9594160451608088b8e987328f0b13fb77d59bc99d27c4faad97e2ad834c5a65

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f48ff00102947acd17461bd8cbca9b71.exe
Size

857KB
MD5

f48ff00102947acd17461bd8cbca9b71
SHA1

ee356bc7752fdfe88ae3d5b1decf7e9008ca9223
SHA256

9594160451608088b8e987328f0b13fb77d59bc99d27c4faad97e2ad834c5a65
SHA512

3a9ddd74109aa17fdb2e6724817e96ad707c01f5e78804712c3201c0026f3de9fe103d3894b5682abf24110b6aeaf0ec2729d2c062eac6f6d7b2e299a1cfaa5a
SSDEEP

24576:mD3s67DbEXHWA8u5Hhfyip26+rVgINQu1I/N:4X7cXHOM+rKINQlN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2132	Olive.pif
3064	RegAsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2808	cmd.exe
2132	Olive.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2908	schtasks.exe
572	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2720	tasklist.exe
2700	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1680	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif
3064	RegAsm.exe
2132	Olive.pif
2132	Olive.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	tasklist.exe
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeBackupPrivilege	2856	vssvc.exe
Token: SeRestorePrivilege	2856	vssvc.exe
Token: SeAuditPrivilege	2856	vssvc.exe
Token: SeDebugPrivilege	3064	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2132	Olive.pif
2132	Olive.pif
2132	Olive.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3064	RegAsm.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2816	2040	f48ff00102947acd17461bd8cbca9b71.exe	29
PID 2040 wrote to memory of 2816	2040	f48ff00102947acd17461bd8cbca9b71.exe	29
PID 2040 wrote to memory of 2816	2040	f48ff00102947acd17461bd8cbca9b71.exe	29
PID 2040 wrote to memory of 2816	2040	f48ff00102947acd17461bd8cbca9b71.exe	29
PID 2816 wrote to memory of 2808	2816	cmd.exe	31
PID 2816 wrote to memory of 2808	2816	cmd.exe	31
PID 2816 wrote to memory of 2808	2816	cmd.exe	31
PID 2816 wrote to memory of 2808	2816	cmd.exe	31
PID 2808 wrote to memory of 2720	2808	cmd.exe	33
PID 2808 wrote to memory of 2720	2808	cmd.exe	33
PID 2808 wrote to memory of 2720	2808	cmd.exe	33
PID 2808 wrote to memory of 2720	2808	cmd.exe	33
PID 2808 wrote to memory of 2712	2808	cmd.exe	32
PID 2808 wrote to memory of 2712	2808	cmd.exe	32
PID 2808 wrote to memory of 2712	2808	cmd.exe	32
PID 2808 wrote to memory of 2712	2808	cmd.exe	32
PID 2808 wrote to memory of 2700	2808	cmd.exe	36
PID 2808 wrote to memory of 2700	2808	cmd.exe	36
PID 2808 wrote to memory of 2700	2808	cmd.exe	36
PID 2808 wrote to memory of 2700	2808	cmd.exe	36
PID 2808 wrote to memory of 2608	2808	cmd.exe	35
PID 2808 wrote to memory of 2608	2808	cmd.exe	35
PID 2808 wrote to memory of 2608	2808	cmd.exe	35
PID 2808 wrote to memory of 2608	2808	cmd.exe	35
PID 2808 wrote to memory of 2556	2808	cmd.exe	37
PID 2808 wrote to memory of 2556	2808	cmd.exe	37
PID 2808 wrote to memory of 2556	2808	cmd.exe	37
PID 2808 wrote to memory of 2556	2808	cmd.exe	37
PID 2808 wrote to memory of 2576	2808	cmd.exe	38
PID 2808 wrote to memory of 2576	2808	cmd.exe	38
PID 2808 wrote to memory of 2576	2808	cmd.exe	38
PID 2808 wrote to memory of 2576	2808	cmd.exe	38
PID 2808 wrote to memory of 2536	2808	cmd.exe	39
PID 2808 wrote to memory of 2536	2808	cmd.exe	39
PID 2808 wrote to memory of 2536	2808	cmd.exe	39
PID 2808 wrote to memory of 2536	2808	cmd.exe	39
PID 2808 wrote to memory of 2132	2808	cmd.exe	40
PID 2808 wrote to memory of 2132	2808	cmd.exe	40
PID 2808 wrote to memory of 2132	2808	cmd.exe	40
PID 2808 wrote to memory of 2132	2808	cmd.exe	40
PID 2808 wrote to memory of 1680	2808	cmd.exe	41
PID 2808 wrote to memory of 1680	2808	cmd.exe	41
PID 2808 wrote to memory of 1680	2808	cmd.exe	41
PID 2808 wrote to memory of 1680	2808	cmd.exe	41
PID 2132 wrote to memory of 572	2132	Olive.pif	46
PID 2132 wrote to memory of 572	2132	Olive.pif	46
PID 2132 wrote to memory of 572	2132	Olive.pif	46
PID 2132 wrote to memory of 672	2132	Olive.pif	42
PID 2132 wrote to memory of 672	2132	Olive.pif	42
PID 2132 wrote to memory of 672	2132	Olive.pif	42
PID 672 wrote to memory of 2908	672	cmd.exe	45
PID 672 wrote to memory of 2908	672	cmd.exe	45
PID 672 wrote to memory of 2908	672	cmd.exe	45
PID 2132 wrote to memory of 3064	2132	Olive.pif	47
PID 2132 wrote to memory of 3064	2132	Olive.pif	47
PID 2132 wrote to memory of 3064	2132	Olive.pif	47
PID 2132 wrote to memory of 3064	2132	Olive.pif	47
PID 2132 wrote to memory of 3064	2132	Olive.pif	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f48ff00102947acd17461bd8cbca9b71.exe
"C:\Users\Admin\AppData\Local\Temp\f48ff00102947acd17461bd8cbca9b71.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cmd < Maintains & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir 9800
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Sold + Transfer + Restructuring + Configure + Reflection + Week 9800\Olive.pif
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Kiss + Nine 9800\c
      4⤵
      PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9800\Olive.pif
      9800\Olive.pif 9800\c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\system32\cmd.exe
        
        cmd /c schtasks.exe /create /tn "Cannon" /tr "wscript 'C:\Users\Admin\AppData\Local\CloudShift Innovations\CloudRift.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:672
      - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Cannon" /tr "wscript 'C:\Users\Admin\AppData\Local\CloudShift Innovations\CloudRift.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2908
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "CloudRift" /tr "wscript 'C:\Users\Admin\AppData\Local\CloudShift Innovations\CloudRift.js'" /sc onlogon /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:572
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9800\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9800\RegAsm.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3064
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 15 localhost
      4⤵
      Runs ping.exe
      PID:1680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CloudShift Innovations\CloudRift.pif

Filesize
525KB

MD5
d681645b5236e1c0749eec6d5b0f9812

SHA1
c4953b68563d110ee9363d38638b9f1a1e0d37ff

SHA256
e1b404b1b698e7be95130b350d70646b5faf487786f772e8c8233fc7c94aadd3

SHA512
83f0e452cc9e653fec0a2e4a86feab47627ffb4e726c17d53e70b96f0674b62cd03e1056c82b37159af49dcba871be2511331d2a4ad9ab568272f019461b4f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9800\Olive.pif

Filesize
34KB

MD5
0f1fad67034163108bc062b590202cc2

SHA1
ac27da267cd3f3d7390ab57609befe995bbb862a

SHA256
f45d4e546a79671c1532ecb485da13ce3c046eb0201c2b87ef8fda8c8132bd7c

SHA512
af30d87d10bedc19d015bf3fd65de23cb32a9dd35a4d598f7f9880cee6c30a09e6e2caf0f0ff3c8684b9420004caa76bf7d25cac632d4a2fdc0eee59264cfa99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9800\Olive.pif

Filesize
538KB

MD5
a78e1c33d18ad3ac53fd24ed28581726

SHA1
5b356d54c7e42b9a28ad9fa7fd242822057c93e0

SHA256
3cc44296586c00a09edfec6891e5cb5637aa399b4d5517cca797209a031b6102

SHA512
d7bab35ae346dd93fc3e3bb67ca3c5765fc04e81dbf67e617a53dfa6bbbec5f019cce3d72366ac69d175ab29a05c7916fc717831953d63737bf72afbd0b34db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9800\c

Filesize
19KB

MD5
f74b62f6399639cece936b9f0548a009

SHA1
ebc165fc40ac8c752cb9c91456e8686cc576d709

SHA256
3dc00a9caf8863e9ece734451277cd868fa5d0417868444badff01e4ae958824

SHA512
f229d35690293d8db6fb3c6f0b4cfda3dac7d12aeda89ff2db10898bd15968e21a0b8054620b6ead21b56d8c5eaf03f8ec2c08ce3ba3dabb02332e839793c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Configure

Filesize
122KB

MD5
cb44bfe40c06621b415bc9f8d303ab69

SHA1
dad52fb68862474ee95169861f6ae78c240c75bd

SHA256
fe542b539cd0492d4e5b1a23acb91fdb0dd787f0b141040057328f62fe521ac6

SHA512
80cd711d08dafc6401cadf922dda09fb850b55f17b0f69514de7abec3b9eed8f2e215602d63f97637fe68bc9db9c9d6659f00a3dd15d6ff3adde42db572c4105

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Kiss

Filesize
49KB

MD5
20eafcbdbeb48b8c94dd892dbd4529ed

SHA1
07bf677b2880124723d352fbb8a9a4c9948c1723

SHA256
d2c617aec77a7bf99bbd7587a537f86b5b968cb38ced1f12c8ad42345eb7c463

SHA512
7a8f5b41e7afcced2a6be52ce253bc90d8bf594379d7afeaaae80662948577e80ee2b4e6b592155914ab835abfa7c5879d33bc1d82c26ea2b58dafac99c67c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Maintains

