Analysis

  • max time kernel
    54s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14/06/2022, 22:02

General

  • Target

    2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe

  • Size

    1.8MB

  • MD5

    fc858cc2dc379c90ce729dcd4b58a4a4

  • SHA1

    e5fa397a9053ac198b08aba3da3ada0304b94b32

  • SHA256

    2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e

  • SHA512

    3f925fecb3a0d6748e0475fe7be238394cbff453d9dae65db2863e59b01a8202de216e4181a03d1d5aa612f978212dda29120271e8170fae9a763ff5f141496f

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; on its own, drive enumeration is a generic heuristic, and none of the other signatures in this report concern file encryption.

  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe
    "C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Lui.xltx
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^DLJyiWOjFRXkEfehEjtbrnPYMsFWnKxNWzEcSkYjeoxprDGXReUaPfptWLzQdSNVbpgkKGxzhRxVtGUpLIyvPwYGpmmiSoWlx$" Estate.xltx
          4⤵
            PID:2012
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com
            Oggi.exe.com t
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1788
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com t
              5⤵
              • Executes dropped EXE
              PID:1936
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 30
            4⤵
            • Runs ping.exe
            PID:1484
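
The chain above (cmd.exe reading its commands from a redirected .xltx file, findstr /V /R stripping a marker line, a double-extension .exe.com launched from the 7ZipSfx.000 extraction directory, ping to loopback as a delay) is easier to catch as a combination than as any single command. The following is an added example, not part of the sandbox report: Python detection logic over process-creation records copied from the process tree, plus three constructed benign records (PIDs 9001-9003) that are not from the report. Field names follow Sysmon Event ID 1 by convention only; the thresholds (24-character marker, ping -n of 10 or more) are this example's choices, not anything the report states.

```python
"""Detection logic for the dropper chain in the process tree.

Added example, not part of the sandbox report. Records with PIDs below 9000
copy the process tree; PIDs 9001-9003 are constructed benign commands.
"""
import os
import re


def rule_cmd_stdin_redirect(rec):
    """cmd.exe fed its commands via '<' from a file without a script extension."""
    if not rec["Image"].lower().endswith("\\cmd.exe"):
        return None
    m = re.search(r'<\s*"?([^\s"<>|]+)', rec["CommandLine"])
    if not m:
        return None
    ext = os.path.splitext(m.group(1))[1].lower()
    if ext in {".bat", ".cmd"}:
        return None
    return f"cmd.exe reads commands from redirected {m.group(1)} ({ext or 'no'} extension)"


def rule_findstr_marker_strip(rec):
    """findstr /V /R with a long anchored ^literal$: a line-removal decoder."""
    if not rec["Image"].lower().endswith("\\findstr.exe"):
        return None
    cl = rec["CommandLine"]
    flags = {t.lower() for t in re.findall(r"(?<!\S)/[a-z]", cl, re.I)}
    m = re.search(r'"\^([A-Za-z0-9]{24,})\$"', cl)
    if "/v" in flags and "/r" in flags and m:
        return f"findstr /V /R strips a {len(m.group(1))}-char marker line: payload decode"
    return None


def rule_sfx_double_ext(rec):
    """Double-extension executable launched from a 7-Zip SFX extraction dir."""
    img = rec["Image"].lower()
    if re.search(r"\\7zipsfx\.\d+\\", img) and re.search(r"\.(exe|dll)\.[a-z0-9]{2,4}$", img):
        return "double-extension executable run from 7ZipSfx temp dir"
    return None


def rule_ping_sleep(rec):
    """ping to loopback with a large -n count: a sleep without a sleep binary."""
    if not rec["Image"].lower().endswith("\\ping.exe"):
        return None
    cl = rec["CommandLine"]
    host = re.search(r"(?<![\w.])(127\.0\.0\.1|localhost)(?![\w.])", cl, re.I)
    count = re.search(r"-n\s+(\d+)", cl, re.I)
    if host and count and int(count.group(1)) >= 10:
        return f"ping loopback -n {count.group(1)}: roughly {int(count.group(1)) - 1}s delay"
    return None


RULES = [rule_cmd_stdin_redirect, rule_findstr_marker_strip, rule_sfx_double_ext, rule_ping_sleep]


def scan(events):
    """Return (pid, rule name, detail) for every rule that fires on every event."""
    hits = []
    for e in events:
        for rule in RULES:
            detail = rule(e)
            if detail:
                hits.append((e["ProcessId"], rule.__name__, detail))
    return hits


def root_pid(pid, by_pid):
    """Walk ParentProcessId up to the oldest ancestor present in the event set."""
    while pid in by_pid and by_pid[pid]["ParentProcessId"] in by_pid:
        pid = by_pid[pid]["ParentProcessId"]
    return pid


def chains(events, min_rules=3):
    """{root pid: sorted rule names} for trees where >= min_rules distinct rules fire."""
    by_pid = {e["ProcessId"]: e for e in events}
    per_root = {}
    for pid, name, _ in scan(events):
        per_root.setdefault(root_pid(pid, by_pid), set()).add(name)
    return {r: sorted(n) for r, n in per_root.items() if len(n) >= min_rules}


def ev(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
SAMPLE = "2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe"
MARKER = "DLJyiWOjFRXkEfehEjtbrnPYMsFWnKxNWzEcSkYjeoxprDGXReUaPfptWLzQdSNVbpgkKGxzhRxVtGUpLIyvPwYGpmmiSoWlx"
EVENTS = [  # PIDs, images and command lines as reported in the process tree
    ev(1768, 0, T + "\\" + SAMPLE, '"' + T + "\\" + SAMPLE + '"'),
    ev(1772, 1768, S + r"\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Lui.xltx'),
    ev(1720, 1772, S + r"\cmd.exe", r"C:\Windows\system32\cmd"),
    ev(2012, 1720, S + r"\findstr.exe", 'findstr /V /R "^' + MARKER + '$" Estate.xltx'),
    ev(1788, 1720, T + r"\7ZipSfx.000\Oggi.exe.com", "Oggi.exe.com t"),
    ev(1936, 1788, T + r"\7ZipSfx.000\Oggi.exe.com", T + r"\7ZipSfx.000\Oggi.exe.com t"),
    ev(1484, 1720, S + r"\PING.EXE", "ping 127.0.0.1 -n 30"),
    # constructed benign records, not from the report
    ev(9001, 9000, S + r"\PING.EXE", "ping 8.8.8.8 -n 4"),
    ev(9002, 9000, S + r"\findstr.exe", 'findstr /i "error" app.log'),
    ev(9003, 9000, S + r"\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c type notes.txt'),
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
    print(chains(EVENTS))
```

Each rule on its own will fire on legitimate administration now and then; chains() only reports a process tree in which at least three distinct rules fire under one root, which is what separates this dropper from a stray ping -n in a logon script.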

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avra.xltx

      Filesize

      894KB

      MD5

      3fbfca6a122bc342d3ddcee17303db89

      SHA1

      7ada094aba1b5861b25d937285814e84b220564f

      SHA256

      d286dc81f29d1f9473a6da25597fb3bed4ac923360e7b1fbfe22752b39d22cbe

      SHA512

      62f75af73a289975abfc2d8a314e616742db69229f705a96e6e62a0c81853f0aec79c358047bb86d6ff56242c3adfcd03bc99d12913e68e1f005a3488695cd0b

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Estate.xltx

      Filesize

      872KB

      MD5

      f90146ea7b535f5818cfbe015d0b0dbd

      SHA1

      c9e85c4a87e8d8dff2cfff62c1936a920232d6e0

      SHA256

      16e970c4f84b633bc0df5fc6d2dffecb0781a514fe52a45b25e479073efb5ad6

      SHA512

      3f16c5e7136c65ef90c87788653fb9c177b49b22363f2ae24aa3105718c3a67d247b16de507dbf9bcd7e17f7079ad6c7678a19e40b6cc208725cb2451e6f8914

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lui.xltx

      Filesize

      329B

      MD5

      6c789bc49e35af75b40caf1bd6da59cb

      SHA1

      fd1504f2f8676250072bb59c1513ed3ad25ce348

      SHA256

      d9969d44961356fae2d7b6c6a4758b7c4dbea557886e00a42e57c68cdc168b79

      SHA512

      07748b08ab50f98584e4223486c71cdf41b1f945cbe0ed1b2c0c45f4eaa649ffa5fc58f2c5b4024bced44d81f23a3c7f5b8256c9389f4b9d57b5699ecd949001

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.xltx

      Filesize

      682KB

      MD5

      b01e4db185b6b980945c1ea329ab6e49

      SHA1

      112fe8a2f68bf0d9076e2b648bbb1ba5e7f8f476

      SHA256

      db1d912a64e47e2928ebe436286e136c6d7b1b2eb6bfc0c8058e33c57386d592

      SHA512

      ced411bcdcdb8345fb4a796cba181750181a438e42214be4aee0890af8706f0da05781c4d75f772d7bd4d95fe94b0cd2caaeaadd88a5460c0a5c1ce6d71f5893

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\t

      Filesize

      682KB

      MD5

      b01e4db185b6b980945c1ea329ab6e49

      SHA1

      112fe8a2f68bf0d9076e2b648bbb1ba5e7f8f476

      SHA256

      db1d912a64e47e2928ebe436286e136c6d7b1b2eb6bfc0c8058e33c57386d592

      SHA512

      ced411bcdcdb8345fb4a796cba181750181a438e42214be4aee0890af8706f0da05781c4d75f772d7bd4d95fe94b0cd2caaeaadd88a5460c0a5c1ce6d71f5893

    • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • memory/1768-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

      Filesize

      8KB
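
findstr /V /R "^MARKER$" Estate.xltx prints every line of Estate.xltx except the one that exactly matches the marker. Estate.xltx and Oggi.exe.com are both 872KB with different hashes, and Promessa.xltx and t share a hash, which fits a dropper that removes a header line to recover an executable and copies its script under a one-letter name; the report does not show the batch file (Lui.xltx) or the output redirection, so that reading is an inference. As an added example, not code from the report or from the sample, the Python below emulates the findstr step on a constructed blob (a marker line ahead of a fake PE image; the marker's real position in Estate.xltx is an assumption) and cross-checks the dropped-file list above for renamed copies and same-size transforms.

```python
"""Emulation of the findstr /V /R decode step plus a hash cross-check of the
dropped files. Added example; the input blob is constructed, not Estate.xltx."""
import hashlib
import re
from collections import defaultdict
from itertools import combinations

MARKER = b"DLJyiWOjFRXkEfehEjtbrnPYMsFWnKxNWzEcSkYjeoxprDGXReUaPfptWLzQdSNVbpgkKGxzhRxVtGUpLIyvPwYGpmmiSoWlx"


def findstr_v_r(data: bytes, pattern: bytes) -> bytes:
    """Simplified `findstr /V /R pattern`: drop each line whose text (without
    its CR/LF terminator) matches the regex; pass every other byte through
    untouched. Real findstr has its own regex dialect and line-length quirks;
    for a letters-only ^literal$ pattern the result is the same."""
    rx = re.compile(pattern)
    pieces = data.split(b"\n")
    kept = []
    for i, piece in enumerate(pieces):
        body = piece[:-1] if piece.endswith(b"\r") else piece
        if rx.search(body):
            continue
        kept.append(piece if i == len(pieces) - 1 else piece + b"\n")
    return b"".join(kept)


def fake_pe(size: int = 4096) -> bytes:
    """Deterministic stand-in for a PE image: 'MZ' magic followed by hash-chain
    bytes, so the body contains stray CR and LF bytes like a real binary."""
    blob = bytearray(b"MZ")
    h = hashlib.sha256(b"constructed").digest()
    while len(blob) < size:
        h = hashlib.sha256(h).digest()
        blob += h
    return bytes(blob[:size])


def build_sample(payload: bytes) -> bytes:
    """Constructed Estate.xltx: one marker line in front hides the MZ header.
    (Assumption: the real dropper's marker position is not visible here.)"""
    return MARKER + b"\r\n" + payload


def decode_roundtrip(size: int = 4096) -> dict:
    """Run the emulated findstr over the constructed blob and report what changed."""
    payload = fake_pe(size)
    sample = build_sample(payload)
    out = findstr_v_r(sample, rb"^" + MARKER + rb"$")
    return {
        "sample_starts_with_mz": sample.startswith(b"MZ"),
        "decoded_starts_with_mz": out.startswith(b"MZ"),
        "payload_recovered": out == payload,
        "bytes_removed": len(sample) - len(out),
        "sha256_changed": hashlib.sha256(sample).digest() != hashlib.sha256(out).digest(),
    }


# Dropped files as listed in the report: (name, size, SHA256)
DROPS = [
    ("Avra.xltx", "894KB", "d286dc81f29d1f9473a6da25597fb3bed4ac923360e7b1fbfe22752b39d22cbe"),
    ("Estate.xltx", "872KB", "16e970c4f84b633bc0df5fc6d2dffecb0781a514fe52a45b25e479073efb5ad6"),
    ("Lui.xltx", "329B", "d9969d44961356fae2d7b6c6a4758b7c4dbea557886e00a42e57c68cdc168b79"),
    ("Oggi.exe.com", "872KB", "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d"),
    ("Promessa.xltx", "682KB", "db1d912a64e47e2928ebe436286e136c6d7b1b2eb6bfc0c8058e33c57386d592"),
    ("t", "682KB", "db1d912a64e47e2928ebe436286e136c6d7b1b2eb6bfc0c8058e33c57386d592"),
]


def cross_check(drops=DROPS) -> dict:
    """Same hash under two names = a renamed copy; same reported size with a
    different hash = a file the chain transformed (a ~100-byte marker line is
    invisible next to 872KB, so the rounded size does not move)."""
    by_hash, by_size = defaultdict(list), defaultdict(list)
    for name, size, sha in drops:
        by_hash[sha].append(name)
        by_size[size].append((name, sha))
    renamed = [tuple(names) for names in by_hash.values() if len(names) > 1]
    transformed = [(a, b) for entries in by_size.values()
                   for (a, ha), (b, hb) in combinations(entries, 2) if ha != hb]
    return {"renamed_copies": renamed, "same_size_different_hash": transformed}


if __name__ == "__main__":
    print(decode_roundtrip())
    print(cross_check())
```

The round trip shows why the trick works against naive scanning: the file on disk does not begin with MZ, yet a single built-in tool with no decoding logic of its own restores the exact original bytes.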