c91c6c4c1162115c8d7f82f2d9f4098ee61fbe9051d3350b0a2f97fa2ce3e6f2

Resubmissions

02-09-2021 19:12

210902-xwla1aeefq 10

02-09-2021 19:09

210902-xtsbjabea9 8

Analysis

max time kernel
601s
max time network
605s
platform
windows10_x64
resource
win10v20210408
submitted
02-09-2021 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anime-Fighters-Infin_734316524.exe
Size

3.9MB
MD5

bd2b73492acf20dec004360b1605032d
SHA1

60ddf3c107d94bbeb102a2d7ede945eb5edd2b35
SHA256

12b6272825140a15eabec58f97b49aed3ce5db7816a0b3c2674f6ae8746367ca
SHA512

dae236259e32a9e4b789f020dbd8082b376e3c2b56fd94523a44cf4b5a557f3661aeefc24b5605218ba0479ee1b9a8cb7b5c1df6c103673a99f13bc4210c90da

Score

10^/10

discovery suricata

Malware Config

Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpExpedita.exeAhR5fTcQ7d3AIKYU5U.exelxju7i.exevpn.exe

pid process

3988 Anime-Fighters-Infin_734316524.tmp
2572 Expedita.exe
1880 AhR5fTcQ7d3AIKYU5U.exe
3332 lxju7i.exe
1576 vpn.exe
Loads dropped DLL 2 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpAhR5fTcQ7d3AIKYU5U.exe

pid process

3988 Anime-Fighters-Infin_734316524.tmp
1880 AhR5fTcQ7d3AIKYU5U.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmp

description	ioc	process
File created	C:\Program Files (x86)\Vel\voluptas\is-T6MNB.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\magnam\Expedita.exe	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-GM8RT.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-4HKF0.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-J5DEO.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-4AQEL.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-QQK8D.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\voluptas\is-7TL9M.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-GN34K.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-U6DLB.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-9OSHD.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-8VS01.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-P0OT3.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-N9NM5.tmp	Anime-Fighters-Infin_734316524.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Expedita.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Expedita.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Expedita.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpExpedita.exe

pid	process
3988	Anime-Fighters-Infin_734316524.tmp
3988	Anime-Fighters-Infin_734316524.tmp
2572	Expedita.exe
2572	Expedita.exe
2572	Expedita.exe
2572	Expedita.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Anime-Fighters-Infin_734316524.tmpAhR5fTcQ7d3AIKYU5U.exe

pid process

3988 Anime-Fighters-Infin_734316524.tmp
1880 AhR5fTcQ7d3AIKYU5U.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Anime-Fighters-Infin_734316524.exeAnime-Fighters-Infin_734316524.tmpExpedita.exevpn.exe

description	pid	process	target process
PID 416 wrote to memory of 3988	416	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 416 wrote to memory of 3988	416	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 416 wrote to memory of 3988	416	Anime-Fighters-Infin_734316524.exe	Anime-Fighters-Infin_734316524.tmp
PID 3988 wrote to memory of 2572	3988	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 3988 wrote to memory of 2572	3988	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 3988 wrote to memory of 2572	3988	Anime-Fighters-Infin_734316524.tmp	Expedita.exe
PID 2572 wrote to memory of 1880	2572	Expedita.exe	AhR5fTcQ7d3AIKYU5U.exe
PID 2572 wrote to memory of 1880	2572	Expedita.exe	AhR5fTcQ7d3AIKYU5U.exe
PID 2572 wrote to memory of 1880	2572	Expedita.exe	AhR5fTcQ7d3AIKYU5U.exe
PID 2572 wrote to memory of 3332	2572	Expedita.exe	lxju7i.exe
PID 2572 wrote to memory of 3332	2572	Expedita.exe	lxju7i.exe
PID 2572 wrote to memory of 3332	2572	Expedita.exe	lxju7i.exe
PID 2572 wrote to memory of 1576	2572	Expedita.exe	vpn.exe
PID 2572 wrote to memory of 1576	2572	Expedita.exe	vpn.exe
PID 2572 wrote to memory of 1576	2572	Expedita.exe	vpn.exe
PID 1576 wrote to memory of 2020	1576	vpn.exe	vpn.tmp
PID 1576 wrote to memory of 2020	1576	vpn.exe	vpn.tmp
PID 1576 wrote to memory of 2020	1576	vpn.exe	vpn.tmp

