Analysis
- max time kernel: 124s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 19-10-2021 14:18
Static task: static1
Behavioral task: behavioral1
  Sample: E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe
  Resource: win10-en-20211014
General
- Target: E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe
- Size: 45.2MB
- MD5: e54c7926d270556a8431f5a1bd9f170d
- SHA1: 4ee0d0c23e5f02d9baeaadb013a88bf675ab6679
- SHA256: e3ea35fa7f983485414e4991f7b691f2d8938cd296a186a0f6d83d41d604f424
- SHA512: 7a63d708877c14cdb50b10683338416374ef72d5d88d6daf4a33acf92363fb5635f7d999db84e0b630278070071c8946da03b139d1db1e8b69a951666ce3126c
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    1764 | setup.exe
    1724 | setup.tmp
  Processes:
    resource | yara_rule
    \Program Files (x86)\FinalWire\AIDA64 Business\aida64.exe | upx
    \Program Files (x86)\FinalWire\AIDA64 Business\aida64.exe | upx
- Loads dropped DLL (4 IoCs)
  Processes:
    pid  | process
    320  | cmd.exe
    1764 | setup.exe
    1724 | setup.tmp
    1724 | setup.tmp
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (64 IoCs)
  Processes: setup.tmp, xcopy.exe
    description | ioc | process
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-698M4.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-53COH.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-EO9UJ.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-2CD79.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_icons10.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-FCA32.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-B656H.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-DFOMB.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-BM2SL.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-RL2Q7.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-92KUT.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-KBQV2.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-DHRUN.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_bench32.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-J7RLL.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-4O2R7.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-B17TS.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-UQSOT.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida64.exe | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-6FBIO.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-KPG0J.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-NOF0N.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-BS8KV.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\afaapi.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-0Q6JU.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-8EUNC.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-TCNBQ.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-73581.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\pkey.txt | xcopy.exe
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\ssleay32.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-OT4I2.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-I82PL.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-4OCGI.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\pkey.txt | xcopy.exe
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_icons2k.dll | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\storelibir-2.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-92QTI.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-DB8R7.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_rcc.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-CAHMP.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-LG5CF.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-A1Q84.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_rcs.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-6G04J.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-16UC5.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-QGEIL.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-A5FFF.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-GBIN5.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-UIVSP.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-R7TR3.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-QT2TR.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-8VNOD.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_uireshd.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-TC77M.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-T4IO9.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\storarc.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-AUIIO.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-HTDMF.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-EOM3N.tmp | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-30BNA.tmp | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_arc.dll | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\CUESDK_2015.dll | setup.tmp
    File opened for modification | C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_uires.dll | setup.tmp
    File created | C:\Program Files (x86)\FinalWire\AIDA64 Business\is-RSBJ1.tmp | setup.tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid  | process
