3a7ce9c2729308e680c439e4032c63ff32d83f6d66ab2528d2fadb8ca7f08274

Analysis

max time kernel
360s
max time network
361s
platform
windows7_x64
resource
win7v20210410
submitted
30-06-2021 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe
Size

1.8MB
MD5

7678217358637f0e5f06128dfdc7b3e4
SHA1

0867c058cdcf861deacde7ea2fcd2b589729a3b6
SHA256

b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093
SHA512

9880f2635237f22ee1da10bd766ebc9df28e73a5ff63191c5c5cd48f6f4ce13be96de0ce03cfdfe0307746258e739102a7aaf1a40d3719099832c5b5fdb770e6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Neghi.exe.comNeghi.exe.com

pid	Process
1356	Neghi.exe.com
412	Neghi.exe.com

Loads dropped DLL 2 IoCs

Processes:

cmd.exeNeghi.exe.com

pid	Process
1288	cmd.exe
1356	Neghi.exe.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Neghi.exe.com

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Neghi.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Neghi.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1632	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.execmd.execmd.exeNeghi.exe.com

description	pid	Process	procid_target
PID 1684 wrote to memory of 2032	1684	b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe	29
PID 1684 wrote to memory of 2032	1684	b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe	29
PID 1684 wrote to memory of 2032	1684	b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe	29
PID 1684 wrote to memory of 2032	1684	b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe	29
PID 2032 wrote to memory of 1288	2032	cmd.exe	31
PID 2032 wrote to memory of 1288	2032	cmd.exe	31
PID 2032 wrote to memory of 1288	2032	cmd.exe	31
PID 2032 wrote to memory of 1288	2032	cmd.exe	31
PID 1288 wrote to memory of 1228	1288	cmd.exe	32
PID 1288 wrote to memory of 1228	1288	cmd.exe	32
PID 1288 wrote to memory of 1228	1288	cmd.exe	32
PID 1288 wrote to memory of 1228	1288	cmd.exe	32
PID 1288 wrote to memory of 1356	1288	cmd.exe	33
PID 1288 wrote to memory of 1356	1288	cmd.exe	33
PID 1288 wrote to memory of 1356	1288	cmd.exe	33
PID 1288 wrote to memory of 1356	1288	cmd.exe	33
PID 1288 wrote to memory of 1632	1288	cmd.exe	34
PID 1288 wrote to memory of 1632	1288	cmd.exe	34
PID 1288 wrote to memory of 1632	1288	cmd.exe	34
PID 1288 wrote to memory of 1632	1288	cmd.exe	34
PID 1356 wrote to memory of 412	1356	Neghi.exe.com	35
PID 1356 wrote to memory of 412	1356	Neghi.exe.com	35
PID 1356 wrote to memory of 412	1356	Neghi.exe.com	35
PID 1356 wrote to memory of 412	1356	Neghi.exe.com	35

C:\Users\Admin\AppData\Local\Temp\b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe
"C:\Users\Admin\AppData\Local\Temp\b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Ero.avi
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^nwOhgkZOkTAuHApAkWLoGKlGITnVtOaFGtNDNpuScYUkDxTFlwfAaAQOQoFxMrJvBUmDMFNePTNIPZehqSKrmRhuhZNFEMysfbKJUdSFgjLnMoY$" Bellissima.avi
      4⤵
      PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
      Neghi.exe.com f
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com f
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:412
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Affettuosa.avi

MD5
959dc63c0d554533c3f7cd9ff0fe7cab

SHA1
33039814422bf243a8d977e3a54dc045c3fca827

SHA256
7d1749ce94676c378032f4022040432f530a1f394c9184298c314e8b8e4c3a3e

SHA512
1959b4633927149dc77924537a95d7b5e5ce39e6307d0a5897b73fc8d90c48f80ce2b6691bfd5a6993b2266d23ee2d22e67eeaf46fd05aefbf43ef7751325114

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bellissima.avi

MD5
827b69d060fa94961c8248f6582c4453

SHA1
176d303d5562c7c7fe52c43139ef582796ad7b31

SHA256
770a9db5a1c79806b604d664c5a1c4131c2aa916cdb00fd41748ebc255cdbb00

SHA512
35c6b24d9f738ac6a72a35980e482ad22f10d516c4278589c308cf11b30068450491f3f1cfa381a9158b203348c00f7257f9751931c3932441eadb6a8e07bb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bruciavano.avi

MD5
4d149178e76a876ae3c4a2a17136e5d5

SHA1
586d90b45be60a58f038c84dd4c0903c0fdc9de1

SHA256
f0fac793ad1a0244696885f55af7f1e91056a23d6fa78160969a519c68a6950a

SHA512
72e8623d5deff052118672cc0018a758b0e4f8211c2b2efff2865438c63da3e586c1e1672d8201b516dc73304c58496483712663248f2d423dc2d2cbe2d6c381

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ero.avi

MD5
2dae040957f8c64e88fe86f0a4c2f808

SHA1
cd2761514cd5476b91d2ad71afc6e7262e4ff093

SHA256
b13352462e71902e29f75522288fee5d06bb3ba4f118a9c2d0b99e973cbc0f47

SHA512
710b32deffb453a83ef8d45657c9713534947e2c7793c140392fe35f236dc6ac4c4869f4bef9d09bd6e61a09d8e8666b8dba9b5ea1bac8426f94e6d0b6a18e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\f

MD5
4d149178e76a876ae3c4a2a17136e5d5

SHA1
586d90b45be60a58f038c84dd4c0903c0fdc9de1

SHA256
f0fac793ad1a0244696885f55af7f1e91056a23d6fa78160969a519c68a6950a

SHA512
72e8623d5deff052118672cc0018a758b0e4f8211c2b2efff2865438c63da3e586c1e1672d8201b516dc73304c58496483712663248f2d423dc2d2cbe2d6c381

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/412-79-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/412-75-0x0000000000000000-mapping.dmp

Download
memory/1228-64-0x0000000000000000-mapping.dmp

Download
memory/1288-63-0x0000000000000000-mapping.dmp

Download
memory/1356-68-0x0000000000000000-mapping.dmp

Download
memory/1632-70-0x0000000000000000-mapping.dmp

Download
memory/1684-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/2032-61-0x0000000000000000-mapping.dmp

Download