C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe
"C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Local\Temp\is-86JMP.tmp\Anime-Fighters-Infin_734316524.tmp
"C:\Users\Admin\AppData\Local\Temp\is-86JMP.tmp\Anime-Fighters-Infin_734316524.tmp" /SL5="$2014A,3656070,140800,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3988

C:\Program Files (x86)\Vel\magnam\Expedita.exe
"C:\Program Files (x86)\Vel/\magnam\Expedita.exe" 32cb7aca069a0c8bb8d51fccce1d3826
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\bl8HUuOb\AhR5fTcQ7d3AIKYU5U.exe
C:\Users\Admin\AppData\Local\Temp\bl8HUuOb\AhR5fTcQ7d3AIKYU5U.exe /quiet SILENT=1 AF=606x32cb7aca069a0c8bb8d51fccce1d3826
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1880

C:\Users\Admin\AppData\Local\Temp\xEfDbKkQ\lxju7i.exe
C:\Users\Admin\AppData\Local\Temp\xEfDbKkQ\lxju7i.exe /usthree SUB=32cb7aca069a0c8bb8d51fccce1d3826
4⤵
- Executes dropped EXE
PID:3332

C:\Users\Admin\AppData\Local\Temp\3TRuEVUx\vpn.exe
C:\Users\Admin\AppData\Local\Temp\3TRuEVUx\vpn.exe /silent /subid=510x32cb7aca069a0c8bb8d51fccce1d3826
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\is-F0OBH.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F0OBH.tmp\vpn.tmp" /SL5="$302E0,15170975,270336,C:\Users\Admin\AppData\Local\Temp\3TRuEVUx\vpn.exe" /silent /subid=510x32cb7aca069a0c8bb8d51fccce1d3826
5⤵
PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Vel\magnam\Expedita.exe
MD5
8c8b1e33a4bf38b9b76bc1cbb961ed96

SHA1
cd033cf4183b91ab93ffb5ed49ce789b18009054

SHA256
7c5882ad4c9b9b10bd55c37d3390a0f19bba8c198f9db8f4497fe605d725c8a7

SHA512
4a27d39411d56281678b1b0847f2051b50d4d4730445cefe80324ae4c07f46123114b10a2c5f1857fecebf191c4116907a3bb873aba6b061fec401fcc8284e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3TRuEVUx\vpn.exe
MD5
6c703dae0a8631b944f93236d0b90331

SHA1
27d9dd4c4e8f9b1fd3c738e807909ff45c975063

SHA256
a49e9d949e8c128e98b61f3bb6606a34889bc03d9437f666b733f701fc4d6468

SHA512
b70b54f75234b72a4ff9c85d9cf209fe7ef39698b507aac07db7d94f89af1f287dfa9546ede0569879554a1385c901ab70b83b6570e0bd130e9b875c72d000ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3TRuEVUx\vpn.exe
MD5
4d4e9a82b97f7ab77b003e7ea83f5392

SHA1
33cbed5cb49a8accb5300c8841682b93c5703ed2

SHA256
a23cf8bec11a427ca1aa533eab8b251e0df800a0c88e685ea8c58455ce0c891c

SHA512
d010d990f5245311293cc1f1cfcc068869450bdbb1fef0865ab68d4aa04f641e896a4f3e727cf8fec6194b3760e02d81a9b03b0f162934642c40e4448dd0d3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl8HUuOb\AhR5fTcQ7d3AIKYU5U.exe
MD5
ba0d861ab2ce40a89cab369016f1b852

SHA1
12e3a03ba04f22395e07680a63eea0427a4ad90a

SHA256
5cec97f7759557b1a52dad26f650ed756508b5f4ccce6169941dd558bfa00584

SHA512
1445bc82928bebceef43aef66deae2484c4680b30937ff44b12ba330db179ecb361854d8da953f07f6fb5efd18fc1b3f25cfec53b3d85dc7bc4ac304efed92a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl8HUuOb\AhR5fTcQ7d3AIKYU5U.exe
MD5
ba0d861ab2ce40a89cab369016f1b852

