Overview
overview
10Static
static
1006ffb7bbd7...da3906
linux_amd64
06ffb7bbd7...da3906
linux_mipsel
06ffb7bbd7...da3906
linux_mips
154080c584...95.msi
windows7_x64
8154080c584...95.msi
windows10_x64
81650ced30c...c5.exe
windows7_x64
1650ced30c...c5.exe
windows10_x64
1a70a7de8a...4a.exe
windows7_x64
81a70a7de8a...4a.exe
windows10_x64
8ISSUES INV....1.exe
windows7_x64
10ISSUES INV....1.exe
windows10_x64
10350fbd43ce...ed.exe
windows7_x64
350fbd43ce...ed.exe
windows10_x64
44faf11719...12.exe
windows7_x64
144faf11719...12.exe
windows10_x64
14853dc09bb...5f6.js
windows7_x64
14853dc09bb...5f6.js
windows10_x64
14ba637df90...3f4a9e
linux_amd64
4ba637df90...3f4a9e
linux_mipsel
4ba637df90...3f4a9e
linux_mips
4f8c1840d6...92df06
linux_amd64
4f8c1840d6...92df06
linux_mipsel
4f8c1840d6...92df06
linux_mips
623534bf15...72.vbs
windows7_x64
10623534bf15...72.vbs
windows10_x64
1065df637db2...00083b
linux_amd64
65df637db2...00083b
linux_mipsel
65df637db2...00083b
linux_mips
717ad3ee2b...47.dll
windows7_x64
10717ad3ee2b...47.dll
windows10_x64
1071ba20bdd8...99.pps
windows7_x64
1071ba20bdd8...99.pps
windows10_x64
10Analysis
-
max time kernel
62s -
max time network
39s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
20-07-2021 13:07
Behavioral task
behavioral1
Sample
06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
Resource
ubuntu-amd64
Behavioral task
behavioral2
Sample
06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
Resource
debian9-mipsel
Behavioral task
behavioral3
Sample
06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
Resource
debian9-mipsbe
Behavioral task
behavioral4
Sample
154080c5844ed76332320fcf3f1773391d80200f18f9025fd05b55b86f8ff795.msi
Resource
win7v20210408
Behavioral task
behavioral5
Sample
154080c5844ed76332320fcf3f1773391d80200f18f9025fd05b55b86f8ff795.msi
Resource
win10v20210410
Behavioral task
behavioral6
Sample
1650ced30cfb68451bb432b44f72fa93687d95d83f70fa039658d8cb665508c5.exe
Resource
win7v20210410
Behavioral task
behavioral7
Sample
1650ced30cfb68451bb432b44f72fa93687d95d83f70fa039658d8cb665508c5.exe
Resource
win10v20210410
Behavioral task
behavioral8
Sample
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
Resource
win7v20210410
Behavioral task
behavioral9
Sample
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
Resource
win10v20210408
Behavioral task
behavioral10
Sample
ISSUES INVOICE E-4136 REV.1.exe
Resource
win7v20210410
Behavioral task
behavioral11
Sample
ISSUES INVOICE E-4136 REV.1.exe
Resource
win10v20210408
Behavioral task
behavioral12
Sample
350fbd43ce6f7d1d3d636aa5b94187d4dcc8e866527cfdc9c9ce226aea3500ed.exe
Resource
win7v20210408
Behavioral task
behavioral13
Sample
350fbd43ce6f7d1d3d636aa5b94187d4dcc8e866527cfdc9c9ce226aea3500ed.exe
Resource
win10v20210410
Behavioral task
behavioral14
Sample
44faf11719b3a679e7a6dd5db40033ec4dd6e1b0361c145b81586cb735a64112.exe
Resource
win7v20210408
Behavioral task
behavioral15
Sample
44faf11719b3a679e7a6dd5db40033ec4dd6e1b0361c145b81586cb735a64112.exe
Resource
win10v20210408
Behavioral task
behavioral16
Sample
4853dc09bbd4a61610a354d5fcd0f9e376e284124c5ff949ba49457eed1f55f6.js
Resource
win7v20210410
Behavioral task
behavioral17
Sample
4853dc09bbd4a61610a354d5fcd0f9e376e284124c5ff949ba49457eed1f55f6.js
Resource
win10v20210408
Behavioral task
behavioral18
Sample
4ba637df90076330cdace697a87aafc6dd1d1b3a35b4ad924aad80aa7c3f4a9e
Resource
ubuntu-amd64
Behavioral task
behavioral19
Sample
