Analysis
- max time kernel: 363s
- max time network: 363s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 14:11
- Static task: static1
- Behavioral task behavioral1: sample ACTIVATE____SETUP__4695.exe, resource win7-en-20211208
- Behavioral task behavioral2: sample ACTIVATE____SETUP__4695.exe, resource win10-en-20211208
- Behavioral task behavioral3: sample ACTIVATE____SETUP__4695.exe, resource win11
General
- Target: ACTIVATE____SETUP__4695.exe
- Size: 744KB
- MD5: 849bf640bf914ec675b9477a802a22f9
- SHA1: e1a12595f8c9d48416ec342cd4037a32f3fdda24
- SHA256: 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4
- SHA512: 763878ebb2c574f6e93e6bd7be49ee874e35e04c4bbd8d771224c16ece3628523041520497b6f66bd3f90e8f3e09b0accda049fa518bfbeb4fc77bc2175d6ec1
Signatures
- Executes dropped EXE (1 IoC)
  Processes: 1668 Accostarmi.exe.pif
- Loads dropped DLL (8 IoCs)
  Processes: 1528 cmd.exe (1 event); 1668 Accostarmi.exe.pif (7 events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes: 908 tasklist.exe; 748 tasklist.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: 908 tasklist.exe; 748 tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: 1668 Accostarmi.exe.pif (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: 1668 Accostarmi.exe.pif (3 events)
- Suspicious use of WriteProcessMemory (40 IoCs)
  Source processes: ACTIVATE____SETUP__4695.exe, cmd.exe, cmd.exe
  Source PID / process -> target PID / process (4 write events each):
  1876 ACTIVATE____SETUP__4695.exe -> 772 dllhost.exe
  1876 ACTIVATE____SETUP__4695.exe -> 1064 cmd.exe
  1064 cmd.exe -> 1528 cmd.exe
  1528 cmd.exe -> 908 tasklist.exe
  1528 cmd.exe -> 1140 find.exe
  1528 cmd.exe -> 748 tasklist.exe
  1528 cmd.exe -> 608 find.exe
  1528 cmd.exe -> 1760 findstr.exe
  1528 cmd.exe -> 1668 Accostarmi.exe.pif
  1528 cmd.exe -> 1660 waitfor.exe
Processes (tree depth in brackets; image path, then command line, then triggered signatures)
[1] C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe
    "C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\System32\dllhost.exe"
  [2] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Nel.xls
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "imagename eq BullGuardCore.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\find.exe
          find /I /N "bullguardcore.exe"
      [4] C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "imagename eq PSUAService.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\find.exe
          find /I /N "psuaservice.exe"
      [4] C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^HSpZWdXvufzDAYGXjZABuYRJLvHBPEtTIkAzCKbYUuhbCfMdrpLnpmdIqmgmIvGBkAVfbjxBBCGZLxicKsnFSFJoVSzecYfbmLjezbSQPlXHSd$" Questo.xls
      [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
          Accostarmi.exe.pif x
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
      [4] C:\Windows\SysWOW64\waitfor.exe
          waitfor /t 5 aRUpIzAL
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nel.xls
  MD5: a338f121bc7c0acf5f297bf85f150b7f
  SHA1: b1b4dd45417c0907dabf3cd93ea6410c73df5325
  SHA256: 4556a5e53c426abe5565342d9b091134ebc4aaaedafb00454f0a248ff78e1668
  SHA512: fa6b633dd69bf0cc195b093417001517e3dbe22f516109a4180d853849741b44fe8fc00264135ab8686512dc8b58a01b7727f8c3a89de121b6a176a14f0485c0
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Questo.xls
  MD5: 0d8fea82e82b1fa16b1dc714d106830c
  SHA1: ee9b15e9c380bbd6ac6431aae8f4625fecb77bec
  SHA256: 36c088f98ef9b8fe659e23f01a15c72b6b9824faedbfd9ae78e00de536f80ed6
  SHA512: de6dd75f8086aee2a50f4042586400b563dfe5a551195567a7ba3caaaf7c80342f47c6b452f1a97118b02eaf984c2cf350fbc2bf5b0194c6f147f84f3d268494
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vorrei.xls
  MD5: cee0255c4b09a8487fb1d965c91b2769
  SHA1: 30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
  SHA256: 5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
  SHA512: d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\x (same hashes as Vorrei.xls)
  MD5: cee0255c4b09a8487fb1d965c91b2769
  SHA1: 30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
  SHA256: 5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
  SHA512: d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\gQCSdkwXO.dll
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- memory/1876-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
  Filesize: 8KB