Score  Sample                   Platform
10     01/2015.5.27/01.vir      windows7_x64
3      01/2015.5.27/01.vir      windows10_x64
3      PER-DCOMP-...ao.dll      windows7_x64
1      PER-DCOMP-...ao.dll      windows10_x64
1      01/2015.5.27/03.exe      windows7_x64
8      01/2015.5.27/03.exe      windows10_x64
8      01/2015.5.27/04.exe      windows7_x64
1      01/2015.5.27/04.exe      windows10_x64
1      01/2015.5.27/05.exe      windows7_x64
10     01/2015.5.27/05.exe      windows10_x64
10     01/2015.5.27/07.exe      windows7_x64
7      01/2015.5.27/07.exe      windows10_x64
7      01/2015.5.27/09.exe      windows7_x64
10     01/2015.5.27/09.exe      windows10_x64
10     01/2015.5.27/10.exe      windows7_x64
10     01/2015.5.27/10.exe      windows10_x64
10     01/2015.5.27/12.pdf      windows7_x64
1      01/2015.5.27/12.pdf      windows10_x64
1      01/2015.5.27/13.pdf      windows7_x64
1      01/2015.5.27/13.pdf      windows10_x64
1      01/2015.5.27/14.exe      windows7_x64
8      01/2015.5.27/14.exe      windows10_x64
8      01/2015.5.27/15.dll      windows7_x64
1      01/2015.5.27/15.dll      windows10_x64
1      01/2015.5.27/16.rtf      windows7_x64
10     01/2015.5.27/16.rtf      windows10_x64
1      01/2015.5.27/17.pdf      windows7_x64
1      01/2015.5.27/17.pdf      windows10_x64
1      01/2015.5.27/18.doc      windows7_x64
1      01/2015.5.27/18.doc      windows10_x64
Analysis
  max time kernel:  160s
  max time network: 167s
  platform:         windows10_x64
  resource:         win10-en-20211208
  submitted:        28-01-2022 13:34
Behavioral tasks
  Task          Sample                       Resource
  behavioral1   01/2015.5.27/01.vir          win7-en-20211208
  behavioral2   01/2015.5.27/01.vir          win10-en-20211208
  behavioral3   PER-DCOMP-Intimacao.dll      win7-en-20211208
  behavioral4   PER-DCOMP-Intimacao.dll      win10-en-20211208
  behavioral5   01/2015.5.27/03.exe          win7-en-20211208
  behavioral6   01/2015.5.27/03.exe          win10-en-20211208
  behavioral7   01/2015.5.27/04.exe          win7-en-20211208
  behavioral8   01/2015.5.27/04.exe          win10-en-20211208
  behavioral9   01/2015.5.27/05.exe          win7-en-20211208
  behavioral10  01/2015.5.27/05.exe          win10-en-20211208
  behavioral11  01/2015.5.27/07.exe          win7-en-20211208
  behavioral12  01/2015.5.27/07.exe          win10-en-20211208
  behavioral13  01/2015.5.27/09.exe          win7-en-20211208
  behavioral14  01/2015.5.27/09.exe          win10-en-20211208
  behavioral15  01/2015.5.27/10.exe          win7-en-20211208
  behavioral16  01/2015.5.27/10.exe          win10-en-20211208
  behavioral17  01/2015.5.27/12.pdf          win7-en-20211208
  behavioral18  01/2015.5.27/12.pdf          win10-en-20211208
  behavioral19  01/2015.5.27/13.pdf          win7-en-20211208
  behavioral20  01/2015.5.27/13.pdf          win10-en-20211208
  behavioral21  01/2015.5.27/14.exe          win7-en-20211208
  behavioral22  01/2015.5.27/14.exe          win10-en-20211208
  behavioral23  01/2015.5.27/15.dll          win7-en-20211208
  behavioral24  01/2015.5.27/15.dll          win10-en-20211208
  behavioral25  01/2015.5.27/16.rtf          win7-en-20211208
  behavioral26  01/2015.5.27/16.rtf          win10-en-20211208
  behavioral27  01/2015.5.27/17.pdf          win7-en-20211208
  behavioral28  01/2015.5.27/17.pdf          win10-en-20211208
  behavioral29  01/2015.5.27/18.doc          win7-en-20211208
  behavioral30  01/2015.5.27/18.doc          win10-en-20211208
General
  Target: 01/2015.5.27/09.exe
  Size:   28KB
  MD5:    2a87896e592dd168cad17b3ebcee6121
  SHA1:   af4e6d67ed5bf0434672735aa3946437bbcb1450
  SHA256: d6f7c6720ba9fa9641906eee74098fc4bc825ac216d95f738a2fa51cf3c00384
  SHA512: 2812622744901f2fd8a9150caa8f576e18d56497a3e04c29954d5939d64cb6a297f52b1beac76be28176ec7bd5a5f787874b850ed23305f2ce6a9ed41060c307
Malware Config
  (none extracted)

Signatures
  - Executes dropped EXE (1 IoC)
    Process: pid 2232 server.EXE
  - Modifies Windows Firewall (1 TTP)
  - Drops startup file (2 IoCs)
    File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4caf7edbf53e7299d3bbbec3f8f4b1b8.exe  (process: server.EXE)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4caf7edbf53e7299d3bbbec3f8f4b1b8.exe  (process: server.EXE)
  - Adds Run key to start application (2 TTPs, 2 IoCs)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4caf7edbf53e7299d3bbbec3f8f4b1b8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.EXE\" .."  (process: server.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\4caf7edbf53e7299d3bbbec3f8f4b1b8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.EXE\" .."  (process: server.EXE)
  - Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  - Suspicious behavior: EnumeratesProcesses (42 IoCs)
    Process: pid 2232 server.EXE (42 events, all from this process)
  - Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege  (pid 2232 server.EXE)
  - Suspicious use of WriteProcessMemory (6 IoCs)
    PID 2716 (09.exe) wrote to memory of PID 2232 (server.EXE)    x3
    PID 2232 (server.EXE) wrote to memory of PID 972 (netsh.exe)   x3
Processes
  1. C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\09.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\09.exe"
     PID: 2716
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\server.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\server.EXE"
        PID: 2232
        - Executes dropped EXE
        - Drops startup file
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\netsh.exe
           Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.EXE" "server.EXE" ENABLE
           PID: 972
Network
MITRE ATT&CK Enterprise v6
Downloads
  - C:\Users\Admin\AppData\Local\Temp\server.EXE  (two identical entries in the report)
    MD5:    2a87896e592dd168cad17b3ebcee6121
    SHA1:   af4e6d67ed5bf0434672735aa3946437bbcb1450
    SHA256: d6f7c6720ba9fa9641906eee74098fc4bc825ac216d95f738a2fa51cf3c00384
    SHA512: 2812622744901f2fd8a9150caa8f576e18d56497a3e04c29954d5939d64cb6a297f52b1beac76be28176ec7bd5a5f787874b850ed23305f2ce6a9ed41060c307
  - memory/2232-118-0x0000000002310000-0x0000000002311000-memory.dmp
    Filesize: 4KB
  - memory/2232-119-0x0000000002313000-0x0000000002315000-memory.dmp
    Filesize: 8KB
  - memory/2716-115-0x0000000000B50000-0x0000000000B61000-memory.dmp
    Filesize: 68KB