Analysis
-
max time kernel: 90s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 22/06/2022, 06:23
Static task: static1
Behavioral task: behavioral1
Sample: 2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe
Resource: win7-20220414-en
General
-
Target: 2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe
Size: 1.9MB
MD5: 2ee3f4df877529652dda4e1216b3948e
SHA1: aac8923c22c9cd61afef7f4676e13821cbf7284e
SHA256: 2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb
SHA512: f82af94112c2fcfb9686ae7b19b25dba8d7e46fbd55945f8b91a5863a728fb7153201097b45415db38bad3a4981a5a9f8bfb2886d51cb92c2f4300f7d7a77390
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
  pid   Process
  1788  Per.exe.com
  1016  Per.exe.com
-
Loads dropped DLL (1 IoCs)
  pid   Process
  1720  cmd.exe
-
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  1484  PING.EXE
-
Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1440 wrote to memory of 1768   1440  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe     28
  PID 1440 wrote to memory of 1768   1440  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe     28
  PID 1440 wrote to memory of 1768   1440  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe     28
  PID 1440 wrote to memory of 1768   1440  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe     28
  PID 1440 wrote to memory of 1772   1440  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe     30
  PID 1440 wrote to memory of 1772   1440  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe     30
  PID 1440 wrote to memory of 1772   1440  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe     30
  PID 1440 wrote to memory of 1772   1440  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe     30
  PID 1772 wrote to memory of 1720   1772  cmd.exe                                                                   32
  PID 1772 wrote to memory of 1720   1772  cmd.exe                                                                   32
  PID 1772 wrote to memory of 1720   1772  cmd.exe                                                                   32
  PID 1772 wrote to memory of 1720   1772  cmd.exe                                                                   32
  PID 1720 wrote to memory of 2012   1720  cmd.exe                                                                   33
  PID 1720 wrote to memory of 2012   1720  cmd.exe                                                                   33
  PID 1720 wrote to memory of 2012   1720  cmd.exe                                                                   33
  PID 1720 wrote to memory of 2012   1720  cmd.exe                                                                   33
  PID 1720 wrote to memory of 1788   1720  cmd.exe                                                                   34
  PID 1720 wrote to memory of 1788   1720  cmd.exe                                                                   34
  PID 1720 wrote to memory of 1788   1720  cmd.exe                                                                   34
  PID 1720 wrote to memory of 1788   1720  cmd.exe                                                                   34
  PID 1720 wrote to memory of 1484   1720  cmd.exe                                                                   35
  PID 1720 wrote to memory of 1484   1720  cmd.exe                                                                   35
  PID 1720 wrote to memory of 1484   1720  cmd.exe                                                                   35
  PID 1720 wrote to memory of 1484   1720  cmd.exe                                                                   35
  PID 1788 wrote to memory of 1016   1788  Per.exe.com                                                               36
  PID 1788 wrote to memory of 1016   1788  Per.exe.com                                                               36
  PID 1788 wrote to memory of 1016   1788  Per.exe.com                                                               36
  PID 1788 wrote to memory of 1016   1788  Per.exe.com                                                               36
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe"
  PID: 1440
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c echo Tmqp
    PID: 1768
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Ebbene.tif
    PID: 1772
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      PID: 1720
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^olbWzuGsDjNJLqKVecIMawnynPQVOOEbgFuctWvIrlmMslNTQrohAawuLanDfKDOHfxyTfQuZqIoCLOheXyLGsXWEqJMbSazHKyeQHZBjwg$" Ricomincia.ppsm
        PID: 2012
      Level 4: C:\Users\Admin\AppData\Roaming\xWyktprslGXXCcoEzi\Per.exe.com
        Command line: Per.exe.com o
        PID: 1788
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\AppData\Roaming\xWyktprslGXXCcoEzi\Per.exe.com
          Command line: C:\Users\Admin\AppData\Roaming\xWyktprslGXXCcoEzi\Per.exe.com o
          PID: 1016
          - Executes dropped EXE
      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        PID: 1484
        - Runs ping.exe
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 107KB
MD5: 37d64db57fd752986e622543824e0725
SHA1: b60b7fed41991144e1ebad4b39b2412a36fa195c
SHA256: 36e19eb1e5d62ada20ffe19e391429cba8d8d8dae5049efa0e48e7e542782d78
SHA512: 74f916e1ff9bce2bb420ab5505d9828e64a3d4e23cb97d3043a7a3378d92ef11e031ed186246135409102d4bdc35929d652e8c30b7445f896cdee7082b058b50
-
Filesize: 887KB
MD5: bad56ae474914adabb5dc6809e3f5dd1
SHA1: cf6165513ed373d5ad5ebeb1cb4ddf417bdc17dd
SHA256: 02eb64fc3ba40f3774a6fde8c0dcfc50bb9c34d83391f907271fcaff58814223
SHA512: 6b283363c60d8030a72629e6aa9ba355346e28bf736a10fbd2dc8e9b74ac1ffb45918125cc81e1929a1a8194e298676e614d5661addbab39a3461173b4ba9e81
-
Filesize: 598KB
MD5: 1075d9c9ddc5021e95c8f81a8410d29b
SHA1: 5e071d8362ef3d46779d761969e82055385a9ae4
SHA256: 596b2e47f3cd2b9cb75cf1ed1eeec58f0564eb8c6e8d64cb3610b0ae2d80ec2f
SHA512: f611d1ccdb87a12315567e491b59e36127017c92791cd89b77f681d520ce6d6b2972701daea39204e15539b65452c0b5e887af559b683d328e325415327ff993
-
Filesize: 921KB
MD5: 78ba0653a340bac5ff152b21a83626cc
SHA1: b12da9cb5d024555405040e65ad89d16ae749502
SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize: 921KB
MD5: 78ba0653a340bac5ff152b21a83626cc
SHA1: b12da9cb5d024555405040e65ad89d16ae749502
SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize: 921KB
MD5: 773ac9dd64caeec02da29baa94ed9d46
SHA1: 7a03637337ef579e1d3c48c451e07fee4b5b40df
SHA256: e810ef8c05059226d79d8b780d4aa8e79f37344a82005e5abcaf02ff5b22cdc0
SHA512: 9247f617380c38a3914c667cf0695a0c6707408184f6bb3a387df55b35cbd7be1e10c6062c62ae0b0ff36d7c3ddf1f7565d8c041aeec34b71898f27aa30d4e73
-
Filesize: 598KB
MD5: 1075d9c9ddc5021e95c8f81a8410d29b
SHA1: 5e071d8362ef3d46779d761969e82055385a9ae4
SHA256: 596b2e47f3cd2b9cb75cf1ed1eeec58f0564eb8c6e8d64cb3610b0ae2d80ec2f
SHA512: f611d1ccdb87a12315567e491b59e36127017c92791cd89b77f681d520ce6d6b2972701daea39204e15539b65452c0b5e887af559b683d328e325415327ff993
-
Filesize: 921KB
MD5: 78ba0653a340bac5ff152b21a83626cc
SHA1: b12da9cb5d024555405040e65ad89d16ae749502
SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317