    1660 | timeout.exe
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes: xcopy.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    1724 | setup.tmp
    1724 | setup.tmp
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid  | process
    1724 | setup.tmp
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes: E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe, cmd.exe, setup.exe
  (each of the six events below appears seven times in the report, 42 rows in total)
    description | pid | process | target process | occurrences
    PID 980 wrote to memory of 320 | 980 | E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe | cmd.exe | 7
    PID 320 wrote to memory of 484 | 320 | cmd.exe | mode.com | 7
    PID 320 wrote to memory of 1660 | 320 | cmd.exe | timeout.exe | 7
    PID 320 wrote to memory of 1764 | 320 | cmd.exe | setup.exe | 7
    PID 1764 wrote to memory of 1724 | 1764 | setup.exe | setup.tmp | 7
    PID 320 wrote to memory of 1812 | 320 | cmd.exe | xcopy.exe | 7
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe"
  - Suspicious use of WriteProcessMemory
  PID: 980
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd" /S"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 320
    - [depth 3] C:\Windows\SysWOW64\mode.com
      Command line: mode 132,36
      PID: 484
    - [depth 3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /T 10 /NOBREAK
      - Delays execution with timeout.exe
      PID: 1660
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      Command line: setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1764
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\is-NH49J.tmp\setup.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-NH49J.tmp\setup.tmp" /SL5="$10188,83901318,831488,C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        PID: 1724
    - [depth 3] C:\Windows\SysWOW64\xcopy.exe
      Command line: "xcopy.exe" "Vinny27\pkey.txt" "C:\Program Files (x86)\FinalWire\AIDA64 Business\" /s /i /r /v /k /f /c /h /y
      - Drops file in Program Files directory
      - Enumerates system info in registry
      PID: 1812
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd
  MD5: d98a0e1c48a29ecc3835abbc4af60a8a
  SHA1: f7e8134df925e3a2a011a59f98d8648a06694037
  SHA256: f984d4808ec9ff39102c2efbc7750dae8f3750ade91771269ebf482c5ba20370
  SHA512: e821ce65eae38f53c3a8abb253a670bb00911cdab9e0054a357c4697363b20e3944dfd36f0b1644604a7d462b7296af28f43d54ad5a6e45cb6c9b77f2bbff87e
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27\pkey.txt
  MD5: 738b75560f21128d58608ed6a7820e3c
  SHA1: 8159b21ca357f3e9d84a1efee8e57ea0472ea229
  SHA256: ee5bc53d6214ee6e86a84e8eb79c9265665bc0eaa486ddbbf3868ccee91fbb49
  SHA512: aaf01745545a807297ac32290510961d368ad650acda69805560d6fcdbd4fe9a87e0ede71dd48eba644c5dddc1ec0e1718dc87000f280bf662ab69c904e50930
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  MD5: 1d0116582c0c0c97162b8e2df022a01a
  SHA1: 3ac232321ede6c0be10075562c2c2d7ccea7348a
  SHA256: 54aa96dc51a85bf16db4b42ce3f2133511dcc9bb912c72ee2ca9ba049ebe94ee
  SHA512: b73c71b199d79f3175f3fe16d1c74a0e3638e5887ebc1a3827c91fd814ff4317afcb3d8602a3aae2989fb1588f6f7cb52f944e4faadb9bf276bbdd7d94683705
- C:\Users\Admin\AppData\Local\Temp\is-NH49J.tmp\setup.tmp
  MD5: dd4ab9a411613c117256eaff11d8bb36
  SHA1: c80752721462dbca7b6d10b96be020a73346887d
  SHA256: a6ab1b5bc86f2ef64970ba745e42883ab6379f1590daf8a366334ee0eb112f8e
  SHA512: f203ac48aac1552581770ff22e50503c21253a36f0d16c08583280c3f3a1a81b828360897611a487fdd6b6019b2a25220e979093012860ef7747512e7193d48f
- \Program Files (x86)\FinalWire\AIDA64 Business\aida64.exe
  MD5: 59c97d624349f116f1153b3f9ec1f4aa
  SHA1: a43b51664205f413c9f4893fd97560915d161898
  SHA256: 8308317be36504375fbf1c50c8e3f35672889d88ef3e787691f2c8ffb43b9540
  SHA512: a66a4d1b4558bd3e929fbedf2528e405c37fad60551b9b03b745156988be058ea2e85ea369203669551f18ab2cb890b9acf25ff84e45834223d5480601c2ba93
- \Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  MD5: 1d0116582c0c0c97162b8e2df022a01a
  SHA1: 3ac232321ede6c0be10075562c2c2d7ccea7348a
  SHA256: 54aa96dc51a85bf16db4b42ce3f2133511dcc9bb912c72ee2ca9ba049ebe94ee
  SHA512: b73c71b199d79f3175f3fe16d1c74a0e3638e5887ebc1a3827c91fd814ff4317afcb3d8602a3aae2989fb1588f6f7cb52f944e4faadb9bf276bbdd7d94683705
- \Users\Admin\AppData\Local\Temp\is-NH49J.tmp\setup.tmp
  MD5: dd4ab9a411613c117256eaff11d8bb36
  SHA1: c80752721462dbca7b6d10b96be020a73346887d
  SHA256: a6ab1b5bc86f2ef64970ba745e42883ab6379f1590daf8a366334ee0eb112f8e
  SHA512: f203ac48aac1552581770ff22e50503c21253a36f0d16c08583280c3f3a1a81b828360897611a487fdd6b6019b2a25220e979093012860ef7747512e7193d48f
- memory/320-54-0x0000000000000000-mapping.dmp
- memory/484-57-0x0000000000000000-mapping.dmp
- memory/980-53-0x00000000757B1000-0x00000000757B3000-memory.dmp (Filesize: 8KB)
- memory/1660-59-0x0000000000000000-mapping.dmp
- memory/1724-70-0x0000000000000000-mapping.dmp
- memory/1724-74-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/1724-73-0x0000000073E91000-0x0000000073E93000-memory.dmp (Filesize: 8KB)
- memory/1764-68-0x0000000000400000-0x00000000004D8000-memory.dmp (Filesize: 864KB)
- memory/1764-63-0x0000000000000000-mapping.dmp
- memory/1812-78-0x0000000000000000-mapping.dmp