119c638ebfa6bfa3e479b9c605697878150dd88bf48e741ca06e0c21a5dc64b5

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YjreQbD.exe
Size

990KB
MD5

f0ee6ef61625a24692eb732cbae38181
SHA1

b0b3947af97884acb97f5bd7adec93174909723c
SHA256

9ed18a0b5e15bd4ecb73c5428e208b5d1b162274cfb0d6c62f7b5c3a04ec4d56
SHA512

f55a977927704fd37e280b3209e2c2512b6f46716a0d85622940b9eb158a0587eb45ec4f4575df97b69a68ee0730fc9a8ebf5a78e5832eceb33758732f707434
SSDEEP

24576:z7WQaGJy0sHg3fyKXLrlX1vFO88UbPdZYLP:WuJ3sA5MoBZ2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1376	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1544	Copriva.exe.pif

Loads dropped DLL 1 IoCs

pid	Process
568	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1312	tasklist.exe
640	tasklist.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	640	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1544	Copriva.exe.pif
1544	Copriva.exe.pif
1544	Copriva.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1544	Copriva.exe.pif
1544	Copriva.exe.pif
1544	Copriva.exe.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 864	1676	YjreQbD.exe	28
PID 1676 wrote to memory of 864	1676	YjreQbD.exe	28
PID 1676 wrote to memory of 864	1676	YjreQbD.exe	28
PID 1676 wrote to memory of 864	1676	YjreQbD.exe	28
PID 1676 wrote to memory of 848	1676	YjreQbD.exe	29
PID 1676 wrote to memory of 848	1676	YjreQbD.exe	29
PID 1676 wrote to memory of 848	1676	YjreQbD.exe	29
PID 1676 wrote to memory of 848	1676	YjreQbD.exe	29
PID 848 wrote to memory of 568	848	cmd.exe	31
PID 848 wrote to memory of 568	848	cmd.exe	31
PID 848 wrote to memory of 568	848	cmd.exe	31
PID 848 wrote to memory of 568	848	cmd.exe	31
PID 568 wrote to memory of 1312	568	cmd.exe	32
PID 568 wrote to memory of 1312	568	cmd.exe	32
PID 568 wrote to memory of 1312	568	cmd.exe	32
PID 568 wrote to memory of 1312	568	cmd.exe	32
PID 568 wrote to memory of 1496	568	cmd.exe	33
PID 568 wrote to memory of 1496	568	cmd.exe	33
PID 568 wrote to memory of 1496	568	cmd.exe	33
PID 568 wrote to memory of 1496	568	cmd.exe	33
PID 568 wrote to memory of 640	568	cmd.exe	35
PID 568 wrote to memory of 640	568	cmd.exe	35
PID 568 wrote to memory of 640	568	cmd.exe	35
PID 568 wrote to memory of 640	568	cmd.exe	35
PID 568 wrote to memory of 1460	568	cmd.exe	36
PID 568 wrote to memory of 1460	568	cmd.exe	36
PID 568 wrote to memory of 1460	568	cmd.exe	36
PID 568 wrote to memory of 1460	568	cmd.exe	36
PID 568 wrote to memory of 1860	568	cmd.exe	37
PID 568 wrote to memory of 1860	568	cmd.exe	37
PID 568 wrote to memory of 1860	568	cmd.exe	37
PID 568 wrote to memory of 1860	568	cmd.exe	37
PID 568 wrote to memory of 1544	568	cmd.exe	38
PID 568 wrote to memory of 1544	568	cmd.exe	38
PID 568 wrote to memory of 1544	568	cmd.exe	38
PID 568 wrote to memory of 1544	568	cmd.exe	38
PID 1676 wrote to memory of 1376	1676	YjreQbD.exe	39
PID 1676 wrote to memory of 1376	1676	YjreQbD.exe	39
PID 1676 wrote to memory of 1376	1676	YjreQbD.exe	39
PID 1676 wrote to memory of 1376	1676	YjreQbD.exe	39

C:\Users\Admin\AppData\Local\Temp\YjreQbD.exe
"C:\Users\Admin\AppData\Local\Temp\YjreQbD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Inebriato.wpd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq BullGuardCore.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1312
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "bullguardcore.exe"
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq PSUAService.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:640
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "psuaservice.exe"
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^hnmMYJRRrqYoFrCUDeZcgiwUFGxeTZLSdTQAAjLpnOemEnUaaWmdmmnybFisgOYrfuSMjezssQXAtBfuMwJXAxzRxKeVyzUJPZlnGiyfCiYJCYqVfqFhywCUMqaCZbjYVhKys$" Chiederai.wpd
      4⤵
      PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif
      Copriva.exe.pif o
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
186B

MD5
80f5d7b8923f76f75a9d0b7d869faf70

SHA1
5c727f73630593fdb3e68889adc6fc3b455bca32

SHA256
2469dab56f3df8b32182486bb0cf502c1f37529f89a016909d9ae6da8baa8ec2

SHA512
82a6968865951e260df306004abc01727fcc26344f109bd7251c668a4dd4fcf5056e20c2174ebc5a86ae96f979e5bce60b81b68bb9350c1ea4091bfa4ae918a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
186B

MD5
80f5d7b8923f76f75a9d0b7d869faf70

SHA1
5c727f73630593fdb3e68889adc6fc3b455bca32

SHA256
2469dab56f3df8b32182486bb0cf502c1f37529f89a016909d9ae6da8baa8ec2

SHA512
82a6968865951e260df306004abc01727fcc26344f109bd7251c668a4dd4fcf5056e20c2174ebc5a86ae96f979e5bce60b81b68bb9350c1ea4091bfa4ae918a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiederai.wpd

Filesize
872KB

MD5
4b084812c6fb13ba05a4be0758e66ccf

SHA1
0a2faed7c7e7486c71eb79b14c6e256b6c2b7598

SHA256
5d332940731caff69ab83afc4d6a8d24afbd145ec4ff1df52d89c7fc3005fe8f

SHA512
732800942e1a6660c5aacce488d798e220b959239d93a519ae9a41fd5b471be959077f3b630414ed4de1338f38fc72b551d01bf94801df27b7659104ae16793c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Egli.wpd

Filesize
866KB

MD5
c5ac89ff9e331db45cc5c117f6fac7fb

SHA1
39eae354ab757f49538c487de0996ed86dfe4628

SHA256
ef26635708a4a1a6dfefec2d4c434e62a40a14ada8816fd91ffb3b9ea9b49dd3

SHA512
2603880655da83f4304561b25961eadcb693876cfe50fb439e33d9eab89170eb505aee6b1ead3a4f29159cbb8bd053f39154b9c518ca69dc44b930d4509f760e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Inebriato.wpd

Filesize
12KB

MD5
0e7fa1e0cf013f39c47894a8cab1888c

SHA1
73f43280ad9becd805cdb3fa73cdd8cee60f5942

SHA256
c30f814d105434302bf0cba8962d19249558fea60d6c7ed1b11693e1d7debe92

SHA512
16f8d55bf1d60d344a3c6ae2e29a3fc6a4ccd5bd083a6dcb003448585a0d6913c6a817ebb16ddd057ef4952e3c80900ef7c6a578f509ea59ef7112d98fc2906d

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit