b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1

Analysis

max time kernel
117s
max time network
141s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe
Size

858KB
MD5

248ead3f5f4151f8b6c0daca1f774b4a
SHA1

14242a6c2381629ba506c1eb515f30dc4a7e5bc4
SHA256

b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1
SHA512

c3c90b53d415d2e2cd6c1f7c02c5d665c95c0f92db14164ee2cd7edef1e90dddcc8d78ab6ec3eaaa0311e1d1876d0b7d94ea3f802b88c8f2416ca0c0c9af1977

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Venir.exe.pif

pid process

1132 Venir.exe.pif
Loads dropped DLL 8 IoCs

Processes:

cmd.exeVenir.exe.pif

pid process

1100 cmd.exe
1132 Venir.exe.pif
1132 Venir.exe.pif
1132 Venir.exe.pif
1132 Venir.exe.pif
1132 Venir.exe.pif
1132 Venir.exe.pif
1132 Venir.exe.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1492 tasklist.exe
612 tasklist.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1492 tasklist.exe
Token: SeDebugPrivilege 612 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Venir.exe.pif

pid process

1132 Venir.exe.pif
1132 Venir.exe.pif
1132 Venir.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Venir.exe.pif

pid process

1132 Venir.exe.pif
1132 Venir.exe.pif
1132 Venir.exe.pif

pid	process
1132	Venir.exe.pif

pid	process
1100	cmd.exe
1132	Venir.exe.pif
1132	Venir.exe.pif
1132	Venir.exe.pif
1132	Venir.exe.pif
1132	Venir.exe.pif
1132	Venir.exe.pif
1132	Venir.exe.pif

pid	process
1492	tasklist.exe
612	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	612	tasklist.exe

pid	process
1132	Venir.exe.pif
1132	Venir.exe.pif
1132	Venir.exe.pif

pid	process
1132	Venir.exe.pif
1132	Venir.exe.pif
1132	Venir.exe.pif

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.execmd.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 776	1672	b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe	svchost.exe
PID 1672 wrote to memory of 776	1672	b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe	svchost.exe
PID 1672 wrote to memory of 776	1672	b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe	svchost.exe
PID 1672 wrote to memory of 776	1672	b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe	svchost.exe
PID 1672 wrote to memory of 1176	1672	b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe	cmd.exe
PID 1672 wrote to memory of 1176	1672	b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe	cmd.exe
PID 1672 wrote to memory of 1176	1672	b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe	cmd.exe
PID 1672 wrote to memory of 1176	1672	b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe	cmd.exe
PID 1176 wrote to memory of 1100	1176	cmd.exe	cmd.exe
PID 1176 wrote to memory of 1100	1176	cmd.exe	cmd.exe
PID 1176 wrote to memory of 1100	1176	cmd.exe	cmd.exe
PID 1176 wrote to memory of 1100	1176	cmd.exe	cmd.exe
PID 1100 wrote to memory of 1492	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 1492	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 1492	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 1492	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 1148	1100	cmd.exe	find.exe
PID 1100 wrote to memory of 1148	1100	cmd.exe	find.exe
PID 1100 wrote to memory of 1148	1100	cmd.exe	find.exe
PID 1100 wrote to memory of 1148	1100	cmd.exe	find.exe
PID 1100 wrote to memory of 612	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 612	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 612	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 612	1100	cmd.exe	tasklist.exe
PID 1100 wrote to memory of 812	1100	cmd.exe	find.exe
PID 1100 wrote to memory of 812	1100	cmd.exe	find.exe
PID 1100 wrote to memory of 812	1100	cmd.exe	find.exe
PID 1100 wrote to memory of 812	1100	cmd.exe	find.exe
PID 1100 wrote to memory of 1640	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 1640	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 1640	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 1640	1100	cmd.exe	findstr.exe
PID 1100 wrote to memory of 1132	1100	cmd.exe	Venir.exe.pif
PID 1100 wrote to memory of 1132	1100	cmd.exe	Venir.exe.pif
PID 1100 wrote to memory of 1132	1100	cmd.exe	Venir.exe.pif
PID 1100 wrote to memory of 1132	1100	cmd.exe	Venir.exe.pif
PID 1100 wrote to memory of 1716	1100	cmd.exe	waitfor.exe
PID 1100 wrote to memory of 1716	1100	cmd.exe	waitfor.exe
PID 1100 wrote to memory of 1716	1100	cmd.exe	waitfor.exe
PID 1100 wrote to memory of 1716	1100	cmd.exe	waitfor.exe

C:\Users\Admin\AppData\Local\Temp\b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe
"C:\Users\Admin\AppData\Local\Temp\b0429bd948c05044a9bb367e16bf30586ea495f4788c1e7a63ae4b5464f29cd1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Apparire.xls
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
4⤵
PID:1148

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
4⤵
PID:812

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^wrnCdnqmuSYKhRoHOYhpaYfkIIZoVapMfaTFXxbOOavoCSixBhvmeVPeNhUHmRENJkcVXCKxAnxqCiIPAEHIWJKzCRS$" Moto.xls
4⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Venir.exe.pif
Venir.exe.pif k
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1132

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 BSUQo
4⤵
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparire.xls
MD5
7d05b50377ca99ac50c5948fc93183d8

SHA1
4a79220f4f000a44e79d92a0e08a45d175ec1194

SHA256
2202ec18f9e377506110b7f69b7d834de05c1f5a74af74cde371fa79f65cbbfc

SHA512
333bcd576088ef449cfb083545b9fd8dd49f365ec1a75a2a6692e2b197e49e23f16c036e1b3f79603651c01439bacbd6426fd5513bbc9716402aad1ae6d92bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Moto.xls
MD5
579e203e3d222f8eb222c4c505c63359

SHA1
85901ad211654a42d008113da6acfb88b871676e

SHA256
34b239e6627f04504eac2ce51184407bbe72afa45ad794ef31da427883bdf694

SHA512
42141a66635a6d6206e947408857cb46ca5f66d0d05b6f06a7e046d3e6e330264c2df627365057f9302e27697cd8ff08139242da29d333cbce29f851f4b7d6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sussulto.xls
MD5
a51e9eb34690adb2c91a2dff7f62d1e1

SHA1
cce892a70783af9533554f423a5e6619a4099132

SHA256
bb3c7cfdf4690557f17203cf9a7098c720ebe3c289c965a000694bd0a131a833

SHA512
51fad0f6756b718055e9ab9dce68df199822296a3b16243d2a2d626382df95d33901ae51f489182f39eafd984d17a83e671b14fac64ed8e583b3fd4dc522f325

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Venir.exe.pif
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Venir.exe.pif
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iJyTLu.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iJyTLu.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iJyTLu.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iJyTLu.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iJyTLu.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iJyTLu.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iJyTLu.dll
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/1132-70-0x00000000040C1000-0x00000000040C9000-memory.dmp

Filesize
32KB

Download
memory/1672-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download