Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-06-2021 14:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: E1B1B906B90D0996A66F7132AEA2ADD6.exe
- Resource: win7v20210410
General
- Target: E1B1B906B90D0996A66F7132AEA2ADD6.exe
- Size: 1.7MB
- MD5: e1b1b906b90d0996a66f7132aea2add6
- SHA1: 6f1957598ee5f9bef19313d10665d599353960f9
- SHA256: 9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295
- SHA512: dd877760b1ae888df1d15d482b34e24dd5f382a45d5b31d97d22483fced48dcbc385c0bb5d75a266634d0ed19cc1da4afc87c1242eeeadbb71c148c475b85083
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  pid 1768  Chiamando.exe.com
  pid 1224  Chiamando.exe.com
- Loads dropped DLL (2 IoCs)
  Processes:
  pid 1756  cmd.exe
  pid 1768  Chiamando.exe.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (Chiamando.exe.com)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (Chiamando.exe.com)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  pid 1748  E1B1B906B90D0996A66F7132AEA2ADD6.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (each event recorded 4 times):
  PID 1748 wrote to memory of 1972  E1B1B906B90D0996A66F7132AEA2ADD6.exe -> dllhost.exe
  PID 1748 wrote to memory of 1956  E1B1B906B90D0996A66F7132AEA2ADD6.exe -> cmd.exe
  PID 1956 wrote to memory of 1756  cmd.exe -> cmd.exe
  PID 1756 wrote to memory of 1704  cmd.exe -> findstr.exe
  PID 1756 wrote to memory of 1768  cmd.exe -> Chiamando.exe.com
  PID 1756 wrote to memory of 1644  cmd.exe -> PING.EXE
  PID 1768 wrote to memory of 1224  Chiamando.exe.com -> Chiamando.exe.com
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\E1B1B906B90D0996A66F7132AEA2ADD6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\E1B1B906B90D0996A66F7132AEA2ADD6.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\dllhost.exe
    Command line: "C:\Windows\System32\dllhost.exe"
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Impedisce.pptm
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^wagEkAdCleHJqaSSdYHKLqULPpcBuUcgiylPKnulHizoVYqpafEPVEewbDOeyPvfGaBVoeiSRvrEGMPQokoQdGzDepaiJtyRKtCCbywdiLXnAnxLNYUTGFYqYYSZJqoNskTCp$" Per.pptm
      - [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
        Command line: Chiamando.exe.com U
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com U
          - Executes dropped EXE
          - Checks processor information in registry
      - [4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chi.pptm
  MD5: e110ce72625078d547c886a740e68c57
  SHA1: 215779e0efb7b7c9d9565ae0bc3fcdb75615aabe
  SHA256: 53b4d7f48f4beadf64fc47329e221fabee171a22458f75de5bcaf39d22e33ff9
  SHA512: 82840e046fd15b970ed5124d15db4cc47dacc80f8cec9492bb26a0de97a008690d3ab95a05ad0c53cda8d44eb4d412a417699bb34211e482f449534d6fff1673
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Impedisce.pptm
  MD5: d17fc67d0b5c5935aa4b830c9507b948
  SHA1: beffdceb7356942c4b66f5325040c73229dc88b1
  SHA256: 6da630d00bf32ef1601dc2340bd5aa5a3ea2ef7c41ea7cf2ced6da52a1063132
  SHA512: 39b3dec3f5b12aa9240265eef49663c8c4ac5d595d6a3e57ef4bd4d5469bf2939e5ad3aabc74a3a5c4ef58192e75730e058612af0de02586cf6eb6321ff0fc4d
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Per.pptm
  MD5: 30fce572d6ac11368a49ca0383b967fb
  SHA1: 2630d72c33213dddce822a4342177dbad60e8bfb
  SHA256: 36be6115204a59a7396a9c80309c97d4d57531e6bc9c1d4c993428d69f5512f2
  SHA512: d4857d4cd095fe97e0916a9609bc7e332b92edfbb0d945ee32b8b4fffd6e1dec82bfdd60964712020b7ad3ba50b881eb8a69b13612ce5e5a9d78609b4e88b476
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\U
  MD5: e110ce72625078d547c886a740e68c57
  SHA1: 215779e0efb7b7c9d9565ae0bc3fcdb75615aabe
  SHA256: 53b4d7f48f4beadf64fc47329e221fabee171a22458f75de5bcaf39d22e33ff9
  SHA512: 82840e046fd15b970ed5124d15db4cc47dacc80f8cec9492bb26a0de97a008690d3ab95a05ad0c53cda8d44eb4d412a417699bb34211e482f449534d6fff1673
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.pptm
  MD5: 369210a42bfd6b07df2fc02d118e5fe6
  SHA1: 56d6250b99e63361fe4a325f1d54d3ca3f5ee1f8
  SHA256: 9e5d8edbaccfc2afa94b6361f877ecd6a5a55ff0adc1a930b5e28127a4909e3d
  SHA512: c05095cd6d34398e62ae119ed3dc4397ce3b9d7a036e71322f25f372895d9ef342ff34cfd3ee04f74cbf0949750801657ec1a5aec3e4c487f8174415a250248f
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- memory/1224-76-0x0000000000000000-mapping.dmp
- memory/1224-80-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize 4KB)
- memory/1644-71-0x0000000000000000-mapping.dmp
- memory/1704-65-0x0000000000000000-mapping.dmp
- memory/1748-59-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize 8KB)
- memory/1748-60-0x0000000074501000-0x0000000074503000-memory.dmp (Filesize 8KB)
- memory/1756-64-0x0000000000000000-mapping.dmp
- memory/1768-69-0x0000000000000000-mapping.dmp
- memory/1956-62-0x0000000000000000-mapping.dmp
- memory/1972-61-0x0000000000000000-mapping.dmp