Analysis

  • max time kernel: 43s
  • max time network: 48s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 18/04/2022, 21:07

General

  • Target: b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
  • Size: 1.0MB
  • MD5: cecb88d07ae96dcfe8c2c36fa096fb41
  • SHA1: c9c84b92a258e49289b8195b6b8509a9960c5495
  • SHA256: b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42
  • SHA512: a76e008687d948a34903de4ac4339e253664002d9e602c70b461373c17c197001af3ca74e0724505329bab0b720ac3c56838f0efb9663f841579b9ee24f8db8e

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Deletes itself (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist (1 TTP, 2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
    "C:\Users\Admin\AppData\Local\Temp\b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Prende.avi
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "imagename eq BullGuardCore.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1744
        • C:\Windows\SysWOW64\find.exe
          find /I /N "bullguardcore.exe"
          4⤵
          PID:2000
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "imagename eq PSUAService.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
        • C:\Windows\SysWOW64\find.exe
          find /I /N "psuaservice.exe"
          4⤵
          PID:1736
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^NUUynCAavFAplJqoVmuufnwKZBZrOIjeTJnZmiZkDkIOfSUZXlxJinxfTluWCvDOzbdBlwJOmVCtQjcuHZuEhCVcgpyfwrIiHUcRCaPWAGpjVdmGPZgDdZAQCVjwVxMvj$" Sta.avi
          4⤵
          PID:1700
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Facilita.exe.pif
          Facilita.exe.pif v
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • Deletes itself
      PID:764

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
    Filesize: 300B
    MD5: 00c8bb4c8deebfc13bdbef52a5e68288
    SHA1: 110beb6ebed3f132f67d1b0c11aed92688fc2087
    SHA256: f5dba9dc47ac79267fd75bafd0b4aa7c1a9c264758fde79c4f433a52b1c569bf
    SHA512: 8a0ccf53135e38357c0038c4db199bafc1b5101a8a8c5ccb69f4f0d1b3f45ee499a09eed9ce81421ce9304ec26915ea44e28d0d44ced469cb31e4c86e065389b

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Facilita.exe.pif
    Filesize: 872KB
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Piu.avi
    Filesize: 886KB
    MD5: aea8833bffe4ce594e3c4e91221c8af5
    SHA1: 409a0890a367cd616332e12595a99d59a7202252
    SHA256: 90d76daf5aa4b3e943d7c62b4b0d6158b27b701681de367fea5a68f783a4d68c
    SHA512: d71d5b3cbdedc93d3765633e4bcf6773dccf757e6b4a2577ba4b50f00d846df9ebdb2a798dff5792113473c2c87143dfad7560993eaf8e56a0abdf34b3e40e32

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Prende.avi
    Filesize: 12KB
    MD5: 7b4e1751aede86d7ea3baf70197d5100
    SHA1: d0e0d38a082856099dc4281cd1aa682967f0ec30
    SHA256: dd31a753bb208ab540d90b59403d5fb3fde0a9e9cb3e34fabdce32f4eb96a6de
    SHA512: 187deed79b33ae102de3315463add8c4a0463e851b9beadecdf322626513f5f405e1a2d4fe11f2e6046816a3eb346b1191be109d6d29e8f783a4e0b2f13f12c6

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.avi
    Filesize: 872KB
    MD5: 78f6902df03a74470cc85906d390bf68
    SHA1: 2a07d672c000e26c8953e9e8c8ff0c1c33db9d06
    SHA256: 0d07d4825c918b092fde380263aaae1d08a6081456dd406c7485588bea625c5a
    SHA512: fb472adfef4d72f2762bafc364558c5b186019d3aad314256e54335c6366f42f49e6061606e74dcbd246333375b528ee5d4dd105538fe3b1be7cfabdc03b789a

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\Facilita.exe.pif
    Filesize: 872KB
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • memory/1100-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
    Filesize: 8KB