Analysis
- max time kernel: 148s
- max time network: 77s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 25/02/2023, 14:44
Static task: static1
Behavioral task: behavioral1
- Sample: E&V - PO.61370025177.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: E&V - PO.61370025177.exe
- Resource: win10v2004-20230220-en
General
- Target: E&V - PO.61370025177.exe
- Size: 903KB
- MD5: cc2e6a027d9a95e1b2df73f1b0350107
- SHA1: 0d0899b4940db158978fa66d92e40e0c013d3e1d
- SHA256: e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784
- SHA512: 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a
- SSDEEP: 24576:j9JiT/gnOmk/3T911111111111111dODiRu4N:2gny11111111111111GiR5
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk | E&V - PO.61370025177.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1228 | kdiurdjk.exe
  1044 | Xapfnzes.exe
  884 | Xapfnzes.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  512 | cmd.exe
  1228 | kdiurdjk.exe
  1044 | Xapfnzes.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1228 set thread context of 432 | 1228 | kdiurdjk.exe | 33
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 2 IoCs)
  pid | Process
  2016 | PING.EXE
  1108 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1712 | E&V - PO.61370025177.exe (this same row is listed 64 times in the report)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1712 | E&V - PO.61370025177.exe
  Token: SeDebugPrivilege | 1228 | kdiurdjk.exe
  Token: SeDebugPrivilege | 1044 | Xapfnzes.exe
  Token: SeDebugPrivilege | 884 | Xapfnzes.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target
  PID 1712 wrote to memory of 512 | 1712 | E&V - PO.61370025177.exe | 28 (listed 4 times)
  PID 512 wrote to memory of 2016 | 512 | cmd.exe | 30 (listed 4 times)
  PID 512 wrote to memory of 1108 | 512 | cmd.exe | 31 (listed 4 times)
  PID 512 wrote to memory of 1228 | 512 | cmd.exe | 32 (listed 4 times)
  PID 1228 wrote to memory of 432 | 1228 | kdiurdjk.exe | 33 (listed 12 times)
  PID 1228 wrote to memory of 1044 | 1228 | kdiurdjk.exe | 34 (listed 4 times)
  PID 1044 wrote to memory of 884 | 1044 | Xapfnzes.exe | 35 (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"
  PID: 1712
  Signatures: Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
    PID: 512
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 17
      PID: 2016
      Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 17
      PID: 1108
      Signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
      Command line: "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
      PID: 1228
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        PID: 432
      - C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
        PID: 1044
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
          PID: 884
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads