96913da5c4d6922d34b872708846772f9402dd2529bbce6bc4d4dfc3078b35bd

General

Target

E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe
Size

45.2MB
MD5

e54c7926d270556a8431f5a1bd9f170d
SHA1

4ee0d0c23e5f02d9baeaadb013a88bf675ab6679
SHA256

e3ea35fa7f983485414e4991f7b691f2d8938cd296a186a0f6d83d41d604f424
SHA512

7a63d708877c14cdb50b10683338416374ef72d5d88d6daf4a33acf92363fb5635f7d999db84e0b630278070071c8946da03b139d1db1e8b69a951666ce3126c

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

setup.exesetup.tmp

pid process

3948 setup.exe
724 setup.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3948	setup.exe
724	setup.tmp

Drops file in Program Files directory 64 IoCs

Processes:

setup.tmpxcopy.exe

description	ioc	process
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-H2HBG.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-5VCPN.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\afaapi.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-2K0E2.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-DVN9M.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-LUUBG.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_icons10.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-RE1LK.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-19UH4.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-8I4LN.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-329BO.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida64.chm	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_bench32.dll	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_mondiag.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-VB0QF.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-EEIS2.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-IL86J.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-5VQ6R.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-O6NT9.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-JHK9E.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\pkey.txt	xcopy.exe
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_icons2k.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-0977K.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-G0O66.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-BHR1D.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_bench64.dll	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\storelib.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-3EOPI.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-T8QAU.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-NDRQS.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-DAUL8.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-EL7MD.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\ssleay32.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-RP8MT.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-AF156.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\storarc.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-RQ4R7.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-L1VPE.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-G2JVO.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-L6UMS.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-9CK1A.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_uireshd.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-MS61U.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-E0K6J.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_helper64.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-839JC.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_arc.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-FB8T2.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-2HFQJ.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-0ETSH.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-4LFOK.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_rcc.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-76L02.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\storelibir-2.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-8Q1VL.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-GB2K1.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-KAHK8.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-V920F.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-3I5KO.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-GDTGI.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\libeay32.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-M24E8.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\unins000.dat	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3204 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

setup.tmp

pid process

724 setup.tmp
724 setup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup.tmp

pid process

724 setup.tmp

pid	process
3204	timeout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
724	setup.tmp
724	setup.tmp

pid	process
724	setup.tmp

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.execmd.exesetup.exe

description	pid	process	target process
PID 1524 wrote to memory of 792	1524	E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe	cmd.exe
PID 1524 wrote to memory of 792	1524	E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe	cmd.exe
PID 1524 wrote to memory of 792	1524	E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe	cmd.exe
PID 792 wrote to memory of 1356	792	cmd.exe	mode.com
PID 792 wrote to memory of 1356	792	cmd.exe	mode.com
PID 792 wrote to memory of 1356	792	cmd.exe	mode.com
PID 792 wrote to memory of 3204	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 3204	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 3204	792	cmd.exe	timeout.exe
PID 792 wrote to memory of 3948	792	cmd.exe	setup.exe
PID 792 wrote to memory of 3948	792	cmd.exe	setup.exe
PID 792 wrote to memory of 3948	792	cmd.exe	setup.exe
PID 3948 wrote to memory of 724	3948	setup.exe	setup.tmp
PID 3948 wrote to memory of 724	3948	setup.exe	setup.tmp
PID 3948 wrote to memory of 724	3948	setup.exe	setup.tmp
PID 792 wrote to memory of 380	792	cmd.exe	xcopy.exe
PID 792 wrote to memory of 380	792	cmd.exe	xcopy.exe
PID 792 wrote to memory of 380	792	cmd.exe	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe
"C:\Users\Admin\AppData\Local\Temp\E3EA35FA7F983485414E4991F7B691F2D8938CD296A186A0F6D83D41D604F424.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd" /S"
2⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\mode.com
mode 132,36
3⤵
PID:1356

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3204

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\is-77UBH.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-77UBH.tmp\setup.tmp" /SL5="$60080,83901318,831488,C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:724

C:\Windows\SysWOW64\xcopy.exe
"xcopy.exe" "Vinny27\pkey.txt" "C:\Program Files (x86)\FinalWire\AIDA64 Business\" /s /i /r /v /k /f /c /h /y
3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd
MD5
d98a0e1c48a29ecc3835abbc4af60a8a

SHA1
f7e8134df925e3a2a011a59f98d8648a06694037

SHA256
f984d4808ec9ff39102c2efbc7750dae8f3750ade91771269ebf482c5ba20370

SHA512
e821ce65eae38f53c3a8abb253a670bb00911cdab9e0054a357c4697363b20e3944dfd36f0b1644604a7d462b7296af28f43d54ad5a6e45cb6c9b77f2bbff87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27\pkey.txt
MD5
738b75560f21128d58608ed6a7820e3c

SHA1
8159b21ca357f3e9d84a1efee8e57ea0472ea229

SHA256
ee5bc53d6214ee6e86a84e8eb79c9265665bc0eaa486ddbbf3868ccee91fbb49

SHA512
aaf01745545a807297ac32290510961d368ad650acda69805560d6fcdbd4fe9a87e0ede71dd48eba644c5dddc1ec0e1718dc87000f280bf662ab69c904e50930

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
MD5
1d0116582c0c0c97162b8e2df022a01a

SHA1
3ac232321ede6c0be10075562c2c2d7ccea7348a

SHA256
54aa96dc51a85bf16db4b42ce3f2133511dcc9bb912c72ee2ca9ba049ebe94ee

SHA512
b73c71b199d79f3175f3fe16d1c74a0e3638e5887ebc1a3827c91fd814ff4317afcb3d8602a3aae2989fb1588f6f7cb52f944e4faadb9bf276bbdd7d94683705

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
MD5
1d0116582c0c0c97162b8e2df022a01a

SHA1
3ac232321ede6c0be10075562c2c2d7ccea7348a

SHA256
54aa96dc51a85bf16db4b42ce3f2133511dcc9bb912c72ee2ca9ba049ebe94ee

SHA512
b73c71b199d79f3175f3fe16d1c74a0e3638e5887ebc1a3827c91fd814ff4317afcb3d8602a3aae2989fb1588f6f7cb52f944e4faadb9bf276bbdd7d94683705

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-77UBH.tmp\setup.tmp
MD5
dd4ab9a411613c117256eaff11d8bb36

SHA1
c80752721462dbca7b6d10b96be020a73346887d

SHA256
a6ab1b5bc86f2ef64970ba745e42883ab6379f1590daf8a366334ee0eb112f8e

SHA512
f203ac48aac1552581770ff22e50503c21253a36f0d16c08583280c3f3a1a81b828360897611a487fdd6b6019b2a25220e979093012860ef7747512e7193d48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-77UBH.tmp\setup.tmp
MD5
dd4ab9a411613c117256eaff11d8bb36

SHA1
c80752721462dbca7b6d10b96be020a73346887d

SHA256
a6ab1b5bc86f2ef64970ba745e42883ab6379f1590daf8a366334ee0eb112f8e

SHA512
f203ac48aac1552581770ff22e50503c21253a36f0d16c08583280c3f3a1a81b828360897611a487fdd6b6019b2a25220e979093012860ef7747512e7193d48f

Download Submit
memory/380-129-0x0000000000000000-mapping.dmp

Download
memory/724-125-0x0000000000000000-mapping.dmp

Download
memory/724-128-0x0000000000850000-0x000000000099A000-memory.dmp

Filesize
1.3MB

Download
memory/792-115-0x0000000000000000-mapping.dmp

Download
memory/1356-117-0x0000000000000000-mapping.dmp

Download
memory/3204-118-0x0000000000000000-mapping.dmp

Download
memory/3948-119-0x0000000000000000-mapping.dmp

Download
memory/3948-124-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing