0329f707c1e908925f23bc015b422526620f308142a2e75df56257ac3aec4c3a

Analysis

max time kernel
65s
max time network
44s
platform
windows7_x64
resource
win7v20210410
submitted
13-06-2021 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d18dc9cf860133016c0c244b9ad579bd.exe
Size

1.7MB
MD5

d18dc9cf860133016c0c244b9ad579bd
SHA1

1fc0e27cdab3f5ff40cac4448f4023c0693ec071
SHA256

0329f707c1e908925f23bc015b422526620f308142a2e75df56257ac3aec4c3a
SHA512

77d9135160dc9e35c3112e8036e0f39778235c3630805001b1230090fba47104ed306e30b4633dcfcd4f0440d731ba5c4a61906ec1140f78bd0b2e3241e91f1f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Leva.exe.comLeva.exe.com

pid process

1748 Leva.exe.com
1732 Leva.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeLeva.exe.com

pid process

1972 cmd.exe
1748 Leva.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1748	Leva.exe.com
1732	Leva.exe.com

pid	process
1972	cmd.exe
1748	Leva.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Leva.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Leva.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Leva.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1752 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d18dc9cf860133016c0c244b9ad579bd.exe

pid process

1088 d18dc9cf860133016c0c244b9ad579bd.exe

pid	process
1752	PING.EXE

pid	process
1088	d18dc9cf860133016c0c244b9ad579bd.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d18dc9cf860133016c0c244b9ad579bd.execmd.execmd.exeLeva.exe.com

description	pid	process	target process
PID 1088 wrote to memory of 2040	1088	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 1088 wrote to memory of 2040	1088	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 1088 wrote to memory of 2040	1088	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 1088 wrote to memory of 2040	1088	d18dc9cf860133016c0c244b9ad579bd.exe	dllhost.exe
PID 1088 wrote to memory of 1064	1088	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 1088 wrote to memory of 1064	1088	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 1088 wrote to memory of 1064	1088	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 1088 wrote to memory of 1064	1088	d18dc9cf860133016c0c244b9ad579bd.exe	cmd.exe
PID 1064 wrote to memory of 1972	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1972	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1972	1064	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1972	1064	cmd.exe	cmd.exe
PID 1972 wrote to memory of 1956	1972	cmd.exe	findstr.exe
PID 1972 wrote to memory of 1956	1972	cmd.exe	findstr.exe
PID 1972 wrote to memory of 1956	1972	cmd.exe	findstr.exe
PID 1972 wrote to memory of 1956	1972	cmd.exe	findstr.exe
PID 1972 wrote to memory of 1748	1972	cmd.exe	Leva.exe.com
PID 1972 wrote to memory of 1748	1972	cmd.exe	Leva.exe.com
PID 1972 wrote to memory of 1748	1972	cmd.exe	Leva.exe.com
PID 1972 wrote to memory of 1748	1972	cmd.exe	Leva.exe.com
PID 1972 wrote to memory of 1752	1972	cmd.exe	PING.EXE
PID 1972 wrote to memory of 1752	1972	cmd.exe	PING.EXE
PID 1972 wrote to memory of 1752	1972	cmd.exe	PING.EXE
PID 1972 wrote to memory of 1752	1972	cmd.exe	PING.EXE
PID 1748 wrote to memory of 1732	1748	Leva.exe.com	Leva.exe.com
PID 1748 wrote to memory of 1732	1748	Leva.exe.com	Leva.exe.com
PID 1748 wrote to memory of 1732	1748	Leva.exe.com	Leva.exe.com
PID 1748 wrote to memory of 1732	1748	Leva.exe.com	Leva.exe.com

C:\Users\Admin\AppData\Local\Temp\d18dc9cf860133016c0c244b9ad579bd.exe
"C:\Users\Admin\AppData\Local\Temp\d18dc9cf860133016c0c244b9ad579bd.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Tornato.png
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^OlSktDCltJXwMRVSSmmpBhzNzZddlihGzPuRoTcXAVxOIQjWDdCKnvzBRyRyhkZWcdHWLtJZrCIFSEtDNxMUEDiXvEZrwfKgWbaapflmGDGWNNIjqgaSnyaRpKAutGXOSxJcjMxbphhqXk$" Basso.png
4⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
Leva.exe.com Q
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com Q
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1732

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Basso.png
MD5
172d4c14c7654c95a3474afbf4c4c104

SHA1
b16ec68de817985c4548bbb598de7cef365ae513

SHA256
4e8a9443d4d16f796dfd9f78e875bd5c0b66b69dd98c2f75fd30295e37c57119

SHA512
026e8afa026808f12e9605b588efe43859b8c7b49eec14607f3fa77f4791b1e63a0e773c775b0935f5cac92d130c4b2e53e1a3b20b9056d02215eb32fec42455

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Q
MD5
8979f95100c036e06a65767d1a1c0207

SHA1
8bbd73bdced488364eddf00da1079129e4e4e84b

SHA256
297ba66b2c885e6b37e81d5a6cb96d9276a12153165851b6242f48c436c4c9fb

SHA512
12461a986811e14cde1dd8398a4d6d2df9bd64a5fb7fb5900ab70c4c82b48236db2a06a2cab804145a6da16d55c2e6d97397913b2990ed2f44f72a01f125df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornarvi.png
MD5
8979f95100c036e06a65767d1a1c0207

SHA1
8bbd73bdced488364eddf00da1079129e4e4e84b

SHA256
297ba66b2c885e6b37e81d5a6cb96d9276a12153165851b6242f48c436c4c9fb

SHA512
12461a986811e14cde1dd8398a4d6d2df9bd64a5fb7fb5900ab70c4c82b48236db2a06a2cab804145a6da16d55c2e6d97397913b2990ed2f44f72a01f125df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Splendido.png
MD5
3efcd80a02332c9b2b84390a08d541d0

SHA1
d65943bec952053fccddd2e7865f0b50800d2283

SHA256
fe77afd57a0a9353d6370ca8d34d9c94ef5988a16655adc93e4b36aa1e4f5337

SHA512
8fcfb341b8be15378505400395c86a748430f97b0981177f0debfbca37db69983a4b81acb9d9cab95f8ad82e6a74bab1cb32258167a096d327913f44024ab237

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tornato.png
MD5
eaf43205aa58bcf0fcced0535fb97d34

SHA1
d42827604b82edf3722d6cc29be03de04ef66748

SHA256
3eed6c7c13b633199b1ddac6cf2574356817cd9409b456845ff47b25d1bffe09

SHA512
679c8c2e48532dd6db9e9592c0388936e77408620f5cc97e91ac2c6a2305b6c17ae4baab0fa5d5d61c22da0de36fa66f71dda4ed4f6b4b93c71ed7953ae57937

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1064-62-0x0000000000000000-mapping.dmp

Download
memory/1088-59-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1088-60-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1732-76-0x0000000000000000-mapping.dmp

Download
memory/1732-80-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1748-69-0x0000000000000000-mapping.dmp

Download
memory/1752-71-0x0000000000000000-mapping.dmp

Download
memory/1956-65-0x0000000000000000-mapping.dmp

Download
memory/1972-64-0x0000000000000000-mapping.dmp

Download
memory/2040-61-0x0000000000000000-mapping.dmp

Download