a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe

Analysis

max time kernel
152s
max time network
116s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 14:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe
Size

300KB
MD5

a0ca29f766a3730142da3ff0fd29038b
SHA1

a433016cb2667f7be1dc50855f6f1a77bce01162
SHA256

a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe
SHA512

5c017125de048f7c68cf50da4e012f48cac015702063dd1afaf0e267ab325b2c41759faa41d349780b2b0c2041fd1ceff03b623d87c7d400bad46475d87057a0
SSDEEP

3072:sYIpFhi9A4gfSIKdbRsQOO1OsobSp0xl6EPpc4VpJzNDdlcjBP:sFfhiq4gfSIctsQObG0xlfPpndiVP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pelum.exe

Executes dropped EXE 1 IoCs

pid	Process
1176	pelum.exe

Loads dropped DLL 2 IoCs

pid	Process
1000	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe
1000	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /j"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /c"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /d"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /t"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /b"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /v"	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /m"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /w"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /x"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /k"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /a"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /p"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /s"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /q"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /f"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /g"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /e"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /l"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /y"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /i"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /o"	pelum.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /z"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /u"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /v"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /h"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /r"	pelum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pelum = "C:\\Users\\Admin\\pelum.exe /n"	pelum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe
1176	pelum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1000	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe
1176	pelum.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1176	1000	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe	27
PID 1000 wrote to memory of 1176	1000	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe	27
PID 1000 wrote to memory of 1176	1000	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe	27
PID 1000 wrote to memory of 1176	1000	a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe	27

C:\Users\Admin\AppData\Local\Temp\a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe
"C:\Users\Admin\AppData\Local\Temp\a97d7408915157e446f5e2f853a62de59b5a087516f685764df56be1547224fe.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\pelum.exe
  "C:\Users\Admin\pelum.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\pelum.exe

Filesize
300KB

MD5
0d86ff12e27dc590ce4249d005aa0bcb

SHA1
a8e2281ff04422dcd8309a56be7a1e387cffdec7

SHA256
f7326a4bc406e4ac1ecee3f9ac8a66b3cb9fa642307c29f06036517f1dddfdb4

SHA512
20ae2711700e24ffc59f4e3bf661fdcc0a0422b7931547b24b4cc7e19ade836785ad2d924e9d161941edfb5b800a37213954393f639f1a3285336b08776b4fa4

Download Submit
C:\Users\Admin\pelum.exe

Filesize
300KB

MD5
0d86ff12e27dc590ce4249d005aa0bcb

SHA1
a8e2281ff04422dcd8309a56be7a1e387cffdec7

SHA256
f7326a4bc406e4ac1ecee3f9ac8a66b3cb9fa642307c29f06036517f1dddfdb4

SHA512
20ae2711700e24ffc59f4e3bf661fdcc0a0422b7931547b24b4cc7e19ade836785ad2d924e9d161941edfb5b800a37213954393f639f1a3285336b08776b4fa4

Download Submit
\Users\Admin\pelum.exe

Filesize
300KB

MD5
0d86ff12e27dc590ce4249d005aa0bcb

SHA1
a8e2281ff04422dcd8309a56be7a1e387cffdec7

SHA256
f7326a4bc406e4ac1ecee3f9ac8a66b3cb9fa642307c29f06036517f1dddfdb4

SHA512
20ae2711700e24ffc59f4e3bf661fdcc0a0422b7931547b24b4cc7e19ade836785ad2d924e9d161941edfb5b800a37213954393f639f1a3285336b08776b4fa4

Download Submit
\Users\Admin\pelum.exe

Filesize
300KB

MD5
0d86ff12e27dc590ce4249d005aa0bcb

SHA1
a8e2281ff04422dcd8309a56be7a1e387cffdec7

SHA256
f7326a4bc406e4ac1ecee3f9ac8a66b3cb9fa642307c29f06036517f1dddfdb4

SHA512
20ae2711700e24ffc59f4e3bf661fdcc0a0422b7931547b24b4cc7e19ade836785ad2d924e9d161941edfb5b800a37213954393f639f1a3285336b08776b4fa4

Download Submit
memory/1000-56-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download