82d440b0f4ab1630e2e2cfe49a04ea383657ef055b33fb86db7aaa8131e2933b

Analysis

max time kernel
142s
max time network
154s
platform
windows10_x64
resource
win10v20210408
submitted
22-07-2021 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b719cba1a8c6e43a6f106a57b04962e4.exe
Size

1.4MB
MD5

b719cba1a8c6e43a6f106a57b04962e4
SHA1

80363428f99500ca7da13ad4ff5b07a97627507f
SHA256

82d440b0f4ab1630e2e2cfe49a04ea383657ef055b33fb86db7aaa8131e2933b
SHA512

0411ed00195a9bde7710718939af58a8a090d5db924e4317b499ee89dc6f1e83908045e787e36237887df738351de310b1c61da99b8df702f0033b0255935264

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Bordatino.exe.comBordatino.exe.comipconfig.exe

pid process

200 Bordatino.exe.com
2660 Bordatino.exe.com
3676 ipconfig.exe
Drops startup file 1 IoCs

Processes:

Bordatino.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sKzQItwjjc.url Bordatino.exe.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Bordatino.exe.com

description pid process target process

PID 2660 set thread context of 3676 2660 Bordatino.exe.com ipconfig.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3676 ipconfig.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

820 PING.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Bordatino.exe.com

pid process

2660 Bordatino.exe.com

pid	process
200	Bordatino.exe.com
2660	Bordatino.exe.com
3676	ipconfig.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sKzQItwjjc.url	Bordatino.exe.com

description	pid	process	target process
PID 2660 set thread context of 3676	2660	Bordatino.exe.com	ipconfig.exe

pid	process
3676	ipconfig.exe

pid	process
820	PING.EXE

pid	process
2660	Bordatino.exe.com

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

b719cba1a8c6e43a6f106a57b04962e4.execmd.execmd.exeBordatino.exe.comBordatino.exe.com

description	pid	process	target process
PID 636 wrote to memory of 2160	636	b719cba1a8c6e43a6f106a57b04962e4.exe	cmd.exe
PID 636 wrote to memory of 2160	636	b719cba1a8c6e43a6f106a57b04962e4.exe	cmd.exe
PID 636 wrote to memory of 2160	636	b719cba1a8c6e43a6f106a57b04962e4.exe	cmd.exe
PID 2160 wrote to memory of 3156	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 3156	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 3156	2160	cmd.exe	cmd.exe
PID 3156 wrote to memory of 2676	3156	cmd.exe	findstr.exe
PID 3156 wrote to memory of 2676	3156	cmd.exe	findstr.exe
PID 3156 wrote to memory of 2676	3156	cmd.exe	findstr.exe
PID 3156 wrote to memory of 200	3156	cmd.exe	Bordatino.exe.com
PID 3156 wrote to memory of 200	3156	cmd.exe	Bordatino.exe.com
PID 3156 wrote to memory of 200	3156	cmd.exe	Bordatino.exe.com
PID 3156 wrote to memory of 820	3156	cmd.exe	PING.EXE
PID 3156 wrote to memory of 820	3156	cmd.exe	PING.EXE
PID 3156 wrote to memory of 820	3156	cmd.exe	PING.EXE
PID 200 wrote to memory of 2660	200	Bordatino.exe.com	Bordatino.exe.com
PID 200 wrote to memory of 2660	200	Bordatino.exe.com	Bordatino.exe.com
PID 200 wrote to memory of 2660	200	Bordatino.exe.com	Bordatino.exe.com
PID 2660 wrote to memory of 3676	2660	Bordatino.exe.com	ipconfig.exe
PID 2660 wrote to memory of 3676	2660	Bordatino.exe.com	ipconfig.exe
PID 2660 wrote to memory of 3676	2660	Bordatino.exe.com	ipconfig.exe
PID 2660 wrote to memory of 3676	2660	Bordatino.exe.com	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\b719cba1a8c6e43a6f106a57b04962e4.exe
"C:\Users\Admin\AppData\Local\Temp\b719cba1a8c6e43a6f106a57b04962e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Pura.vssm
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mDHHnooFzwuKWdLxXAvOmqexElRneQaCvwawdMkcQdyHAkGxAHZauWenBjehsKCCIDhUYKrkfwXoVxUaEvXxRZvAZTAtJXtuNCYXYLvQENryYTDusKJU$" Cancellata.vssm
4⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
Bordatino.exe.com s
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com s
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
6⤵
- Executes dropped EXE
- Gathers network information
PID:3676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bordatino.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cancellata.vssm
MD5
109e6e188cb1ad77da3429a6009249aa

