Resubmissions

22-08-2024 18:43

240822-xc563asamh 10

21-08-2024 17:16

240821-vtjnaathnq 10

30-06-2024 00:59

240630-bcjr6svbkk 10

20-06-2024 02:02

240620-cf43ysxbnk 10

20-06-2024 01:44

240620-b5v1xawemk 10

19-06-2024 01:10

240619-bjmseavfmp 10

18-06-2024 20:40

240618-zfwsxawdpa 10

18-06-2024 13:45

240618-q2vcjawdle 10

Analysis

  • max time kernel
    29s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 02:02

General

  • Target

    Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll

  • Size

    353KB

  • MD5

    71b6a493388e7d0b40c83ce903bc6b04

  • SHA1

    34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

  • SHA256

    027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

  • SHA512

    072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

  • SSDEEP

    6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

Malware Config

Signatures

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed9.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed9.dll,#1
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 03:05
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 03:05
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2604
      • C:\Users\Admin\AppData\Local\Temp\18AF.tmp
        "C:\Users\Admin\AppData\Local\Temp\18AF.tmp" \\.\pipe\{44477BE6-6221-4AB6-9444-42F211AB0561}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2568

Network


MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\18AF.tmp

    Filesize

    55KB

    MD5

    7e37ab34ecdcc3e77e24522ddfd4852d

    SHA1

    38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

    SHA256

    02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

    SHA512

    1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

  • memory/3028-0-0x00000000002F0000-0x000000000034E000-memory.dmp

    Filesize

    376KB

  • memory/3028-8-0x00000000002F0000-0x000000000034E000-memory.dmp

    Filesize

    376KB

  • memory/3028-9-0x00000000002F0000-0x000000000034E000-memory.dmp

    Filesize

    376KB

  • memory/3028-11-0x00000000002F0000-0x000000000034E000-memory.dmp

    Filesize

    376KB

  • memory/3028-25-0x00000000002F0000-0x000000000034E000-memory.dmp

    Filesize

    376KB
