Analysis
- max time kernel: 122s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:35
Static task: static1
Behavioral task: behavioral1
Sample: the-setup.exe
Resource: win7-en-20211208
General
- Target: the-setup.exe
- Size: 727KB
- MD5: 7db33b8774b89cb731339281d85be486
- SHA1: 21a8da797e816d3cd5e111c3f8d66c6d3bbc449b
- SHA256: 0e4c64a675fbce01bc1f600d2d5b19b22f61b0190865689852a566feefbdb081
- SHA512: c5f66db529be1fc41341a813d978b1f6a704babf4044bf65d479d8c18b9d38491bf29e5da16ea54ac5ed9b0af9349eb8524de8be10375c354c88047d5d1b5108
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1632  Viscere.exe.pif
- Loads dropped DLL (8 IoCs)
  Processes (pid, process):
    628   cmd.exe
    1632  Viscere.exe.pif  (7 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes (pid, process):
    1544  tasklist.exe
    1140  tasklist.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1544  tasklist.exe
    Token: SeDebugPrivilege  1140  tasklist.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process):
    1632  Viscere.exe.pif  (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process):
    1632  Viscere.exe.pif  (4 entries)
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes (description, pid, process, target process); each of the 10 parent/child writes below is logged 4 times:
    PID 820 wrote to memory of 848     820   the-setup.exe  ->  at.exe
    PID 820 wrote to memory of 1104    820   the-setup.exe  ->  cmd.exe
    PID 1104 wrote to memory of 628    1104  cmd.exe        ->  cmd.exe
    PID 628 wrote to memory of 1544    628   cmd.exe        ->  tasklist.exe
    PID 628 wrote to memory of 760     628   cmd.exe        ->  find.exe
    PID 628 wrote to memory of 1140    628   cmd.exe        ->  tasklist.exe
    PID 628 wrote to memory of 2004    628   cmd.exe        ->  find.exe
    PID 628 wrote to memory of 1884    628   cmd.exe        ->  findstr.exe
    PID 628 wrote to memory of 1632    628   cmd.exe        ->  Viscere.exe.pif
    PID 628 wrote to memory of 1320    628   cmd.exe        ->  waitfor.exe
Processes (process tree; number is nesting depth, followed by image path and command line)
1  C:\Users\Admin\AppData\Local\Temp\the-setup.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\the-setup.exe"
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\at.exe
      command line: "C:\Windows\System32\at.exe"
   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c cmd < Vedi.accdr
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe
         command line: cmd
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\tasklist.exe
            command line: tasklist /FI "imagename eq BullGuardCore.exe"
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\SysWOW64\find.exe
            command line: find /I /N "bullguardcore.exe"
         4  C:\Windows\SysWOW64\tasklist.exe
            command line: tasklist /FI "imagename eq PSUAService.exe"
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\SysWOW64\find.exe
            command line: find /I /N "psuaservice.exe"
         4  C:\Windows\SysWOW64\findstr.exe
            command line: findstr /V /R "^TUoZCCjcVvLcOZmKBbMwdBTPeuuCUrSZzlHEAerndtHzFihCRWyaiMJaqzXcvKBRDLeEaVpmxgLjUApU$" Ieri.accdr
         4  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.pif
            command line: Viscere.exe.pif j
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
         4  C:\Windows\SysWOW64\waitfor.exe
            command line: waitfor /t 5 vIziDdEUzIdfKU
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Distrugge.accdr
  MD5: 35e554db7f925ee8822344bddda984b7
  SHA1: f53cb0394a6e5970bfaaf20becb89386ae89bb83
  SHA256: c51efc01659c151e013aaa37223620eeebf7feafb44031e466b10fd93226dbae
  SHA512: 1c6d8e762d1856f0db804d84673f84d5f3033cf124c8f7878264339a19ff3b204c3c5bd94f2573ee6e8cfbb99d1ae5a41ecd5679ab5b59627f5cdcb20460a9d3
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ieri.accdr
  MD5: 27df7c180bcf92c720ba98c6a4c578c7
  SHA1: 913eb04d4e871b18de913af107ac46fa48f21b50
  SHA256: cfdd17167c448b21331f2c8a94eb88db9b5f2da31c39fcd23e0136b5a1d928f0
  SHA512: d3e3153cc7f19bd1a87bbaac7254e7187b6d46c02ebf7786b5c3dbe5d6b5a58ba21a4e1387f764e7d0ab4d19a424d9610c71b643d1c4b8bdfc382fc2fa2cdc9a
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedi.accdr
  MD5: 88ab2d2e3e862562fcb8b11835727025
  SHA1: 438e3da92c034c6c139e4a4c269e11fbe5e90c4b
  SHA256: ad1688407e232daf78895433d38441e85008b431dee7f7b282745524337fe057
  SHA512: 586ae6b67ca3bb50b440d14af390ff15cc685b15fb0fc11264d6ebea530a7d6e105cec59e3a41750958a50856c4604df01fe0d47b973b7efa0df49f76dde685a
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.pif
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dll
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.pif
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- memory/820-55-0x0000000075191000-0x0000000075193000-memory.dmp
  Filesize: 8KB
- memory/1632-71-0x0000000003C41000-0x0000000003C49000-memory.dmp
  Filesize: 32KB