SHA1
9ed81e2b0bd55f7e438f006239f5506fb4a416c1

SHA256
6f64e592ef82dc57d63af01e83674a5a24c2cc92ab18cb8f9890540dfe84fdb2

SHA512
c7f6fd5e0289ba79937a31c972cefe636c45827808a39fdbf81e4323842951d303c739aaea405f784141473ff5c43f43a7d69f8aacf60ccfc8f3b2e6c4adda35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Era.vssm
MD5
cec8939061135d686ced9eba7873d51a

SHA1
be692ac4a46f38394b75d3874dec18c4e542755f

SHA256
5bdfc21e26db8ad198c143da236894580055144b255c00227268dafc97afc37c

SHA512
f2c0f1fa78dc0448c2f234bff0154f051de2281e2180a2c65081a0b05f0d032d2b08f28fb8865ba93021d84d2fa39cd581ba1d9d5e96f8abf54ec3242dcbb935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pura.vssm
MD5
6c9fe73eff8e55c855ce458c652fb937

SHA1
37337f6200e7bea84a9aed760efc3b9ac3845153

SHA256
3d30821ae38a2bf3cfcb096818059906e5fc6a81fbd7367715074c5740b92807

SHA512
47e9432fceb61f98372166af4f621ad0679e98331e55557fd08c056894e0205c9b760d96120440108309e8abfef5128202c60ef64b7be021d6217cb4d4a27266

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ripreso.vssm
MD5
2fc0e0bd6c824d35d37d5e1ed6fa1bc8

SHA1
0f24df48fcac1ac480fcc956e46f351b9a1d5e7e

SHA256
8cbdc958498f239f156d4f42b9707e0db57ed98802485a0bb29b8e8a5c93e02c

SHA512
9e8ca655e107a1f314425d2c0eeec1967c1220f8d1fb9a002f140cba9e32707caad08b658d952d732326dd636ce83bd8215603e3413230488c0e98ec622a27be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
MD5
a69ba0e84d1a6b853acf752969d3f937

SHA1
ff1bee9468afc6c4ff82cba3f5ae13842ea07f0c

SHA256
01cbe910e5d343c25e9066ccc7f8777a79b0d3e210aa2fb7e4428ab259712469

SHA512
fd4fa4b978b746638bd847fce9dfa9bc9c0ab5c91fb989e9aeea147a4a35e2326586ec04d80bdab6b21d06b2f41e870e9f588aeca27fc3473e3fca0973e60eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\s
MD5
2fc0e0bd6c824d35d37d5e1ed6fa1bc8

SHA1
0f24df48fcac1ac480fcc956e46f351b9a1d5e7e

SHA256
8cbdc958498f239f156d4f42b9707e0db57ed98802485a0bb29b8e8a5c93e02c

SHA512
9e8ca655e107a1f314425d2c0eeec1967c1220f8d1fb9a002f140cba9e32707caad08b658d952d732326dd636ce83bd8215603e3413230488c0e98ec622a27be

Download Submit
memory/200-120-0x0000000000000000-mapping.dmp

Download
memory/820-122-0x0000000000000000-mapping.dmp

Download
memory/2160-114-0x0000000000000000-mapping.dmp

Download
memory/2660-124-0x0000000000000000-mapping.dmp

Download
memory/2660-131-0x0000000005080000-0x0000000005082000-memory.dmp

Filesize
8KB

Download
memory/2660-130-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2676-117-0x0000000000000000-mapping.dmp

Download
memory/3156-116-0x0000000000000000-mapping.dmp

Download
memory/3676-128-0x000000000044003F-mapping.dmp

Download
memory/3676-132-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download