SHA1
12e3a03ba04f22395e07680a63eea0427a4ad90a

SHA256
5cec97f7759557b1a52dad26f650ed756508b5f4ccce6169941dd558bfa00584

SHA512
1445bc82928bebceef43aef66deae2484c4680b30937ff44b12ba330db179ecb361854d8da953f07f6fb5efd18fc1b3f25cfec53b3d85dc7bc4ac304efed92a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-86JMP.tmp\Anime-Fighters-Infin_734316524.tmp
MD5
3e82d951014d6fa1f34b7ea9a6bab125

SHA1
8135d385bcb6cad13dc3f4524e6a3b4584939b22

SHA256
ec822c16b67f304645977e8b20a81b06eb9d577e890aeec33155d3b19fe61854

SHA512
4a8c24ddb0841c5e75bd6b9c1f3015c2be637827db914f4279c3445e9c82ab1eb7790b0611cafdaff99b5115ecd255d913b03e5d11c2a7d094e04a24bb1681bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-86JMP.tmp\Anime-Fighters-Infin_734316524.tmp
MD5
3e82d951014d6fa1f34b7ea9a6bab125

SHA1
8135d385bcb6cad13dc3f4524e6a3b4584939b22

SHA256
ec822c16b67f304645977e8b20a81b06eb9d577e890aeec33155d3b19fe61854

SHA512
4a8c24ddb0841c5e75bd6b9c1f3015c2be637827db914f4279c3445e9c82ab1eb7790b0611cafdaff99b5115ecd255d913b03e5d11c2a7d094e04a24bb1681bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F0OBH.tmp\vpn.tmp
MD5
351d49a2fd0b4078708cfa04e31da0ae

SHA1
5536d164ef7b01fa5081d5b7da65d315d5ad236b

SHA256
ff458f6208493d9b695fe7ba1bbc451ed5efc3ae2a8dea0bf64b39b15c646950

SHA512
9bfff9b55a03efa7ec2c4ac1590305033396128e1be0c585b63beefefb7ee5bf94131b894272949ff74d40678d2bf1767565d9f6005f629a3c314b8af847035b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEfDbKkQ\lxju7i.exe
MD5
510bdc47bcc20fb075a12a62b61fe1e8

SHA1
cc74647eba86347185b7c776cd275a75183bd6a4

SHA256
39d84e0c1fa355e2ec5f5d6080b189ca8682c831ab1ae25ebb30b24298295de6

SHA512
a947609d7953f5a15334b7666da65aca327ff1124bfd6b7d2e6b715e7595fe0c6614782861c3e9d945a070b885ac53b48cffdcf12bcb630caa0036ebaa8225d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEfDbKkQ\lxju7i.exe
MD5
510bdc47bcc20fb075a12a62b61fe1e8

SHA1
cc74647eba86347185b7c776cd275a75183bd6a4

SHA256
39d84e0c1fa355e2ec5f5d6080b189ca8682c831ab1ae25ebb30b24298295de6

SHA512
a947609d7953f5a15334b7666da65aca327ff1124bfd6b7d2e6b715e7595fe0c6614782861c3e9d945a070b885ac53b48cffdcf12bcb630caa0036ebaa8225d9

Download Submit
\Users\Admin\AppData\Local\Temp\is-J56FC.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\decoder.dll
MD5
15aa573cee52cc4c11527dee98bea20c

SHA1
32fe5da57bbe66425c3d3c89a28e7125fb0097b3

SHA256
6889ea3a9d69f176351a389f92537d521abc851d1b71b47ab21c3b821cff8622

SHA512
4b357dc6eb8bdc152b63bc0a5f5bce6196cf65e02a71d32ee6568d477b359c2a4ab04892249cfdb8712eb5c8ab1a78e675db47f8b3150cf2c107dc61032cd085

Download Submit
memory/416-118-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1576-132-0x0000000000000000-mapping.dmp

Download
memory/1880-125-0x0000000000000000-mapping.dmp

Download
memory/2020-136-0x0000000000000000-mapping.dmp

Download
memory/2572-123-0x0000000000400000-0x00000000019C2000-memory.dmp

Filesize
21.8MB

Download
memory/2572-124-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/2572-121-0x0000000000000000-mapping.dmp

Download
memory/3332-127-0x0000000000000000-mapping.dmp

Download
memory/3988-115-0x0000000000000000-mapping.dmp

Download
memory/3988-120-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download

pid	process
3988	Anime-Fighters-Infin_734316524.tmp
1880	AhR5fTcQ7d3AIKYU5U.exe