90ac0149296d9e41ed0cac8e96866f26e60b7585f75dddff13f67136ef694b63

Analysis

max time kernel
62s
max time network
57s
platform
windows7_x64
resource
win7v20210410
submitted
14-06-2021 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5c5b9d46d3fd53094950eb98b9e47b0.exe
Size

1.7MB
MD5

a5c5b9d46d3fd53094950eb98b9e47b0
SHA1

f81f9a34ceeada2c74075ec882c6452a61961d85
SHA256

90ac0149296d9e41ed0cac8e96866f26e60b7585f75dddff13f67136ef694b63
SHA512

f693829940df867157a68f1a49357a3413e04066e01beabb6a3bdbe041aff914a8c1889906ed6dad169e9073b07698ccd82e8e073e63245dc5d1fbcaae7a85ed

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Sta.exe.comSta.exe.com

pid process

1704 Sta.exe.com
1544 Sta.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeSta.exe.com

pid process

1808 cmd.exe
1704 Sta.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1704	Sta.exe.com
1544	Sta.exe.com

pid	process
1808	cmd.exe
1704	Sta.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sta.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sta.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sta.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1452 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a5c5b9d46d3fd53094950eb98b9e47b0.exe

pid process

1092 a5c5b9d46d3fd53094950eb98b9e47b0.exe

pid	process
1452	PING.EXE

pid	process
1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a5c5b9d46d3fd53094950eb98b9e47b0.execmd.execmd.exeSta.exe.com

description	pid	process	target process
PID 1092 wrote to memory of 1928	1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe	dllhost.exe
PID 1092 wrote to memory of 1928	1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe	dllhost.exe
PID 1092 wrote to memory of 1928	1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe	dllhost.exe
PID 1092 wrote to memory of 1928	1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe	dllhost.exe
PID 1092 wrote to memory of 1804	1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe	cmd.exe
PID 1092 wrote to memory of 1804	1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe	cmd.exe
PID 1092 wrote to memory of 1804	1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe	cmd.exe
PID 1092 wrote to memory of 1804	1092	a5c5b9d46d3fd53094950eb98b9e47b0.exe	cmd.exe
PID 1804 wrote to memory of 1808	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 1808	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 1808	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 1808	1804	cmd.exe	cmd.exe
PID 1808 wrote to memory of 1840	1808	cmd.exe	findstr.exe
PID 1808 wrote to memory of 1840	1808	cmd.exe	findstr.exe
PID 1808 wrote to memory of 1840	1808	cmd.exe	findstr.exe
PID 1808 wrote to memory of 1840	1808	cmd.exe	findstr.exe
PID 1808 wrote to memory of 1704	1808	cmd.exe	Sta.exe.com
PID 1808 wrote to memory of 1704	1808	cmd.exe	Sta.exe.com
PID 1808 wrote to memory of 1704	1808	cmd.exe	Sta.exe.com
PID 1808 wrote to memory of 1704	1808	cmd.exe	Sta.exe.com
PID 1808 wrote to memory of 1452	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 1452	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 1452	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 1452	1808	cmd.exe	PING.EXE
PID 1704 wrote to memory of 1544	1704	Sta.exe.com	Sta.exe.com
PID 1704 wrote to memory of 1544	1704	Sta.exe.com	Sta.exe.com
PID 1704 wrote to memory of 1544	1704	Sta.exe.com	Sta.exe.com
PID 1704 wrote to memory of 1544	1704	Sta.exe.com	Sta.exe.com

C:\Users\Admin\AppData\Local\Temp\a5c5b9d46d3fd53094950eb98b9e47b0.exe
"C:\Users\Admin\AppData\Local\Temp\a5c5b9d46d3fd53094950eb98b9e47b0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Deserto.vsdm
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^lfGCPdckFjiRnqNvgIkrJzAbiqBgiajvnfnQJGsHmLuyMeuJOgYJIAYROocOOuthZKzpBWNHsEDXjcLtUSATzDOYdHeAkCSzHSywJWiRBdatWqEzbdUWGkTvWxSUUj$" Volevo.vsdm
4⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com
Sta.exe.com X
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com X
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1544

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Deserto.vsdm
MD5
6017d2cc300fe0991dcbba51527f7f72

SHA1
c1abe4ed7cbbca25ecd4d48ada5774d458fe3ac0

SHA256
eb57c3a2a513a9ad78a3070faa905a2f1faa30793b7be1225cdd31775ae72ff8

SHA512
9399f0182e650ffaaff35f7e799c6a9b7a825ebcf6d1f327436f66c1d6984a5faa04b5818c3ce5c163df00b987add7ee96913602f06389f1e220d5db3dc604d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ora.vsdm
MD5
5372cb78104b837070993e088e1b7b3d

SHA1
da41fd6f286596f4af4b46e72e06920c02b59603

SHA256
a06a4beab42076cd978b44c1bcf7bd320050533a0ab796362b330bce508b00d2

SHA512
4e2c1e55f51aced12cf6110473047490d6da971282762e92c43f1bd84936cb6f5d38f1d3d774a88b09416f621e84652daa871180f2fe9a2f7bea52b138e31607

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Scolpire.vsdm
MD5
22915acfff54d1198bd90e00b12a7679

SHA1
81f769ee4034dac8b8e204066bf84f732a9a5cea

SHA256
b766d4eabe91ff1e8c4b5dc214c4d8d86239dca7926f1167ac99de9c20bfe223

SHA512
60b77f2cc243fc69486ff5973ca5babaca55102a5834c1b8e172e3912ecce6521f000507a00be443f2f6822aec1fc25a90acceaed4dac6556cbc3cbeeae118b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.vsdm
MD5
8800bfe35f84096582ca2e55f94be01e

SHA1
92960e403ae6ce188b7084f2f562451464abf1db

SHA256
542256fd9a89cd7c6e6535ff995650c64020d2ec2c8fafaa191dfedb4cb9118d

SHA512
18398d90db081e59abb2bafa56676f6340b9c27e97bf327a52de7a87a701b9fe06e75fdc66311c0b9e53a938a2541d090fc9636f9aeb97f909047a4fe912be98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\X
MD5
22915acfff54d1198bd90e00b12a7679

SHA1
81f769ee4034dac8b8e204066bf84f732a9a5cea

SHA256
b766d4eabe91ff1e8c4b5dc214c4d8d86239dca7926f1167ac99de9c20bfe223

SHA512
60b77f2cc243fc69486ff5973ca5babaca55102a5834c1b8e172e3912ecce6521f000507a00be443f2f6822aec1fc25a90acceaed4dac6556cbc3cbeeae118b3

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1092-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1092-60-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1452-71-0x0000000000000000-mapping.dmp

Download
memory/1544-76-0x0000000000000000-mapping.dmp

Download
memory/1544-80-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1704-69-0x0000000000000000-mapping.dmp

Download
memory/1804-62-0x0000000000000000-mapping.dmp

Download
memory/1808-64-0x0000000000000000-mapping.dmp

Download
memory/1840-65-0x0000000000000000-mapping.dmp

Download
memory/1928-61-0x0000000000000000-mapping.dmp

Download