893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
Size

364KB
MD5

72c482ad8052388343956fe092465e7c
SHA1

6b301063661ce24464060938823554a4d2e411d4
SHA256

893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321
SHA512

6318d94e1adff12fa42fb05d3a46bef337577ec68ba4cf993012d422c5ae09f6d928b936346538c75891085253565caee30614fa18cbb76586a96fa0324b3f3d
SSDEEP

6144:CbXE9OiTGfhEClq9ztilm4CNyG+4GgDNxDiRVBHePLBQsL:qU9XiuiitImy7wxQVB+TBQsL

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1924	pipipipipi.exe

Loads dropped DLL 5 IoCs

pid	Process
752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ololo\3t.jpg	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
File opened for modification	C:\Program Files (x86)\ololo\pipipipipi.exe	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
File opened for modification	C:\Program Files (x86)\ololo\olololo.bat	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
File opened for modification	C:\Program Files (x86)\ololo\p.txt	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
File opened for modification	C:\Program Files (x86)\ololo\3t.jpg	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
784	1924	WerFault.exe	30

Runs .reg file with regedit 1 IoCs

pid	Process
320	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1124	DllHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2044	752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe	28
PID 752 wrote to memory of 2044	752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe	28
PID 752 wrote to memory of 2044	752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe	28
PID 752 wrote to memory of 2044	752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe	28
PID 752 wrote to memory of 1924	752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe	30
PID 752 wrote to memory of 1924	752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe	30
PID 752 wrote to memory of 1924	752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe	30
PID 752 wrote to memory of 1924	752	893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe	30
PID 2044 wrote to memory of 320	2044	cmd.exe	32
PID 2044 wrote to memory of 320	2044	cmd.exe	32
PID 2044 wrote to memory of 320	2044	cmd.exe	32
PID 2044 wrote to memory of 320	2044	cmd.exe	32
PID 1924 wrote to memory of 784	1924	pipipipipi.exe	34
PID 1924 wrote to memory of 784	1924	pipipipipi.exe	34
PID 1924 wrote to memory of 784	1924	pipipipipi.exe	34
PID 1924 wrote to memory of 784	1924	pipipipipi.exe	34

C:\Users\Admin\AppData\Local\Temp\893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe
"C:\Users\Admin\AppData\Local\Temp\893d8f4eab9a1ca1002b6f0b4e86586e03b7ca5b9dc19e01fae9bec8b15f7321.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\ololo\olololo.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\regedit.exe
    regedit -s snapshot.reg
    3⤵
    - Runs .reg file with regedit
    PID:320
- C:\Program Files (x86)\ololo\pipipipipi.exe
  "C:\Program Files (x86)\ololo\pipipipipi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 364
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:784

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ololo\3t.jpg

Filesize
52KB

MD5
20fa9a18bcc7d0ac56752235bda71ff1

SHA1
bfc38d50c995dac42388c9681f31e3bffb12048c

SHA256
18a663b6b5cd7298af8ebe47c29d7c4f150b2864cfd5599723b82245f6846dcc

SHA512
ae0fb6491e2f0d7be6150189516afaa0225e82cb7809392667f3a3131e74270ba4e265c2878bb159ba1ff5656275eeb439fccbf5abe28ca49bee7294541778cb

Download Submit
C:\Program Files (x86)\ololo\olololo.bat

Filesize
56KB

MD5
e5af3dd46df77c166f55378507c5cbcb

SHA1
c2e5ff64d3e2fe0dcd2960164219f0031619653a

SHA256
3185d610a530e91e62fc95cd3c8b3df333d3254524417afc945b4c32b3e8d918

SHA512
0cab1d707b450588e579e099dad31f6c300d03b461ac12cfb8eabcc3ebe1d91859d2454cd82845d6ab233086397ac760fa7ebadcb3ad8871f32a6b96fcc42bec

Download Submit
C:\Program Files (x86)\ololo\p.txt

Filesize
2B

MD5
ac627ab1ccbdb62ec96e702f07f6425b

SHA1
9a79be611e0267e1d943da0737c6c51be67865a0

SHA256
8c1f1046219ddd216a023f792356ddf127fce372a72ec9b4cdac989ee5b0b455

SHA512
6781a9e05f5e327a138f3d09ce0211ce4f166d940a14b46373e44402a3f3754cab4109f62c50777cbc1e3c4f1b8e6234e8d0b41281571bf0e1bd480c12149830

Download Submit
C:\Program Files (x86)\ololo\pipipipipi.exe

Filesize
253KB

MD5
f4ab00e8243d57e5f8fe2cb1748b94d3

SHA1
f485809a23c8d262c06e7a5aa3784d3049baa42e

SHA256
86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd

SHA512
6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5

Download Submit
\Program Files (x86)\ololo\pipipipipi.exe

Filesize
253KB

MD5
f4ab00e8243d57e5f8fe2cb1748b94d3

SHA1
f485809a23c8d262c06e7a5aa3784d3049baa42e

SHA256
86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd

SHA512
6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5

Download Submit
\Program Files (x86)\ololo\pipipipipi.exe

Filesize
253KB

MD5
f4ab00e8243d57e5f8fe2cb1748b94d3

SHA1
f485809a23c8d262c06e7a5aa3784d3049baa42e

SHA256
86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd

SHA512
6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5

Download Submit
\Program Files (x86)\ololo\pipipipipi.exe

Filesize
253KB

MD5
f4ab00e8243d57e5f8fe2cb1748b94d3

SHA1
f485809a23c8d262c06e7a5aa3784d3049baa42e

SHA256
86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd

SHA512
6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5

Download Submit
\Program Files (x86)\ololo\pipipipipi.exe

Filesize
253KB

MD5
f4ab00e8243d57e5f8fe2cb1748b94d3

SHA1
f485809a23c8d262c06e7a5aa3784d3049baa42e

SHA256
86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd

SHA512
6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5

Download Submit
\Program Files (x86)\ololo\pipipipipi.exe

Filesize
253KB

MD5
f4ab00e8243d57e5f8fe2cb1748b94d3

SHA1
f485809a23c8d262c06e7a5aa3784d3049baa42e

SHA256
86e066b3d95e48fb9c9f81afdb4b19d3b40d32013a81ea57246ab8ab74f74ddd

SHA512
6eafd26bba65c381090e449d83f9c419c479d1d30d0c37848af7dfd78174e7f34a37442e0a0d6f83fd182a105dcf5e6658d5a0e4594418bb38be5a78b4443cb5

Download Submit
memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download