7c1b4faa8f4f16ec72f9bd1004328118e439bdb8b9dff10517511259a7ffce1f

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/04/2023, 13:48

Target

palladins.exe
Size

155KB
MD5

5decb43f4c0a36663e2b0d1610233f8a
SHA1

761675a45c81264d5c7b614042952c1c1dad167a
SHA256

7c1b4faa8f4f16ec72f9bd1004328118e439bdb8b9dff10517511259a7ffce1f
SHA512

545aa55135e35491fa5af381835327ed0f954d0f2a45a899fd1d7c2d5dd22dac6dc7148c39d88166fb77d25a8e466fa899f8a9b5d477f472c0c660d17342d27a
SSDEEP

3072:m7DhdC6kzWypvaQ0FxyNTBfgb2zKDSs96vHPR4zImTRPDTS:mBlkZvaF4NTBoSzAZoPRgIGTS

Score

5^/10

ransomware

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\shrek.jpg"	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1584	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2044	1728	palladins.exe	29
PID 1728 wrote to memory of 2044	1728	palladins.exe	29
PID 1728 wrote to memory of 2044	1728	palladins.exe	29
PID 1728 wrote to memory of 2044	1728	palladins.exe	29
PID 2044 wrote to memory of 1584	2044	cmd.exe	30
PID 2044 wrote to memory of 1584	2044	cmd.exe	30
PID 2044 wrote to memory of 1584	2044	cmd.exe	30
PID 2044 wrote to memory of 580	2044	cmd.exe	31
PID 2044 wrote to memory of 580	2044	cmd.exe	31
PID 2044 wrote to memory of 580	2044	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\palladins.exe
"C:\Users\Admin\AppData\Local\Temp\palladins.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1C6.tmp\1C7.tmp\1C8.bat C:\Users\Admin\AppData\Local\Temp\palladins.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command wget https://cdn.wallpapersafari.com/16/23/sEiG29.jpg -OutFile shrek.jpg
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /f /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\shrek.jpg
    3⤵
    - Sets desktop wallpaper using registry
    PID:580

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

C:\Users\Admin\AppData\Local\Temp\1C6.tmp\1C7.tmp\1C8.bat

Filesize
210B

MD5
134394bb6cf3ec8ae3bada15f9882713

SHA1
66383970b346002e6707a3044b35fc9e756bc63c

SHA256
fb5525c7ad654b48238d1ee68101aaa074a08a7986d75008ecb9c46650ea0f18

SHA512
c077ed621b4752bc4423930acf79f7297a7e982b8e4553223ff3fed148ba9a53ce49e8d9c1f04effab72b2be45d1418bc794e610d3dbdeabae5b82d21f11c298

Download Submit
memory/1584-60-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1584-61-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/1584-62-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1584-64-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/1584-63-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1584-65-0x000000000263B000-0x0000000002672000-memory.dmp

Filesize
220KB

Download