Analysis
- max time kernel: 65s
- max time network: 44s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-06-2021 05:45
- Static task: static1
- Behavioral task: behavioral1 (Sample: d18dc9cf860133016c0c244b9ad579bd.exe, Resource: win7v20210410)
General
- Target: d18dc9cf860133016c0c244b9ad579bd.exe
- Size: 1.7MB
- MD5: d18dc9cf860133016c0c244b9ad579bd
- SHA1: 1fc0e27cdab3f5ff40cac4448f4023c0693ec071
- SHA256: 0329f707c1e908925f23bc015b422526620f308142a2e75df56257ac3aec4c3a
- SHA512: 77d9135160dc9e35c3112e8036e0f39778235c3630805001b1230090fba47104ed306e30b4633dcfcd4f0440d731ba5c4a61906ec1140f78bd0b2e3241e91f1f
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  1748 Leva.exe.com
  1732 Leva.exe.com
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1972 cmd.exe
  1748 Leva.exe.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Leva.exe.com)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Leva.exe.com)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
  1088 d18dc9cf860133016c0c244b9ad579bd.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (source pid and process -> target pid and process; each pair below was recorded four times):
  1088 d18dc9cf860133016c0c244b9ad579bd.exe -> 2040 dllhost.exe
  1088 d18dc9cf860133016c0c244b9ad579bd.exe -> 1064 cmd.exe
  1064 cmd.exe -> 1972 cmd.exe
  1972 cmd.exe -> 1956 findstr.exe
  1972 cmd.exe -> 1748 Leva.exe.com
  1972 cmd.exe -> 1752 PING.EXE
  1748 Leva.exe.com -> 1732 Leva.exe.com
Processes (indentation and bracketed number give the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\d18dc9cf860133016c0c244b9ad579bd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d18dc9cf860133016c0c244b9ad579bd.exe"
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\dllhost.exe
        Command line: "C:\Windows\System32\dllhost.exe"
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cmd < Tornato.png
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\findstr.exe
                Command line: findstr /V /R "^OlSktDCltJXwMRVSSmmpBhzNzZddlihGzPuRoTcXAVxOIQjWDdCKnvzBRyRyhkZWcdHWLtJZrCIFSEtDNxMUEDiXvEZrwfKgWbaapflmGDGWNNIjqgaSnyaRpKAutGXOSxJcjMxbphhqXk$" Basso.png
            [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
                Command line: Leva.exe.com Q
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
                    Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com Q
                    - Executes dropped EXE
                    - Checks processor information in registry
            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 30
                - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files; Leva.exe.com is listed once here although the report records it several times)
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Basso.png
  MD5: 172d4c14c7654c95a3474afbf4c4c104
  SHA1: b16ec68de817985c4548bbb598de7cef365ae513
  SHA256: 4e8a9443d4d16f796dfd9f78e875bd5c0b66b69dd98c2f75fd30295e37c57119
  SHA512: 026e8afa026808f12e9605b588efe43859b8c7b49eec14607f3fa77f4791b1e63a0e773c775b0935f5cac92d130c4b2e53e1a3b20b9056d02215eb32fec42455
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Leva.exe.com
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Q
  MD5: 8979f95100c036e06a65767d1a1c0207
  SHA1: 8bbd73bdced488364eddf00da1079129e4e4e84b
  SHA256: 297ba66b2c885e6b37e81d5a6cb96d9276a12153165851b6242f48c436c4c9fb
  SHA512: 12461a986811e14cde1dd8398a4d6d2df9bd64a5fb7fb5900ab70c4c82b48236db2a06a2cab804145a6da16d55c2e6d97397913b2990ed2f44f72a01f125df65
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornarvi.png (same hashes as Q)
  MD5: 8979f95100c036e06a65767d1a1c0207
  SHA1: 8bbd73bdced488364eddf00da1079129e4e4e84b
  SHA256: 297ba66b2c885e6b37e81d5a6cb96d9276a12153165851b6242f48c436c4c9fb
  SHA512: 12461a986811e14cde1dd8398a4d6d2df9bd64a5fb7fb5900ab70c4c82b48236db2a06a2cab804145a6da16d55c2e6d97397913b2990ed2f44f72a01f125df65
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Splendido.png
  MD5: 3efcd80a02332c9b2b84390a08d541d0
  SHA1: d65943bec952053fccddd2e7865f0b50800d2283
  SHA256: fe77afd57a0a9353d6370ca8d34d9c94ef5988a16655adc93e4b36aa1e4f5337
  SHA512: 8fcfb341b8be15378505400395c86a748430f97b0981177f0debfbca37db69983a4b81acb9d9cab95f8ad82e6a74bab1cb32258167a096d327913f44024ab237
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tornato.png
  MD5: eaf43205aa58bcf0fcced0535fb97d34
  SHA1: d42827604b82edf3722d6cc29be03de04ef66748
  SHA256: 3eed6c7c13b633199b1ddac6cf2574356817cd9409b456845ff47b25d1bffe09
  SHA512: 679c8c2e48532dd6db9e9592c0388936e77408620f5cc97e91ac2c6a2305b6c17ae4baab0fa5d5d61c22da0de36fa66f71dda4ed4f6b4b93c71ed7953ae57937
Memory dumps
- memory/1064-62-0x0000000000000000-mapping.dmp
- memory/1088-59-0x0000000075A31000-0x0000000075A33000-memory.dmp (filesize 8KB)
- memory/1088-60-0x0000000075271000-0x0000000075273000-memory.dmp (filesize 8KB)
- memory/1732-76-0x0000000000000000-mapping.dmp
- memory/1732-80-0x00000000001F0000-0x00000000001F1000-memory.dmp (filesize 4KB)
- memory/1748-69-0x0000000000000000-mapping.dmp
- memory/1752-71-0x0000000000000000-mapping.dmp
- memory/1956-65-0x0000000000000000-mapping.dmp
- memory/1972-64-0x0000000000000000-mapping.dmp
- memory/2040-61-0x0000000000000000-mapping.dmp