Analysis

  • max time kernel
    39s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-07-2021 18:36

General

  • Target

    PELE_x_MARADONA.html.exe

  • Size

    273KB

  • MD5

    11553281d39824238321a82f8c1632fd

  • SHA1

    8402a2a116ff5eae08f8c2045ccde121185a27c3

  • SHA256

    c079884cdfd713a8bee346b8300a27db5efc11b35ffb6f7640e36c411f7de7a9

  • SHA512

    bc2964a48979339d512fb9b65c588e811ded7fcdd5b93620746bdf654a92a2f9eebfb46a00a6389190a54682789ebd3c15b0865b97428909b4ad413ca69fcc0f

Malware Config

Signatures

  • UAC bypass 3 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PELE_x_MARADONA.html.exe
    "C:\Users\Admin\AppData\Local\Temp\PELE_x_MARADONA.html.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\programdata\ini.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1364
      • \??\c:\ProgramData\PELExMARADONA.html.exe
        PELExMARADONA.html.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\ProgramData\PELExMARADONA.html.exe
          "C:\ProgramData\PELExMARADONA.html.exe" Administrator
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1740
          • C:\Windows\SysWOW64\cmd.exe
            cmd /k regsvr32 gbpsvs.dll /s
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1236
            • C:\Windows\SysWOW64\regsvr32.exe
              regsvr32 gbpsvs.dll /s
              6⤵
                PID:1428
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\ProgramData\PELExMARADONA.html
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:556
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:556 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:844

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\PELExMARADONA.html

      MD5

      59339fd8ecec16a9960e5ca92b4dd05e

      SHA1

      6fc6d918d5fae68babac22cd1897b72511da3f7e

      SHA256

      af36dbf0550f41ea757497bee930a6f564a684d80ac8e26d895dc32053c219c0

      SHA512

      643cdf1b53b85457e55bf93c6de49e290360823ea04639cb85cb08c5d8e2d6bbd642e864fb3c35836ae64820a8183747813a5068209540ded8250cd12c9aeca1

    • C:\ProgramData\PELExMARADONA.html.exe

      MD5

      5f001dc2e8c40f77b56e62cd60913ced

      SHA1

      f8e3a635da66f2a2c12bcf49155d2c84e96cddce

      SHA256

      3a01ad6465685c4fbab4db8176dc7ae51d27be89736cc329f51ff8b08c51ef95

      SHA512

      74b635670986dae11605d2148a84c01cafa38a49d01145166b4c98516cca561b6a91e85b35f9ce1e0bc7216b1a11f96358c06be71c8b8faf23b344cb477ce14c

    • C:\programdata\ini.bat

      MD5

      ef7437ef0ce7fd4129a68f4663d3c194

      SHA1

      f97b0255068f9e4b58d4770123115c6992506340

      SHA256

      431498ce640e6658f285eb9548a00717886ed663635ff33110144cef1704b6d3

      SHA512

      df8954fe0fe34e1ee64d4f27e26658ac02408a0056033915e4da8613f16a9da1606e41cf4a32149bcf5e35b9ffffe91139d16592631ab64f94f9a697ceef7e66

    • \??\c:\ProgramData\PELExMARADONA.html.exe

      MD5

      5f001dc2e8c40f77b56e62cd60913ced

      SHA1

      f8e3a635da66f2a2c12bcf49155d2c84e96cddce

      SHA256

      3a01ad6465685c4fbab4db8176dc7ae51d27be89736cc329f51ff8b08c51ef95

      SHA512

      74b635670986dae11605d2148a84c01cafa38a49d01145166b4c98516cca561b6a91e85b35f9ce1e0bc7216b1a11f96358c06be71c8b8faf23b344cb477ce14c

    • \??\c:\ProgramData\gbpsvs.dll

      MD5

      fa172c77abd7b03605d83cd1ae373657

      SHA1

      9785fb3254695c25c621eb4cd81cf7a2a3c8258f

      SHA256

      b0c7e6712ecbf97a1e3a14f19e3aed5dbd6553f21a2852565bfc5518925713db

      SHA512

      0e717caa53962b18936301f4bad2b5f818d74628b09399ada500571ff9a7134017a1061dbe074c14aa2fce728ee56a2d76422665f98c8a25fe7b70659cc75e45

    • \ProgramData\PELExMARADONA.html.exe

      MD5

      5f001dc2e8c40f77b56e62cd60913ced

      SHA1

      f8e3a635da66f2a2c12bcf49155d2c84e96cddce

      SHA256

      3a01ad6465685c4fbab4db8176dc7ae51d27be89736cc329f51ff8b08c51ef95

      SHA512

      74b635670986dae11605d2148a84c01cafa38a49d01145166b4c98516cca561b6a91e85b35f9ce1e0bc7216b1a11f96358c06be71c8b8faf23b344cb477ce14c

    • memory/320-59-0x0000000075051000-0x0000000075053000-memory.dmp

      Filesize

      8KB

    • memory/556-69-0x0000000000000000-mapping.dmp

    • memory/844-76-0x0000000000000000-mapping.dmp

    • memory/1236-78-0x0000000000000000-mapping.dmp

    • memory/1364-60-0x0000000000000000-mapping.dmp

    • memory/1428-80-0x0000000000000000-mapping.dmp

    • memory/1648-74-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

    • memory/1648-65-0x0000000000000000-mapping.dmp

    • memory/1740-75-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/1740-71-0x0000000000000000-mapping.dmp