7d3e6493f2c9f36cd3cafe228d28b6
  SHA1    d678b4df96f3755da609f18bc0aca038de5bb67d
  SHA256  e485024ef52f23d7070a14a0d17cd5b4b769612d78d7d35a7dc6114060590aff
  SHA512  1c9882331e590ee6013529179767d312352d07e959e7aa6f4474f39ad7d3cddccc0226d7ac30b19dc2c219afe0faba77dd1f145c9da123457e58935bb79ae157
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rete.sldx
  MD5     a02138c1a01c972bc34de72d2ae3308d
  SHA1    5d528bea8722285193530a5dc6cfea8525d7aaf2
  SHA256  57de7891b0a36293f8640e8f565db8ebee23693b841493fc80bea9ecfde3f7c7
  SHA512  799d2e05693cccd79de40a49f433082140b28acfe40fdd05c4de756b99ae8fe62670e66962d2aeb0bc029ba0135cb43d76b5437294dfcf533586785abd099a9f
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.sldx
  MD5     5c44e97705622af2ed970376cd0270e4
  SHA1    e661a45d8e4a48a95786e95385ceba272992f8bf
  SHA256  b4d72ed7d882871facba45cc07584f9d02866064991387de1e9e15586abaefcb
  SHA512  b6c94bd61f55c4ce08c930604a5fea73f899e1cc1f7a3dadfbf17e3b0e0d331a27a89dc5da6dd3f6fa4505fd662f156563ca57e3b32308244e4416427cde8d84
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riprendera.sldx
  MD5     e1c9c4f224cefdbdd84c3800e6925e18
  SHA1    1b131673a0a08df7f1082960d76075bb7d0640a4
  SHA256  4c83f96830328b9b186f820cd15d2bb21e2e00068dc00f7b778540558ea7cac1
  SHA512  78c34198446887f4b0e50d55224b5496e445547a331328bacea4c5b1427df66beb9196f4a2bf54734f8324dd4c3cd382e3e59d977dee492b00cdec503e66b561
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\p  (byte-identical to Riaprirmi.sldx: all four hashes match)
  MD5     5c44e97705622af2ed970376cd0270e4
  SHA1    e661a45d8e4a48a95786e95385ceba272992f8bf
  SHA256  b4d72ed7d882871facba45cc07584f9d02866064991387de1e9e15586abaefcb
  SHA512  b6c94bd61f55c4ce08c930604a5fea73f899e1cc1f7a3dadfbf17e3b0e0d331a27a89dc5da6dd3f6fa4505fd662f156563ca57e3b32308244e4416427cde8d84
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.exe.com  (same file as the C:\ entry above, recorded twice under the path form without a drive letter)
  MD5     c56b5f0201a3b3de53e561fe76912bfd
  SHA1    2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- memory/744-69-0x0000000000000000-mapping.dmp
- memory/872-63-0x0000000000000000-mapping.dmp
- memory/1608-60-0x0000000000000000-mapping.dmp
- memory/1744-74-0x0000000000000000-mapping.dmp
- memory/1744-78-0x00000000000E0000-0x00000000000E1000-memory.dmp  Filesize 4KB
- memory/1748-62-0x0000000000000000-mapping.dmp
- memory/1912-67-0x0000000000000000-mapping.dmp
- memory/1988-59-0x0000000075511000-0x0000000075513000-memory.dmp  Filesize 8KB