8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53

Analysis

max time kernel
239s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe
Size

1.5MB
MD5

a83524600f0c8325ea4235f0f4afaa8a
SHA1

dfecbb9aa82d4bffe4709e252b113652ac860e1f
SHA256

8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53
SHA512

621bc5e109dab21100518cc73cd7ff60df202fb17a5870062362dc16aaaeec562d5c170568e1d3df105f7af1125ea6ffa6c925a840c28a23aa5053a94682e15d
SSDEEP

24576:8oV9MQIcSuxwOGyb/qIouL4bPhg/pSgvj98hmDIBXrg6A9tYQIMYYWvlo6AhdprQ:ZV9wWf/XLlj9JMXrgyRNuKEYR

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
888	-=Ðûáàëêà v.3.7=-.exe
1284	-=Ðûáàëêà WiFi=-.exe

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Loads dropped DLL 7 IoCs

pid	Process
1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe
1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe
1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe
888	-=Ðûáàëêà v.3.7=-.exe
888	-=Ðûáàëêà v.3.7=-.exe
888	-=Ðûáàëêà v.3.7=-.exe
888	-=Ðûáàëêà v.3.7=-.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\user16 = "C:\\Windows\\system32\\winhlp.exe"	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
1808	PING.EXE
1032	PING.EXE
1516	PING.EXE
1316	PING.EXE
1764	PING.EXE
1768	PING.EXE
396	PING.EXE
1040	PING.EXE
1752	PING.EXE
892	PING.EXE
524	PING.EXE
1156	PING.EXE
572	PING.EXE
1064	PING.EXE
1528	PING.EXE
1492	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1716	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	28
PID 1696 wrote to memory of 1716	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	28
PID 1696 wrote to memory of 1716	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	28
PID 1696 wrote to memory of 1716	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	28
PID 1716 wrote to memory of 572	1716	cmd.exe	30
PID 1716 wrote to memory of 572	1716	cmd.exe	30
PID 1716 wrote to memory of 572	1716	cmd.exe	30
PID 1716 wrote to memory of 572	1716	cmd.exe	30
PID 1716 wrote to memory of 1064	1716	cmd.exe	31
PID 1716 wrote to memory of 1064	1716	cmd.exe	31
PID 1716 wrote to memory of 1064	1716	cmd.exe	31
PID 1716 wrote to memory of 1064	1716	cmd.exe	31
PID 1716 wrote to memory of 1528	1716	cmd.exe	32
PID 1716 wrote to memory of 1528	1716	cmd.exe	32
PID 1716 wrote to memory of 1528	1716	cmd.exe	32
PID 1716 wrote to memory of 1528	1716	cmd.exe	32
PID 1716 wrote to memory of 396	1716	cmd.exe	33
PID 1716 wrote to memory of 396	1716	cmd.exe	33
PID 1716 wrote to memory of 396	1716	cmd.exe	33
PID 1716 wrote to memory of 396	1716	cmd.exe	33
PID 1716 wrote to memory of 1492	1716	cmd.exe	34
PID 1716 wrote to memory of 1492	1716	cmd.exe	34
PID 1716 wrote to memory of 1492	1716	cmd.exe	34
PID 1716 wrote to memory of 1492	1716	cmd.exe	34
PID 1716 wrote to memory of 892	1716	cmd.exe	35
PID 1716 wrote to memory of 892	1716	cmd.exe	35
PID 1716 wrote to memory of 892	1716	cmd.exe	35
PID 1716 wrote to memory of 892	1716	cmd.exe	35
PID 1716 wrote to memory of 524	1716	cmd.exe	36
PID 1716 wrote to memory of 524	1716	cmd.exe	36
PID 1716 wrote to memory of 524	1716	cmd.exe	36
PID 1716 wrote to memory of 524	1716	cmd.exe	36
PID 1716 wrote to memory of 1516	1716	cmd.exe	37
PID 1716 wrote to memory of 1516	1716	cmd.exe	37
PID 1716 wrote to memory of 1516	1716	cmd.exe	37
PID 1716 wrote to memory of 1516	1716	cmd.exe	37
PID 1716 wrote to memory of 1316	1716	cmd.exe	38
PID 1716 wrote to memory of 1316	1716	cmd.exe	38
PID 1716 wrote to memory of 1316	1716	cmd.exe	38
PID 1716 wrote to memory of 1316	1716	cmd.exe	38
PID 1716 wrote to memory of 1764	1716	cmd.exe	39
PID 1716 wrote to memory of 1764	1716	cmd.exe	39
PID 1716 wrote to memory of 1764	1716	cmd.exe	39
PID 1716 wrote to memory of 1764	1716	cmd.exe	39
PID 1716 wrote to memory of 1040	1716	cmd.exe	40
PID 1716 wrote to memory of 1040	1716	cmd.exe	40
PID 1716 wrote to memory of 1040	1716	cmd.exe	40
PID 1716 wrote to memory of 1040	1716	cmd.exe	40
PID 1716 wrote to memory of 1768	1716	cmd.exe	41
PID 1716 wrote to memory of 1768	1716	cmd.exe	41
PID 1716 wrote to memory of 1768	1716	cmd.exe	41
PID 1716 wrote to memory of 1768	1716	cmd.exe	41
PID 1716 wrote to memory of 1156	1716	cmd.exe	43
PID 1716 wrote to memory of 1156	1716	cmd.exe	43
PID 1716 wrote to memory of 1156	1716	cmd.exe	43
PID 1716 wrote to memory of 1156	1716	cmd.exe	43
PID 1696 wrote to memory of 888	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	42
PID 1696 wrote to memory of 888	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	42
PID 1696 wrote to memory of 888	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	42
PID 1696 wrote to memory of 888	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	42
PID 1696 wrote to memory of 888	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	42
PID 1696 wrote to memory of 888	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	42
PID 1696 wrote to memory of 888	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	42
PID 1696 wrote to memory of 1284	1696	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	44

