82d440b0f4ab1630e2e2cfe49a04ea383657ef055b33fb86db7aaa8131e2933b

Analysis

max time kernel
136s
max time network
148s
platform
windows7_x64
resource
win7v20210410
submitted
22-07-2021 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b719cba1a8c6e43a6f106a57b04962e4.exe
Size

1.4MB
MD5

b719cba1a8c6e43a6f106a57b04962e4
SHA1

80363428f99500ca7da13ad4ff5b07a97627507f
SHA256

82d440b0f4ab1630e2e2cfe49a04ea383657ef055b33fb86db7aaa8131e2933b
SHA512

0411ed00195a9bde7710718939af58a8a090d5db924e4317b499ee89dc6f1e83908045e787e36237887df738351de310b1c61da99b8df702f0033b0255935264

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Bordatino.exe.comBordatino.exe.comipconfig.exe

pid process

1776 Bordatino.exe.com
1720 Bordatino.exe.com
1172 ipconfig.exe
Drops startup file 1 IoCs

Processes:

Bordatino.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sKzQItwjjc.url Bordatino.exe.com
Loads dropped DLL 3 IoCs

Processes:

cmd.exeBordatino.exe.comBordatino.exe.com

pid process

1988 cmd.exe
1776 Bordatino.exe.com
1720 Bordatino.exe.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Bordatino.exe.com

description pid process target process

PID 1720 set thread context of 1172 1720 Bordatino.exe.com ipconfig.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1172 ipconfig.exe

pid	process
1776	Bordatino.exe.com
1720	Bordatino.exe.com
1172	ipconfig.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sKzQItwjjc.url	Bordatino.exe.com

pid	process
1988	cmd.exe
1776	Bordatino.exe.com
1720	Bordatino.exe.com

description	pid	process	target process
PID 1720 set thread context of 1172	1720	Bordatino.exe.com	ipconfig.exe

pid	process
1172	ipconfig.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ipconfig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1756 PING.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Bordatino.exe.com

pid process

1720 Bordatino.exe.com

pid	process
1756	PING.EXE

pid	process
1720	Bordatino.exe.com

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

b719cba1a8c6e43a6f106a57b04962e4.execmd.execmd.exeBordatino.exe.comBordatino.exe.com

description	pid	process	target process
PID 1904 wrote to memory of 1204	1904	b719cba1a8c6e43a6f106a57b04962e4.exe	cmd.exe
PID 1904 wrote to memory of 1204	1904	b719cba1a8c6e43a6f106a57b04962e4.exe	cmd.exe
PID 1904 wrote to memory of 1204	1904	b719cba1a8c6e43a6f106a57b04962e4.exe	cmd.exe
PID 1904 wrote to memory of 1204	1904	b719cba1a8c6e43a6f106a57b04962e4.exe	cmd.exe
PID 1204 wrote to memory of 1988	1204	cmd.exe	cmd.exe
PID 1204 wrote to memory of 1988	1204	cmd.exe	cmd.exe
PID 1204 wrote to memory of 1988	1204	cmd.exe	cmd.exe
PID 1204 wrote to memory of 1988	1204	cmd.exe	cmd.exe
PID 1988 wrote to memory of 1900	1988	cmd.exe	findstr.exe
PID 1988 wrote to memory of 1900	1988	cmd.exe	findstr.exe
PID 1988 wrote to memory of 1900	1988	cmd.exe	findstr.exe
PID 1988 wrote to memory of 1900	1988	cmd.exe	findstr.exe
PID 1988 wrote to memory of 1776	1988	cmd.exe	Bordatino.exe.com
PID 1988 wrote to memory of 1776	1988	cmd.exe	Bordatino.exe.com
PID 1988 wrote to memory of 1776	1988	cmd.exe	Bordatino.exe.com
PID 1988 wrote to memory of 1776	1988	cmd.exe	Bordatino.exe.com
PID 1988 wrote to memory of 1756	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1756	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1756	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1756	1988	cmd.exe	PING.EXE
PID 1776 wrote to memory of 1720	1776	Bordatino.exe.com	Bordatino.exe.com
PID 1776 wrote to memory of 1720	1776	Bordatino.exe.com	Bordatino.exe.com
PID 1776 wrote to memory of 1720	1776	Bordatino.exe.com	Bordatino.exe.com
PID 1776 wrote to memory of 1720	1776	Bordatino.exe.com	Bordatino.exe.com
PID 1720 wrote to memory of 1172	1720	Bordatino.exe.com	ipconfig.exe
PID 1720 wrote to memory of 1172	1720	Bordatino.exe.com	ipconfig.exe
PID 1720 wrote to memory of 1172	1720	Bordatino.exe.com	ipconfig.exe
PID 1720 wrote to memory of 1172	1720	Bordatino.exe.com	ipconfig.exe
PID 1720 wrote to memory of 1172	1720	Bordatino.exe.com	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\b719cba1a8c6e43a6f106a57b04962e4.exe
"C:\Users\Admin\AppData\Local\Temp\b719cba1a8c6e43a6f106a57b04962e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Pura.vssm
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mDHHnooFzwuKWdLxXAvOmqexElRneQaCvwawdMkcQdyHAkGxAHZauWenBjehsKCCIDhUYKrkfwXoVxUaEvXxRZvAZTAtJXtuNCYXYLvQENryYTDusKJU$" Cancellata.vssm
4⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
Bordatino.exe.com s
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com s
5⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
6⤵
- Executes dropped EXE
- Gathers network information
- Modifies system certificate store
PID:1172

