0e4c64a675fbce01bc1f600d2d5b19b22f61b0190865689852a566feefbdb081

Analysis

max time kernel
122s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

the-setup.exe
Size

727KB
MD5

7db33b8774b89cb731339281d85be486
SHA1

21a8da797e816d3cd5e111c3f8d66c6d3bbc449b
SHA256

0e4c64a675fbce01bc1f600d2d5b19b22f61b0190865689852a566feefbdb081
SHA512

c5f66db529be1fc41341a813d978b1f6a704babf4044bf65d479d8c18b9d38491bf29e5da16ea54ac5ed9b0af9349eb8524de8be10375c354c88047d5d1b5108

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Viscere.exe.pif

pid process

1632 Viscere.exe.pif

pid	process
1632	Viscere.exe.pif

Loads dropped DLL 8 IoCs

Processes:

cmd.exeViscere.exe.pif

pid	process
628	cmd.exe
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1544 tasklist.exe
1140 tasklist.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1544 tasklist.exe
Token: SeDebugPrivilege 1140 tasklist.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Viscere.exe.pif

pid process

1632 Viscere.exe.pif
1632 Viscere.exe.pif
1632 Viscere.exe.pif
1632 Viscere.exe.pif
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Viscere.exe.pif

pid process

1632 Viscere.exe.pif
1632 Viscere.exe.pif
1632 Viscere.exe.pif
1632 Viscere.exe.pif

pid	process
1544	tasklist.exe
1140	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	1140	tasklist.exe

pid	process
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif

pid	process
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif
1632	Viscere.exe.pif

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

the-setup.execmd.execmd.exe

description	pid	process	target process
PID 820 wrote to memory of 848	820	the-setup.exe	at.exe
PID 820 wrote to memory of 848	820	the-setup.exe	at.exe
PID 820 wrote to memory of 848	820	the-setup.exe	at.exe
PID 820 wrote to memory of 848	820	the-setup.exe	at.exe
PID 820 wrote to memory of 1104	820	the-setup.exe	cmd.exe
PID 820 wrote to memory of 1104	820	the-setup.exe	cmd.exe
PID 820 wrote to memory of 1104	820	the-setup.exe	cmd.exe
PID 820 wrote to memory of 1104	820	the-setup.exe	cmd.exe
PID 1104 wrote to memory of 628	1104	cmd.exe	cmd.exe
PID 1104 wrote to memory of 628	1104	cmd.exe	cmd.exe
PID 1104 wrote to memory of 628	1104	cmd.exe	cmd.exe
PID 1104 wrote to memory of 628	1104	cmd.exe	cmd.exe
PID 628 wrote to memory of 1544	628	cmd.exe	tasklist.exe
PID 628 wrote to memory of 1544	628	cmd.exe	tasklist.exe
PID 628 wrote to memory of 1544	628	cmd.exe	tasklist.exe
PID 628 wrote to memory of 1544	628	cmd.exe	tasklist.exe
PID 628 wrote to memory of 760	628	cmd.exe	find.exe
PID 628 wrote to memory of 760	628	cmd.exe	find.exe
PID 628 wrote to memory of 760	628	cmd.exe	find.exe
PID 628 wrote to memory of 760	628	cmd.exe	find.exe
PID 628 wrote to memory of 1140	628	cmd.exe	tasklist.exe
PID 628 wrote to memory of 1140	628	cmd.exe	tasklist.exe
PID 628 wrote to memory of 1140	628	cmd.exe	tasklist.exe
PID 628 wrote to memory of 1140	628	cmd.exe	tasklist.exe
PID 628 wrote to memory of 2004	628	cmd.exe	find.exe
PID 628 wrote to memory of 2004	628	cmd.exe	find.exe
PID 628 wrote to memory of 2004	628	cmd.exe	find.exe
PID 628 wrote to memory of 2004	628	cmd.exe	find.exe
PID 628 wrote to memory of 1884	628	cmd.exe	findstr.exe
PID 628 wrote to memory of 1884	628	cmd.exe	findstr.exe
PID 628 wrote to memory of 1884	628	cmd.exe	findstr.exe
PID 628 wrote to memory of 1884	628	cmd.exe	findstr.exe
PID 628 wrote to memory of 1632	628	cmd.exe	Viscere.exe.pif
PID 628 wrote to memory of 1632	628	cmd.exe	Viscere.exe.pif
PID 628 wrote to memory of 1632	628	cmd.exe	Viscere.exe.pif
PID 628 wrote to memory of 1632	628	cmd.exe	Viscere.exe.pif
PID 628 wrote to memory of 1320	628	cmd.exe	waitfor.exe
PID 628 wrote to memory of 1320	628	cmd.exe	waitfor.exe
PID 628 wrote to memory of 1320	628	cmd.exe	waitfor.exe
PID 628 wrote to memory of 1320	628	cmd.exe	waitfor.exe

C:\Users\Admin\AppData\Local\Temp\the-setup.exe
"C:\Users\Admin\AppData\Local\Temp\the-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
2⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Vedi.accdr
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
4⤵
PID:760

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
4⤵
PID:2004

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^TUoZCCjcVvLcOZmKBbMwdBTPeuuCUrSZzlHEAerndtHzFihCRWyaiMJaqzXcvKBRDLeEaVpmxgLjUApU$" Ieri.accdr
4⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.pif
Viscere.exe.pif j
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1632

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 vIziDdEUzIdfKU
4⤵
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Distrugge.accdr
MD5
35e554db7f925ee8822344bddda984b7

SHA1
f53cb0394a6e5970bfaaf20becb89386ae89bb83

SHA256
c51efc01659c151e013aaa37223620eeebf7feafb44031e466b10fd93226dbae

SHA512
1c6d8e762d1856f0db804d84673f84d5f3033cf124c8f7878264339a19ff3b204c3c5bd94f2573ee6e8cfbb99d1ae5a41ecd5679ab5b59627f5cdcb20460a9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ieri.accdr
MD5
27df7c180bcf92c720ba98c6a4c578c7

SHA1
913eb04d4e871b18de913af107ac46fa48f21b50

SHA256
cfdd17167c448b21331f2c8a94eb88db9b5f2da31c39fcd23e0136b5a1d928f0

SHA512
d3e3153cc7f19bd1a87bbaac7254e7187b6d46c02ebf7786b5c3dbe5d6b5a58ba21a4e1387f764e7d0ab4d19a424d9610c71b643d1c4b8bdfc382fc2fa2cdc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedi.accdr
MD5
88ab2d2e3e862562fcb8b11835727025

SHA1
438e3da92c034c6c139e4a4c269e11fbe5e90c4b

SHA256
ad1688407e232daf78895433d38441e85008b431dee7f7b282745524337fe057

SHA512
586ae6b67ca3bb50b440d14af390ff15cc685b15fb0fc11264d6ebea530a7d6e105cec59e3a41750958a50856c4604df01fe0d47b973b7efa0df49f76dde685a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.pif
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.pif
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/820-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1632-71-0x0000000003C41000-0x0000000003C49000-memory.dmp

Filesize
32KB

Download