9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295

Analysis

max time kernel
121s
max time network
164s
platform
windows7_x64
resource
win7v20210410
submitted
13-06-2021 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe
Size

1.7MB
MD5

e1b1b906b90d0996a66f7132aea2add6
SHA1

6f1957598ee5f9bef19313d10665d599353960f9
SHA256

9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295
SHA512

dd877760b1ae888df1d15d482b34e24dd5f382a45d5b31d97d22483fced48dcbc385c0bb5d75a266634d0ed19cc1da4afc87c1242eeeadbb71c148c475b85083

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Chiamando.exe.comChiamando.exe.com

pid process

1768 Chiamando.exe.com
1120 Chiamando.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeChiamando.exe.com

pid process

1056 cmd.exe
1768 Chiamando.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1768	Chiamando.exe.com
1120	Chiamando.exe.com

pid	process
1056	cmd.exe
1768	Chiamando.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chiamando.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Chiamando.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Chiamando.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1716 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe

pid process

1308 9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe

pid	process
1716	PING.EXE

pid	process
1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.execmd.execmd.exeChiamando.exe.com

description	pid	process	target process
PID 1308 wrote to memory of 1980	1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe	dllhost.exe
PID 1308 wrote to memory of 1980	1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe	dllhost.exe
PID 1308 wrote to memory of 1980	1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe	dllhost.exe
PID 1308 wrote to memory of 1980	1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe	dllhost.exe
PID 1308 wrote to memory of 1976	1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe	cmd.exe
PID 1308 wrote to memory of 1976	1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe	cmd.exe
PID 1308 wrote to memory of 1976	1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe	cmd.exe
PID 1308 wrote to memory of 1976	1308	9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe	cmd.exe
PID 1976 wrote to memory of 1056	1976	cmd.exe	cmd.exe
PID 1976 wrote to memory of 1056	1976	cmd.exe	cmd.exe
PID 1976 wrote to memory of 1056	1976	cmd.exe	cmd.exe
PID 1976 wrote to memory of 1056	1976	cmd.exe	cmd.exe
PID 1056 wrote to memory of 1720	1056	cmd.exe	findstr.exe
PID 1056 wrote to memory of 1720	1056	cmd.exe	findstr.exe
PID 1056 wrote to memory of 1720	1056	cmd.exe	findstr.exe
PID 1056 wrote to memory of 1720	1056	cmd.exe	findstr.exe
PID 1056 wrote to memory of 1768	1056	cmd.exe	Chiamando.exe.com
PID 1056 wrote to memory of 1768	1056	cmd.exe	Chiamando.exe.com
PID 1056 wrote to memory of 1768	1056	cmd.exe	Chiamando.exe.com
PID 1056 wrote to memory of 1768	1056	cmd.exe	Chiamando.exe.com
PID 1056 wrote to memory of 1716	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1716	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1716	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1716	1056	cmd.exe	PING.EXE
PID 1768 wrote to memory of 1120	1768	Chiamando.exe.com	Chiamando.exe.com
PID 1768 wrote to memory of 1120	1768	Chiamando.exe.com	Chiamando.exe.com
PID 1768 wrote to memory of 1120	1768	Chiamando.exe.com	Chiamando.exe.com
PID 1768 wrote to memory of 1120	1768	Chiamando.exe.com	Chiamando.exe.com

C:\Users\Admin\AppData\Local\Temp\9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe
"C:\Users\Admin\AppData\Local\Temp\9d27976b21da5fc419da598ea44456a528b9fbf83f24fc5e14f697f610a5b295.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Impedisce.pptm
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^wagEkAdCleHJqaSSdYHKLqULPpcBuUcgiylPKnulHizoVYqpafEPVEewbDOeyPvfGaBVoeiSRvrEGMPQokoQdGzDepaiJtyRKtCCbywdiLXnAnxLNYUTGFYqYYSZJqoNskTCp$" Per.pptm
4⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
Chiamando.exe.com U
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com U
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1120

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chi.pptm
MD5
e110ce72625078d547c886a740e68c57

SHA1
215779e0efb7b7c9d9565ae0bc3fcdb75615aabe

SHA256
53b4d7f48f4beadf64fc47329e221fabee171a22458f75de5bcaf39d22e33ff9

SHA512
82840e046fd15b970ed5124d15db4cc47dacc80f8cec9492bb26a0de97a008690d3ab95a05ad0c53cda8d44eb4d412a417699bb34211e482f449534d6fff1673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Impedisce.pptm
MD5
d17fc67d0b5c5935aa4b830c9507b948

SHA1
beffdceb7356942c4b66f5325040c73229dc88b1

SHA256
6da630d00bf32ef1601dc2340bd5aa5a3ea2ef7c41ea7cf2ced6da52a1063132

SHA512
39b3dec3f5b12aa9240265eef49663c8c4ac5d595d6a3e57ef4bd4d5469bf2939e5ad3aabc74a3a5c4ef58192e75730e058612af0de02586cf6eb6321ff0fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Per.pptm
MD5
30fce572d6ac11368a49ca0383b967fb

SHA1
2630d72c33213dddce822a4342177dbad60e8bfb

SHA256
36be6115204a59a7396a9c80309c97d4d57531e6bc9c1d4c993428d69f5512f2

SHA512
d4857d4cd095fe97e0916a9609bc7e332b92edfbb0d945ee32b8b4fffd6e1dec82bfdd60964712020b7ad3ba50b881eb8a69b13612ce5e5a9d78609b4e88b476

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\U
MD5
e110ce72625078d547c886a740e68c57

SHA1
215779e0efb7b7c9d9565ae0bc3fcdb75615aabe

SHA256
53b4d7f48f4beadf64fc47329e221fabee171a22458f75de5bcaf39d22e33ff9

SHA512
82840e046fd15b970ed5124d15db4cc47dacc80f8cec9492bb26a0de97a008690d3ab95a05ad0c53cda8d44eb4d412a417699bb34211e482f449534d6fff1673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.pptm
MD5
369210a42bfd6b07df2fc02d118e5fe6

SHA1
56d6250b99e63361fe4a325f1d54d3ca3f5ee1f8

SHA256
9e5d8edbaccfc2afa94b6361f877ecd6a5a55ff0adc1a930b5e28127a4909e3d

SHA512
c05095cd6d34398e62ae119ed3dc4397ce3b9d7a036e71322f25f372895d9ef342ff34cfd3ee04f74cbf0949750801657ec1a5aec3e4c487f8174415a250248f

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1056-65-0x0000000000000000-mapping.dmp

Download
memory/1120-77-0x0000000000000000-mapping.dmp

Download
memory/1120-81-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1308-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1308-61-0x0000000074CB1000-0x0000000074CB3000-memory.dmp

Filesize
8KB

Download
memory/1716-72-0x0000000000000000-mapping.dmp

Download
memory/1720-66-0x0000000000000000-mapping.dmp

Download
memory/1768-70-0x0000000000000000-mapping.dmp

Download
memory/1976-63-0x0000000000000000-mapping.dmp

Download
memory/1980-62-0x0000000000000000-mapping.dmp

Download