f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6

Resubmissions

22-08-2024 18:43

240822-xc563asamh 10

21-08-2024 17:16

30-06-2024 00:59

20-06-2024 02:02

20-06-2024 01:44

19-06-2024 01:10

18-06-2024 20:40

18-06-2024 13:45

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b.gz
Size

306KB
MD5

b2303c3eb127d1ce6906d21d9d2d07a5
SHA1

700620e0f8efc992ac38cf32adc1010fee982217
SHA256

3419e0d470f83569be0927128b3e5f992800ceb8f9019fc44763876ed6d8000c
SHA512

4776400cc7d8107122992dce745dc2fa26c90edde6c0f5ec43272f5a21f9a516430765a225dad2c41a33b8d61f50e525973c6d38ca1189d9b49f068c05e73c04
SSDEEP

6144:9SuBf/w62PIghu6aEZjAetG333VhNqn9CqnOqzoKZ0H3ni91dQYdCdU0y:D462BPNGIYqnOqzoKZQ3CdQYIUz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

392 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

392 AcroRd32.exe
392 AcroRd32.exe

pid	process
392	AcroRd32.exe

pid	process
392	AcroRd32.exe
392	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2372 wrote to memory of 2876	2372	cmd.exe	rundll32.exe
PID 2372 wrote to memory of 2876	2372	cmd.exe	rundll32.exe
PID 2372 wrote to memory of 2876	2372	cmd.exe	rundll32.exe
PID 2876 wrote to memory of 2616	2876	rundll32.exe	rundll32.exe
PID 2876 wrote to memory of 2616	2876	rundll32.exe	rundll32.exe
PID 2876 wrote to memory of 2616	2876	rundll32.exe	rundll32.exe
PID 2616 wrote to memory of 392	2616	rundll32.exe	AcroRd32.exe
PID 2616 wrote to memory of 392	2616	rundll32.exe	AcroRd32.exe
PID 2616 wrote to memory of 392	2616	rundll32.exe	AcroRd32.exe
PID 2616 wrote to memory of 392	2616	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b.gz
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b.gz
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b.gz
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b.gz"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
34fc4e737491a8140099552f6b419dc3

SHA1
170a9c159789fb063247d0ba0346053d1fdc0c64

SHA256
ecfd7ea1ba36ee6136a88b3d9e55917a1cc9e7322e956b9f48881333f659a21c

SHA512
6a0d4019ff09fa8b07898ca191c2a84fb8e44cef89b630cc2776cdf3825f7b2dae485f2b6c4f013cbe964457fbe60a830dcec5b3de17e7be29dce26c03b29c79

Download Submit