C:\Users\Admin\AppData\Local\Temp\8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe
"C:\Users\Admin\AppData\Local\Temp\8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\x.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:572
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1064
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1528
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:396
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1492
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:892
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:524
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1516
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1316
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1764
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1040
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1768
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1156
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1808
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1752
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:1032
- C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe
  "C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:888
- C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe
  "C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe"
  2⤵
  - Executes dropped EXE
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe

Filesize
28KB

MD5
7406f26c79c8bfb0db71e625d692578b

SHA1
e65d490a1e684d39d7a7ac245f8040d7f8b7e392

SHA256
cae761494db7d9e6588eccd90f648a3491394096c81c42b72808e0fca9486fc6

SHA512
7bf09fa51cd3d242cfac2a4df95878e07cef5143fe955d65545138d15f92ed99414dfc2a300d896e6c9d61f1bbe26824245fe39514a114230775ea7f7bdf6e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe

Filesize
1.5MB

MD5
8d377cdbfe9e1ebbf926cd7bb73e0e26

SHA1
4c8cf63aa8c15ce2935599aeb524dfe1dfa1036e

SHA256
d94ff1ba9b7c2a81efe20b4361bff396f8643f34ad79bf9442d101f4dbfd8ca7

SHA512
81c6677d0bfd4b0aec6ac98ce78e68f35d5675cbf10cbe4a646d389adea4708e6879d6df64b2b75d073feb43e0f0a06a85d92f0188f29155bf2c043e05aaa01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe

Filesize
1.5MB

MD5
8d377cdbfe9e1ebbf926cd7bb73e0e26

SHA1
4c8cf63aa8c15ce2935599aeb524dfe1dfa1036e

SHA256
d94ff1ba9b7c2a81efe20b4361bff396f8643f34ad79bf9442d101f4dbfd8ca7

SHA512
81c6677d0bfd4b0aec6ac98ce78e68f35d5675cbf10cbe4a646d389adea4708e6879d6df64b2b75d073feb43e0f0a06a85d92f0188f29155bf2c043e05aaa01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.bat

Filesize
365B

MD5
18bfb77affa016adfc9c0eb4c354b869

SHA1
0716942707024085e41bf88ea92c587b45536fe5

SHA256
5fb389fe090b55387651cce98c4c8018334f135b6303b671552c78ef6cffacbc

SHA512
253d4c5cf11e642f8ea71dcde491e954b8b7cc2193a3b1dd18b297a7dc12c705b9af9b2c0e808a1240072d9bafce3489e0eb80b579e07b3b645225cfaa0c19b1

Download Submit
\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe

Filesize
28KB

MD5
7406f26c79c8bfb0db71e625d692578b

SHA1
e65d490a1e684d39d7a7ac245f8040d7f8b7e392

SHA256
cae761494db7d9e6588eccd90f648a3491394096c81c42b72808e0fca9486fc6

SHA512
7bf09fa51cd3d242cfac2a4df95878e07cef5143fe955d65545138d15f92ed99414dfc2a300d896e6c9d61f1bbe26824245fe39514a114230775ea7f7bdf6e37