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cancellata.vssm
MD5
109e6e188cb1ad77da3429a6009249aa

SHA1
9ed81e2b0bd55f7e438f006239f5506fb4a416c1

SHA256
6f64e592ef82dc57d63af01e83674a5a24c2cc92ab18cb8f9890540dfe84fdb2

SHA512
c7f6fd5e0289ba79937a31c972cefe636c45827808a39fdbf81e4323842951d303c739aaea405f784141473ff5c43f43a7d69f8aacf60ccfc8f3b2e6c4adda35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.vssm
MD5
cec8939061135d686ced9eba7873d51a

SHA1
be692ac4a46f38394b75d3874dec18c4e542755f

SHA256
5bdfc21e26db8ad198c143da236894580055144b255c00227268dafc97afc37c

SHA512
f2c0f1fa78dc0448c2f234bff0154f051de2281e2180a2c65081a0b05f0d032d2b08f28fb8865ba93021d84d2fa39cd581ba1d9d5e96f8abf54ec3242dcbb935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pura.vssm
MD5
6c9fe73eff8e55c855ce458c652fb937

SHA1
37337f6200e7bea84a9aed760efc3b9ac3845153

SHA256
3d30821ae38a2bf3cfcb096818059906e5fc6a81fbd7367715074c5740b92807

SHA512
47e9432fceb61f98372166af4f621ad0679e98331e55557fd08c056894e0205c9b760d96120440108309e8abfef5128202c60ef64b7be021d6217cb4d4a27266

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ripreso.vssm
MD5
2fc0e0bd6c824d35d37d5e1ed6fa1bc8

SHA1
0f24df48fcac1ac480fcc956e46f351b9a1d5e7e

SHA256
8cbdc958498f239f156d4f42b9707e0db57ed98802485a0bb29b8e8a5c93e02c

SHA512
9e8ca655e107a1f314425d2c0eeec1967c1220f8d1fb9a002f140cba9e32707caad08b658d952d732326dd636ce83bd8215603e3413230488c0e98ec622a27be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
MD5
cabb20e171770ff64614a54c1f31c033

SHA1
ea18043fedaf888f04c07f71f2006f3f479c0b41

SHA256
c0e3087d87c84776fe7ffca768a0793c02d28e34a821f0c9da32339af8e7e6a6

SHA512
a6a6beff693f2e2c71c0d8e12f6964e789aa4b370c1e0191b2b0ff038801fdb0038a54c0a8f2dbc0d399d2c016f89701c6b6275b3a2b6fa74fb2a5ea817c2d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\s
MD5
2fc0e0bd6c824d35d37d5e1ed6fa1bc8

SHA1
0f24df48fcac1ac480fcc956e46f351b9a1d5e7e

SHA256
8cbdc958498f239f156d4f42b9707e0db57ed98802485a0bb29b8e8a5c93e02c

SHA512
9e8ca655e107a1f314425d2c0eeec1967c1220f8d1fb9a002f140cba9e32707caad08b658d952d732326dd636ce83bd8215603e3413230488c0e98ec622a27be

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
MD5
cabb20e171770ff64614a54c1f31c033

SHA1
ea18043fedaf888f04c07f71f2006f3f479c0b41

SHA256
c0e3087d87c84776fe7ffca768a0793c02d28e34a821f0c9da32339af8e7e6a6

SHA512
a6a6beff693f2e2c71c0d8e12f6964e789aa4b370c1e0191b2b0ff038801fdb0038a54c0a8f2dbc0d399d2c016f89701c6b6275b3a2b6fa74fb2a5ea817c2d3b

Download Submit
memory/1172-85-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1172-81-0x000000000044003F-mapping.dmp

Download
memory/1204-61-0x0000000000000000-mapping.dmp

Download
memory/1720-79-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1720-84-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/1720-75-0x0000000000000000-mapping.dmp

Download
memory/1756-70-0x0000000000000000-mapping.dmp

Download
memory/1776-68-0x0000000000000000-mapping.dmp

Download
memory/1900-64-0x0000000000000000-mapping.dmp

Download
memory/1904-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1988-63-0x0000000000000000-mapping.dmp

Download