70b76fcb6175f3a6b2ea31d55732900a43a28c6510ff442d14bcfc10bd1ea28b

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20210408
submitted
10-06-2021 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff0efd8b2560085a03405d237425e94b.exe
Size

1.7MB
MD5

ff0efd8b2560085a03405d237425e94b
SHA1

7770903f1efb33d01c319bd1cfa8f179d5edb5b9
SHA256

70b76fcb6175f3a6b2ea31d55732900a43a28c6510ff442d14bcfc10bd1ea28b
SHA512

59e1271f92c9ad2f9c5b4590b1142e5bff9ac9779d04b1339e562fa090e566c197bcf1795069269faa0105687adea3e380f6fd2f077a5ce6873bc8e392f3ceb6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Promessa.exe.comPromessa.exe.com

pid process

1676 Promessa.exe.com
756 Promessa.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exePromessa.exe.com

pid process

1816 cmd.exe
1676 Promessa.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1676	Promessa.exe.com
756	Promessa.exe.com

pid	process
1816	cmd.exe
1676	Promessa.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Promessa.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Promessa.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Promessa.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1672 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ff0efd8b2560085a03405d237425e94b.exe

pid process

1944 ff0efd8b2560085a03405d237425e94b.exe

pid	process
1672	PING.EXE

pid	process
1944	ff0efd8b2560085a03405d237425e94b.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ff0efd8b2560085a03405d237425e94b.execmd.execmd.exePromessa.exe.com

description	pid	process	target process
PID 1944 wrote to memory of 1780	1944	ff0efd8b2560085a03405d237425e94b.exe	dllhost.exe
PID 1944 wrote to memory of 1780	1944	ff0efd8b2560085a03405d237425e94b.exe	dllhost.exe
PID 1944 wrote to memory of 1780	1944	ff0efd8b2560085a03405d237425e94b.exe	dllhost.exe
PID 1944 wrote to memory of 1780	1944	ff0efd8b2560085a03405d237425e94b.exe	dllhost.exe
PID 1944 wrote to memory of 1720	1944	ff0efd8b2560085a03405d237425e94b.exe	cmd.exe
PID 1944 wrote to memory of 1720	1944	ff0efd8b2560085a03405d237425e94b.exe	cmd.exe
PID 1944 wrote to memory of 1720	1944	ff0efd8b2560085a03405d237425e94b.exe	cmd.exe
PID 1944 wrote to memory of 1720	1944	ff0efd8b2560085a03405d237425e94b.exe	cmd.exe
PID 1720 wrote to memory of 1816	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 1816	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 1816	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 1816	1720	cmd.exe	cmd.exe
PID 1816 wrote to memory of 1684	1816	cmd.exe	findstr.exe
PID 1816 wrote to memory of 1684	1816	cmd.exe	findstr.exe
PID 1816 wrote to memory of 1684	1816	cmd.exe	findstr.exe
PID 1816 wrote to memory of 1684	1816	cmd.exe	findstr.exe
PID 1816 wrote to memory of 1676	1816	cmd.exe	Promessa.exe.com
PID 1816 wrote to memory of 1676	1816	cmd.exe	Promessa.exe.com
PID 1816 wrote to memory of 1676	1816	cmd.exe	Promessa.exe.com
PID 1816 wrote to memory of 1676	1816	cmd.exe	Promessa.exe.com
PID 1816 wrote to memory of 1672	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1672	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1672	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1672	1816	cmd.exe	PING.EXE
PID 1676 wrote to memory of 756	1676	Promessa.exe.com	Promessa.exe.com
PID 1676 wrote to memory of 756	1676	Promessa.exe.com	Promessa.exe.com
PID 1676 wrote to memory of 756	1676	Promessa.exe.com	Promessa.exe.com
PID 1676 wrote to memory of 756	1676	Promessa.exe.com	Promessa.exe.com

C:\Users\Admin\AppData\Local\Temp\ff0efd8b2560085a03405d237425e94b.exe
"C:\Users\Admin\AppData\Local\Temp\ff0efd8b2560085a03405d237425e94b.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Scolpisca.wmz
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^kMVqkqKzlWVQnldNpRBKAnMKNjtimJYwAzQfLyNZXhIPwFTUtmccVulMZlhZVDTAYUdyxwerrCMhQXJizlrqgCyxorfASOtxxiQifNAebsazzXWeByGLmTjvPWWdMBkfns$" Solleva.wmz
4⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.exe.com
Promessa.exe.com q
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.exe.com q
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:756

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mille.wmz
MD5
b661d938c5fb200b21b099afdef00e22

SHA1
ce4ed3e27618ebf0ca391d86c59ef5c498c3ac51

SHA256
584541a2d095c8157041f7d5fcc83823e7d20968c5b0f932909a41c54632156f

SHA512
2d0bca85a14c76480b6b49e29e609c00ca21df90d35f417ac51678e9ac046d984d1ca7b3dbb96c3b4f9fec149932c3932b001d12ef28f61c178587b1869b60dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Scolpisca.wmz
MD5
4345d88c7d859e8c9d31a17144986678

SHA1
7700e0f460eaea974f78ea76cf51714303da0718

SHA256
99ed0c9087d47e6c428927f09538c59cd062e3bfd18bd2c5aea340b594aeee68

SHA512
47ad4a0f818a5f99785799d97a2429cfa9bc0a689ef4a5530558ea45397f9d84d667daf0994403d0f4cffcf235fdf6affad236670626b1c24c9944378b448705

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Solleva.wmz
MD5
bc249ddd2549e214c0b3f46d9e48af3f

SHA1
3665286c25997a180850918b18e3e15e1a272a5c

SHA256
d8299b068e51d683069bac568121f4e5b05632f47e0523d357e07648fc6c3157

SHA512
74157d3d43eff2af829631584b41924c487a3c0073082b94751728fa7c41ac1474eb8c5b4c9f27a28745769edeb6fc1c0bdcd393da2370c4b13e5a6a2478f8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Versato.wmz
MD5
ba78b0e9355f8525746bbfc71d765141

SHA1
6b6c8488b217cfbb256f1d503be9af8626c89dc5

SHA256
ce6b064dace6992f85374366bd982c5ac9d43fa31b8899349ee8b820aab2f590

SHA512
5c40d9330601b9e4fee6acb66e63e3235bdb2cafeb9332d7632018c067cb13f90b59ad985ca14c8f6b5e5f52087767abc5ef2b0f5b61129dd6673d6e9f485c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\q
MD5
b661d938c5fb200b21b099afdef00e22

SHA1
ce4ed3e27618ebf0ca391d86c59ef5c498c3ac51

SHA256
584541a2d095c8157041f7d5fcc83823e7d20968c5b0f932909a41c54632156f

SHA512
2d0bca85a14c76480b6b49e29e609c00ca21df90d35f417ac51678e9ac046d984d1ca7b3dbb96c3b4f9fec149932c3932b001d12ef28f61c178587b1869b60dd

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/756-76-0x0000000000000000-mapping.dmp

Download
memory/756-80-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1672-71-0x0000000000000000-mapping.dmp

Download
memory/1676-69-0x0000000000000000-mapping.dmp

Download
memory/1684-65-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x0000000000000000-mapping.dmp

Download
memory/1780-61-0x0000000000000000-mapping.dmp

Download
memory/1816-64-0x0000000000000000-mapping.dmp

Download
memory/1944-59-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1944-60-0x0000000074BC1000-0x0000000074BC3000-memory.dmp

Filesize
8KB

Download