Download Submit
\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe

Filesize
28KB

MD5
7406f26c79c8bfb0db71e625d692578b

SHA1
e65d490a1e684d39d7a7ac245f8040d7f8b7e392

SHA256
cae761494db7d9e6588eccd90f648a3491394096c81c42b72808e0fca9486fc6

SHA512
7bf09fa51cd3d242cfac2a4df95878e07cef5143fe955d65545138d15f92ed99414dfc2a300d896e6c9d61f1bbe26824245fe39514a114230775ea7f7bdf6e37

Download Submit
\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe

Filesize
1.5MB

MD5
8d377cdbfe9e1ebbf926cd7bb73e0e26

SHA1
4c8cf63aa8c15ce2935599aeb524dfe1dfa1036e

SHA256
d94ff1ba9b7c2a81efe20b4361bff396f8643f34ad79bf9442d101f4dbfd8ca7

SHA512
81c6677d0bfd4b0aec6ac98ce78e68f35d5675cbf10cbe4a646d389adea4708e6879d6df64b2b75d073feb43e0f0a06a85d92f0188f29155bf2c043e05aaa01d

Download Submit
\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe

Filesize
1.5MB

MD5
8d377cdbfe9e1ebbf926cd7bb73e0e26

SHA1
4c8cf63aa8c15ce2935599aeb524dfe1dfa1036e

SHA256
d94ff1ba9b7c2a81efe20b4361bff396f8643f34ad79bf9442d101f4dbfd8ca7

SHA512
81c6677d0bfd4b0aec6ac98ce78e68f35d5675cbf10cbe4a646d389adea4708e6879d6df64b2b75d073feb43e0f0a06a85d92f0188f29155bf2c043e05aaa01d

Download Submit
\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe

Filesize
1.5MB

MD5
8d377cdbfe9e1ebbf926cd7bb73e0e26

SHA1
4c8cf63aa8c15ce2935599aeb524dfe1dfa1036e

SHA256
d94ff1ba9b7c2a81efe20b4361bff396f8643f34ad79bf9442d101f4dbfd8ca7

SHA512
81c6677d0bfd4b0aec6ac98ce78e68f35d5675cbf10cbe4a646d389adea4708e6879d6df64b2b75d073feb43e0f0a06a85d92f0188f29155bf2c043e05aaa01d

Download Submit
\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe

Filesize
1.5MB

MD5
8d377cdbfe9e1ebbf926cd7bb73e0e26

SHA1
4c8cf63aa8c15ce2935599aeb524dfe1dfa1036e

SHA256
d94ff1ba9b7c2a81efe20b4361bff396f8643f34ad79bf9442d101f4dbfd8ca7

SHA512
81c6677d0bfd4b0aec6ac98ce78e68f35d5675cbf10cbe4a646d389adea4708e6879d6df64b2b75d073feb43e0f0a06a85d92f0188f29155bf2c043e05aaa01d

Download Submit
\Users\Admin\AppData\Local\Temp\gert0.dll

Filesize
88KB

MD5
33976355fddbceb0fbe54887ee4d1596

SHA1
914c49a8a58605186d7dabeb3a67b88578c84c14

SHA256
51baaf313b57462eaa38aaf69aea6e8dbbc20f3714343817266e7f35bc2235fb

SHA512
be34e4042074da841cfbdbe3a379489b7a968f69a2bb372ce5925e0328d259af2fc0d29d02a787b8d4cfe70158bfc018bf7f6da35c26e670aea847efe3cb8389

Download Submit
memory/396-60-0x0000000000000000-mapping.dmp

Download
memory/524-63-0x0000000000000000-mapping.dmp

Download
memory/572-57-0x0000000000000000-mapping.dmp

Download
memory/888-71-0x0000000000000000-mapping.dmp

Download
memory/892-62-0x0000000000000000-mapping.dmp

Download
memory/1032-85-0x0000000000000000-mapping.dmp

Download
memory/1040-67-0x0000000000000000-mapping.dmp

Download
memory/1064-58-0x0000000000000000-mapping.dmp

Download
memory/1156-70-0x0000000000000000-mapping.dmp

Download
memory/1284-76-0x0000000000000000-mapping.dmp

Download
memory/1316-65-0x0000000000000000-mapping.dmp

Download
memory/1492-61-0x0000000000000000-mapping.dmp

Download
memory/1516-64-0x0000000000000000-mapping.dmp

Download
memory/1528-59-0x0000000000000000-mapping.dmp

Download
memory/1696-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1716-55-0x0000000000000000-mapping.dmp

Download
memory/1752-84-0x0000000000000000-mapping.dmp

Download
memory/1764-66-0x0000000000000000-mapping.dmp

Download
memory/1768-68-0x0000000000000000-mapping.dmp

Download
memory/1808-83-0x0000000000000000-mapping.dmp

Download