Filesize
12KB

MD5
87d218807ae95a7b05552592cbaebfe8

SHA1
08c8ef1cbeb8d326b78c9fb1e1a18b5241180650

SHA256
7b1445f9b72648472ac915e26aae0019507400af5067a41bdfb1d9c4fcd9a9e1

SHA512
39b3655abc32706e2ee582d48c254a0a0a7de34e7a7d997b6b1b5dce39bdb4792de6edfe5ce2dbc575900a111011f5ff38145811243cba3a2ae2d2f461583817

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nine

Filesize
34KB

MD5
4378ebce1928f322b2f3b0925db0eb2d

SHA1
64d2f70ced3fa451e53c08f019401a9734ea382a

SHA256
7539695b61a835354efaaeccdd89f04445ec33f2d3e8abeb9392960d5dab5167

SHA512
94fee5fe45f60764fc8cfcdcbb10c91e55902506394d0073863235bc43577f1b165a5bb5e9dc22245a1748fe1a6cb621e11597ce3b3309446c7a2364c4f1c007

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Reflection

Filesize
234KB

MD5
d0ab06e781ba44d4bd673c8268a716b9

SHA1
90140168a536e7fe25232e961f673e38553e6f15

SHA256
a63aa16f38cb47668359be4b774d9ebf5b08d7b1bdbb09e104d6de0d250cdd4a

SHA512
08cee1e4b3e47e3539afbab8cc393806da2ca21386deb380a7b5d2f6639fb80298f29a2c18d6931fece5a87a3f56c3b559c44ab423e15811afbd69f582750504

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Restructuring

Filesize
211KB

MD5
9e70f6828f507b6c6f12b51653887f66

SHA1
1a6625f1bf0bab012ecaadf4bd99531fe8ccb54e

SHA256
3c14a3923545dde896bf2b4949371228a262f824e7ad8c5329914d59cb2b06ce

SHA512
c1537c9464eef4b5c930bc6e12c9b75ef8484782157b02036ef7fad353e2c7dd26af2047b9fda595b1ca5b0312bdacfd9c840839ea7ef662f3ede165526ccdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sold

Filesize
213KB

MD5
7ca758d842a23282b89528f6a3a023d6

SHA1
1d83cb4e6b5bc20074816da43c557a50398757d3

SHA256
4428bf92a31c3402acb545b5adc77fda40a981d2e02af8eef564da17e8a0a2ea

SHA512
445104619f4d0d0212097f74c576c964f732faf9cbd741a909b18eeff94d905461cdff4ffe99aef5f4813cf89f5a6d7bfd95df961cb863720bf52c0cf57958ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Transfer

Filesize
27KB

MD5
fd9ac65a956b5c563d095b0cff7a4973

SHA1
ceed052efc93ef0f1dd5b6a0c9ae916894f0a5ea

SHA256
1bcd897b84d117c588321b013f6cf8e484ebdb38a58cd8049aa7ceee8cb885af

SHA512
8f22338247ef6bfe33f04b4785e7dd8c79a9782c5f4b4ad8ae705c4d8a0d7542d8a9d92ab4a4070253e92b0cf1ad9b1dbccca55c9ec2974627083507598b2e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Week

Filesize
22KB

MD5
85ae7a4cc929425a9b20a976a42a9b0e

SHA1
7020e64b403bb9e11773bf2304c769f940fabf2d

SHA256
1156ceaef3d94c3a46c25508978766a6e5376c2130af0f4d2084f656f86a5a3a

SHA512
47734cf377b8bd6bd381a26e6c8159b87e412fbf18763729f07bca29606a5e08d574bf1e9a8055889aba89a8b7e43a5ac64c659a814a427bf90175ea731b159b

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9800\Olive.pif

Filesize
27KB

MD5
70d4ccdede80c6c1b1d7069fd53827f0

SHA1
e70e4aa40490c21d25ec3939d3448dbaa8423b80

SHA256
faa04f9bf0a6721932e7b28aab42d529b6026cd3e09a2d1fdf254f2b13abbbb5

SHA512
693a084d996f77203927a4d51ffb78504b6d786da0427585cee2015fced20c5f94f574798b3d5923caefbc10b63dfca93d0fb61893d6e9f95fc8710fe7c5c08a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9800\RegAsm.exe

Filesize
62KB

MD5
a2284af079c78111b9b72e231b88508f

SHA1
aaa8804fd8577c468c912dd81047582d1ab6e3e0

SHA256
825de4ab6e824963a85f79ed1cd576a93a76d3ac78f2ac975895fe981b7d479a

SHA512
69f791e2f56bf3cb66f31848bb5ede20cab704b9822dca081d818a41d3cdd4a89d3f397c86b5bc2cb2219493b9e2a6e12f62321d66afd42d87ded4079c0ca8ca

Download Submit
memory/2040-0-0x0000000077A20000-0x0000000077AF6000-memory.dmp

Filesize
856KB

Download
memory/2132-39-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/3064-42-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3064-46-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-47-0x000000001B3F0000-0x000000001B470000-memory.dmp

Filesize
512KB

Download
memory/3064-48-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-49-0x000000001B3F0000-0x000000001B470000-memory.dmp

Filesize
512KB

Download