a1c7157e3d321dc5966c65601335e053edb2c4a1e6cf4f1f678b974a4f2dbf26

Analysis

max time kernel
62s
max time network
39s
platform
windows7_x64
resource
win7v20210410
submitted
20-07-2021 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
Size

1.8MB
MD5

f268f8707a3c2a9a2ed4663e60c9cdc0
SHA1

c7ccc88111ad400b1ea72000c3179b1672c440b9
SHA256

1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
SHA512

2947657f8bf3f9258eb221e348310035c1ee059cc4693864b2e97a531b2a5df08d7c151bf9e5c7b9bb55be7b6309a349323fe548984985e59cb8bca20c0b2b97

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Perse.exe.comPerse.exe.com

pid process

1704 Perse.exe.com
1036 Perse.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exePerse.exe.com

pid process

1532 cmd.exe
1704 Perse.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1704	Perse.exe.com
1036	Perse.exe.com

pid	process
1532	cmd.exe
1704	Perse.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Perse.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Perse.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Perse.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

592 PING.EXE

pid	process
592	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.execmd.execmd.exePerse.exe.com

description	pid	process	target process
PID 1088 wrote to memory of 1280	1088	1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe	cmd.exe
PID 1088 wrote to memory of 1280	1088	1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe	cmd.exe
PID 1088 wrote to memory of 1280	1088	1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe	cmd.exe
PID 1088 wrote to memory of 1280	1088	1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe	cmd.exe
PID 1280 wrote to memory of 1532	1280	cmd.exe	cmd.exe
PID 1280 wrote to memory of 1532	1280	cmd.exe	cmd.exe
PID 1280 wrote to memory of 1532	1280	cmd.exe	cmd.exe
PID 1280 wrote to memory of 1532	1280	cmd.exe	cmd.exe
PID 1532 wrote to memory of 848	1532	cmd.exe	findstr.exe
PID 1532 wrote to memory of 848	1532	cmd.exe	findstr.exe
PID 1532 wrote to memory of 848	1532	cmd.exe	findstr.exe
PID 1532 wrote to memory of 848	1532	cmd.exe	findstr.exe
PID 1532 wrote to memory of 1704	1532	cmd.exe	Perse.exe.com
PID 1532 wrote to memory of 1704	1532	cmd.exe	Perse.exe.com
PID 1532 wrote to memory of 1704	1532	cmd.exe	Perse.exe.com
PID 1532 wrote to memory of 1704	1532	cmd.exe	Perse.exe.com
PID 1532 wrote to memory of 592	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 592	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 592	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 592	1532	cmd.exe	PING.EXE
PID 1704 wrote to memory of 1036	1704	Perse.exe.com	Perse.exe.com
PID 1704 wrote to memory of 1036	1704	Perse.exe.com	Perse.exe.com
PID 1704 wrote to memory of 1036	1704	Perse.exe.com	Perse.exe.com
PID 1704 wrote to memory of 1036	1704	Perse.exe.com	Perse.exe.com

C:\Users\Admin\AppData\Local\Temp\1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
"C:\Users\Admin\AppData\Local\Temp\1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Violenza.xlm
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CqkmdjjEEOlhgKWkVPYcnfwRywfbkgpkcVeqBydFDmsMHRGnJZYuMEIjZxzfXOafFYSaIWJPmzSYYfphxQNkdrmQj$" Folle.xlm
4⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
Perse.exe.com Z
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com Z
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1036

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disconosci.xlm
MD5
47a97b0be63ac1f3bacea1e6f1252414

SHA1
780ed9c620ab57fdd4128c415c8ce5a871bb7e91

SHA256
d1ca88afce9adccd5a856c6ebe3f939633e43e69fef6554d8009ab5e58ef6172

SHA512
6f3945988dc05e0777f0ccda2c97fda5d1b6ec964b4d355258434dd488536a8f49eac445c63643c9c5a612557f2a6ae6c4d74d5c73981ef9d48574250b3a314c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Folle.xlm
MD5
8eed5811e1194fc2cca2a5c05ec04875

SHA1
42f36d12872242b859a61efb432d5907e16c275f

SHA256
2498de94ef57fc7b9e65a3c5768cc96883d3ed263b69c1c1ab609956fa74418f

SHA512
826cb4ec2215e4241617e13e584ef288b1f6252e6bc956567db83136f2aecdf1bb1aad71391a9476461e257a5ed9ad74e4437cf75f561239bee3462ef6765af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mondo.xlm
MD5
c23f6997c92075f624a8ff943a52a4d1

SHA1
d6217f1e58bce99f5456b722b6d9ecc53f2f204c

SHA256
0492d29054f1e924e85738b3518d14f34daea68e4916cd44c6d938be9efde7f9

SHA512
ac8f7bd986d81c522976bd75eb479ed3d0821da5a5e009ccb98481834fc9695afe5bafb4702b22fb3062c602e1b790c1a626bac34ec9f71db028743622075991

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Violenza.xlm
MD5
9efd882674409221ea08ee263d3bbefb

SHA1
ab08b0c74dd9e12dff755392248d4b8163d51958

SHA256
039d5b6b3f5b6d2f8cf11cf47e9597a881d12935d7a5bb5c806a3dfd390f0091

SHA512
8c14b5ab47aa1e64827fe0d1d43b1b5c16c705067c5333dcf21637a00f10b4ea72c5390361955ade298656f5bb3169957b725eaded3b13c8be9a463e1deac37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Z
MD5
c23f6997c92075f624a8ff943a52a4d1

SHA1
d6217f1e58bce99f5456b722b6d9ecc53f2f204c

SHA256
0492d29054f1e924e85738b3518d14f34daea68e4916cd44c6d938be9efde7f9

SHA512
ac8f7bd986d81c522976bd75eb479ed3d0821da5a5e009ccb98481834fc9695afe5bafb4702b22fb3062c602e1b790c1a626bac34ec9f71db028743622075991

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/592-69-0x0000000000000000-mapping.dmp

Download
memory/848-63-0x0000000000000000-mapping.dmp

Download
memory/1036-74-0x0000000000000000-mapping.dmp

Download
memory/1036-78-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1088-59-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1280-60-0x0000000000000000-mapping.dmp

Download
memory/1532-62-0x0000000000000000-mapping.dmp

Download
memory/1704-67-0x0000000000000000-mapping.dmp

Download