Analysis
-
max time kernel
62s -
max time network
57s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
14-06-2021 19:52
Static task
static1
Behavioral task
behavioral1
Sample
a5c5b9d46d3fd53094950eb98b9e47b0.exe
Resource
win7v20210410
General
-
Target
a5c5b9d46d3fd53094950eb98b9e47b0.exe
-
Size
1.7MB
-
MD5
a5c5b9d46d3fd53094950eb98b9e47b0
-
SHA1
f81f9a34ceeada2c74075ec882c6452a61961d85
-
SHA256
90ac0149296d9e41ed0cac8e96866f26e60b7585f75dddff13f67136ef694b63
-
SHA512
f693829940df867157a68f1a49357a3413e04066e01beabb6a3bdbe041aff914a8c1889906ed6dad169e9073b07698ccd82e8e073e63245dc5d1fbcaae7a85ed
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Sta.exe.comSta.exe.compid process 1704 Sta.exe.com 1544 Sta.exe.com -
Loads dropped DLL 2 IoCs
Processes:
cmd.exeSta.exe.compid process 1808 cmd.exe 1704 Sta.exe.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Sta.exe.comdescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Sta.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Sta.exe.com -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
a5c5b9d46d3fd53094950eb98b9e47b0.exepid process 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
a5c5b9d46d3fd53094950eb98b9e47b0.execmd.execmd.exeSta.exe.comdescription pid process target process PID 1092 wrote to memory of 1928 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe dllhost.exe PID 1092 wrote to memory of 1928 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe dllhost.exe PID 1092 wrote to memory of 1928 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe dllhost.exe PID 1092 wrote to memory of 1928 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe dllhost.exe PID 1092 wrote to memory of 1804 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe cmd.exe PID 1092 wrote to memory of 1804 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe cmd.exe PID 1092 wrote to memory of 1804 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe cmd.exe PID 1092 wrote to memory of 1804 1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe cmd.exe PID 1804 wrote to memory of 1808 1804 cmd.exe cmd.exe PID 1804 wrote to memory of 1808 1804 cmd.exe cmd.exe PID 1804 wrote to memory of 1808 1804 cmd.exe cmd.exe PID 1804 wrote to memory of 1808 1804 cmd.exe cmd.exe PID 1808 wrote to memory of 1840 1808 cmd.exe findstr.exe PID 1808 wrote to memory of 1840 1808 cmd.exe findstr.exe PID 1808 wrote to memory of 1840 1808 cmd.exe findstr.exe PID 1808 wrote to memory of 1840 1808 cmd.exe findstr.exe PID 1808 wrote to memory of 1704 1808 cmd.exe Sta.exe.com PID 1808 wrote to memory of 1704 1808 cmd.exe Sta.exe.com PID 1808 wrote to memory of 1704 1808 cmd.exe Sta.exe.com PID 1808 wrote to memory of 1704 1808 cmd.exe Sta.exe.com PID 1808 wrote to memory of 1452 1808 cmd.exe PING.EXE PID 1808 wrote to memory of 1452 1808 cmd.exe PING.EXE PID 1808 wrote to memory of 1452 1808 cmd.exe PING.EXE PID 1808 wrote to memory of 1452 1808 cmd.exe PING.EXE PID 1704 wrote to memory of 1544 1704 Sta.exe.com Sta.exe.com PID 1704 wrote to memory of 1544 1704 Sta.exe.com Sta.exe.com PID 1704 wrote to memory of 1544 1704 Sta.exe.com Sta.exe.com PID 1704 wrote to memory of 1544 1704 Sta.exe.com Sta.exe.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5c5b9d46d3fd53094950eb98b9e47b0.exe"C:\Users\Admin\AppData\Local\Temp\a5c5b9d46d3fd53094950eb98b9e47b0.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Deserto.vsdm2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^lfGCPdckFjiRnqNvgIkrJzAbiqBgiajvnfnQJGsHmLuyMeuJOgYJIAYROocOOuthZKzpBWNHsEDXjcLtUSATzDOYdHeAkCSzHSywJWiRBdatWqEzbdUWGkTvWxSUUj$" Volevo.vsdm4⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.comSta.exe.com X4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com X5⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Deserto.vsdmMD5
6017d2cc300fe0991dcbba51527f7f72
SHA1c1abe4ed7cbbca25ecd4d48ada5774d458fe3ac0
SHA256eb57c3a2a513a9ad78a3070faa905a2f1faa30793b7be1225cdd31775ae72ff8
SHA5129399f0182e650ffaaff35f7e799c6a9b7a825ebcf6d1f327436f66c1d6984a5faa04b5818c3ce5c163df00b987add7ee96913602f06389f1e220d5db3dc604d4
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ora.vsdmMD5
5372cb78104b837070993e088e1b7b3d
SHA1da41fd6f286596f4af4b46e72e06920c02b59603
SHA256a06a4beab42076cd978b44c1bcf7bd320050533a0ab796362b330bce508b00d2
SHA5124e2c1e55f51aced12cf6110473047490d6da971282762e92c43f1bd84936cb6f5d38f1d3d774a88b09416f621e84652daa871180f2fe9a2f7bea52b138e31607
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Scolpire.vsdmMD5
22915acfff54d1198bd90e00b12a7679
SHA181f769ee4034dac8b8e204066bf84f732a9a5cea
SHA256b766d4eabe91ff1e8c4b5dc214c4d8d86239dca7926f1167ac99de9c20bfe223
SHA51260b77f2cc243fc69486ff5973ca5babaca55102a5834c1b8e172e3912ecce6521f000507a00be443f2f6822aec1fc25a90acceaed4dac6556cbc3cbeeae118b3
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.vsdmMD5
8800bfe35f84096582ca2e55f94be01e
SHA192960e403ae6ce188b7084f2f562451464abf1db
SHA256542256fd9a89cd7c6e6535ff995650c64020d2ec2c8fafaa191dfedb4cb9118d
SHA51218398d90db081e59abb2bafa56676f6340b9c27e97bf327a52de7a87a701b9fe06e75fdc66311c0b9e53a938a2541d090fc9636f9aeb97f909047a4fe912be98
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\XMD5
22915acfff54d1198bd90e00b12a7679
SHA181f769ee4034dac8b8e204066bf84f732a9a5cea
SHA256b766d4eabe91ff1e8c4b5dc214c4d8d86239dca7926f1167ac99de9c20bfe223
SHA51260b77f2cc243fc69486ff5973ca5babaca55102a5834c1b8e172e3912ecce6521f000507a00be443f2f6822aec1fc25a90acceaed4dac6556cbc3cbeeae118b3
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
memory/1092-59-0x00000000767B1000-0x00000000767B3000-memory.dmpFilesize
8KB
-
memory/1092-60-0x00000000750A1000-0x00000000750A3000-memory.dmpFilesize
8KB
-
memory/1452-71-0x0000000000000000-mapping.dmp
-
memory/1544-76-0x0000000000000000-mapping.dmp
-
memory/1544-80-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/1704-69-0x0000000000000000-mapping.dmp
-
memory/1804-62-0x0000000000000000-mapping.dmp
-
memory/1808-64-0x0000000000000000-mapping.dmp
-
memory/1840-65-0x0000000000000000-mapping.dmp
-
memory/1928-61-0x0000000000000000-mapping.dmp