4ba637df90076330cdace697a87aafc6dd1d1b3a35b4ad924aad80aa7c3f4a9e
Resource
debian9-mipsel
Behavioral task
behavioral20
Sample
4ba637df90076330cdace697a87aafc6dd1d1b3a35b4ad924aad80aa7c3f4a9e
Resource
debian9-mipsbe
Behavioral task
behavioral21
Sample
4f8c1840d692d8248f3b7cb478acfbb7e65bdeecd64790a163eaa0db5592df06
Resource
ubuntu-amd64
Behavioral task
behavioral22
Sample
4f8c1840d692d8248f3b7cb478acfbb7e65bdeecd64790a163eaa0db5592df06
Resource
debian9-mipsel
Behavioral task
behavioral23
Sample
4f8c1840d692d8248f3b7cb478acfbb7e65bdeecd64790a163eaa0db5592df06
Resource
debian9-mipsbe
Behavioral task
behavioral24
Sample
623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs
Resource
win7v20210410
Behavioral task
behavioral25
Sample
623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs
Resource
win10v20210410
Behavioral task
behavioral26
Sample
65df637db227ff1685bdf82ab676de4ed70bffd4c96e6cde70d575217700083b
Resource
ubuntu-amd64
Behavioral task
behavioral27
Sample
65df637db227ff1685bdf82ab676de4ed70bffd4c96e6cde70d575217700083b
Resource
debian9-mipsel
Behavioral task
behavioral28
Sample
65df637db227ff1685bdf82ab676de4ed70bffd4c96e6cde70d575217700083b
Resource
debian9-mipsbe
Behavioral task
behavioral29
Sample
717ad3ee2b9ae94aac5bd01bce9bb945d8c620e3a60f241864dede3646f3dd47.dll
Resource
win7v20210410
Behavioral task
behavioral30
Sample
717ad3ee2b9ae94aac5bd01bce9bb945d8c620e3a60f241864dede3646f3dd47.dll
Resource
win10v20210410
Behavioral task
behavioral31
Sample
71ba20bdd899fde2a4e2967bc6c719f2c96146cc80c3dd8953431cb82d4df199.pps
Resource
win7v20210408
Behavioral task
behavioral32
Sample
71ba20bdd899fde2a4e2967bc6c719f2c96146cc80c3dd8953431cb82d4df199.pps
Resource
win10v20210410
General
-
Target
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
-
Size
1.8MB
-
MD5
f268f8707a3c2a9a2ed4663e60c9cdc0
-
SHA1
c7ccc88111ad400b1ea72000c3179b1672c440b9
-
SHA256
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
-
SHA512
2947657f8bf3f9258eb221e348310035c1ee059cc4693864b2e97a531b2a5df08d7c151bf9e5c7b9bb55be7b6309a349323fe548984985e59cb8bca20c0b2b97
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Perse.exe.comPerse.exe.compid process 1704 Perse.exe.com 1036 Perse.exe.com -
Loads dropped DLL 2 IoCs
Processes:
cmd.exePerse.exe.compid process 1532 cmd.exe 1704 Perse.exe.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Perse.exe.comdescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Perse.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Perse.exe.com -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.execmd.execmd.exePerse.exe.comdescription pid process target process PID 1088 wrote to memory of 1280 1088 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe cmd.exe PID 1088 wrote to memory of 1280 1088 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe cmd.exe PID 1088 wrote to memory of 1280 1088 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe cmd.exe PID 1088 wrote to memory of 1280 1088 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe cmd.exe PID 1280 wrote to memory of 1532 1280 cmd.exe cmd.exe PID 1280 wrote to memory of 1532 1280 cmd.exe cmd.exe PID 1280 wrote to memory of 1532 1280 cmd.exe cmd.exe PID 1280 wrote to memory of 1532 1280 cmd.exe cmd.exe PID 1532 wrote to memory of 848 1532 cmd.exe findstr.exe PID 1532 wrote to memory of 848 1532 cmd.exe findstr.exe PID 1532 wrote to memory of 848 1532 cmd.exe findstr.exe PID 1532 wrote to memory of 848 1532 cmd.exe findstr.exe PID 1532 wrote to memory of 1704 1532 cmd.exe Perse.exe.com PID 1532 wrote to memory of 1704 1532 cmd.exe Perse.exe.com PID 1532 wrote to memory of 1704 1532 cmd.exe Perse.exe.com PID 1532 wrote to memory of 1704 1532 cmd.exe Perse.exe.com PID 1532 wrote to memory of 592 1532 cmd.exe PING.EXE PID 1532 wrote to memory of 592 1532 cmd.exe PING.EXE PID 1532 wrote to memory of 592 1532 cmd.exe PING.EXE PID 1532 wrote to memory of 592 1532 cmd.exe PING.EXE PID 1704 wrote to memory of 1036 1704 Perse.exe.com Perse.exe.com PID 1704 wrote to memory of 1036 1704 Perse.exe.com Perse.exe.com PID 1704 wrote to memory of 1036 1704 Perse.exe.com Perse.exe.com PID 1704 wrote to memory of 1036 1704 Perse.exe.com Perse.exe.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe"C:\Users\Admin\AppData\Local\Temp\1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Violenza.xlm2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^CqkmdjjEEOlhgKWkVPYcnfwRywfbkgpkcVeqBydFDmsMHRGnJZYuMEIjZxzfXOafFYSaIWJPmzSYYfphxQNkdrmQj$" Folle.xlm4⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comPerse.exe.com Z4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com Z5⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disconosci.xlmMD5
47a97b0be63ac1f3bacea1e6f1252414
SHA1780ed9c620ab57fdd4128c415c8ce5a871bb7e91
SHA256d1ca88afce9adccd5a856c6ebe3f939633e43e69fef6554d8009ab5e58ef6172
SHA5126f3945988dc05e0777f0ccda2c97fda5d1b6ec964b4d355258434dd488536a8f49eac445c63643c9c5a612557f2a6ae6c4d74d5c73981ef9d48574250b3a314c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Folle.xlmMD5
8eed5811e1194fc2cca2a5c05ec04875
SHA142f36d12872242b859a61efb432d5907e16c275f
SHA2562498de94ef57fc7b9e65a3c5768cc96883d3ed263b69c1c1ab609956fa74418f
SHA512826cb4ec2215e4241617e13e584ef288b1f6252e6bc956567db83136f2aecdf1bb1aad71391a9476461e257a5ed9ad74e4437cf75f561239bee3462ef6765af5
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mondo.xlmMD5
c23f6997c92075f624a8ff943a52a4d1
SHA1d6217f1e58bce99f5456b722b6d9ecc53f2f204c
SHA2560492d29054f1e924e85738b3518d14f34daea68e4916cd44c6d938be9efde7f9
SHA512ac8f7bd986d81c522976bd75eb479ed3d0821da5a5e009ccb98481834fc9695afe5bafb4702b22fb3062c602e1b790c1a626bac34ec9f71db028743622075991
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Violenza.xlmMD5
9efd882674409221ea08ee263d3bbefb
SHA1ab08b0c74dd9e12dff755392248d4b8163d51958
SHA256039d5b6b3f5b6d2f8cf11cf47e9597a881d12935d7a5bb5c806a3dfd390f0091
SHA5128c14b5ab47aa1e64827fe0d1d43b1b5c16c705067c5333dcf21637a00f10b4ea72c5390361955ade298656f5bb3169957b725eaded3b13c8be9a463e1deac37c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ZMD5
c23f6997c92075f624a8ff943a52a4d1
SHA1d6217f1e58bce99f5456b722b6d9ecc53f2f204c
SHA2560492d29054f1e924e85738b3518d14f34daea68e4916cd44c6d938be9efde7f9
SHA512ac8f7bd986d81c522976bd75eb479ed3d0821da5a5e009ccb98481834fc9695afe5bafb4702b22fb3062c602e1b790c1a626bac34ec9f71db028743622075991
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
memory/592-69-0x0000000000000000-mapping.dmp
-
memory/848-63-0x0000000000000000-mapping.dmp
-
memory/1036-74-0x0000000000000000-mapping.dmp
-
memory/1036-78-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/1088-59-0x0000000076E11000-0x0000000076E13000-memory.dmpFilesize
8KB
-
memory/1280-60-0x0000000000000000-mapping.dmp
-
memory/1532-62-0x0000000000000000-mapping.dmp
-
memory/1704-67-0x0000000000000000-mapping.dmp