0550f2340aef367ce3021cc9656f4665100189ad8ae2d88ae27947bb5cfc7256

General

Target

8A455638B0E2E9B8D663E96A7D2316EC0E896240AA5F84C318E191DE123D09F4.exe
Size

45.2MB
MD5

b750e349310b228391cedfe3a8175917
SHA1

dfc261882f6b6eed606ba9a3d56a9b96816fc794
SHA256

8a455638b0e2e9b8d663e96a7d2316ec0e896240aa5f84c318e191de123d09f4
SHA512

11051ea63031688cf9cbe9a66354fe8b4285c94847b2eaedfecf68d0352dbdced87967748ba8baf65f3f3fd31fd05c4693748038cd0bb3b16681f7c92d44496f

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

setup.exesetup.tmp

pid process

4624 setup.exe
3196 setup.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4624	setup.exe
3196	setup.tmp

Drops file in Program Files directory 64 IoCs

Processes:

setup.tmpxcopy.exexcopy.exe

description	ioc	process
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-KHPDH.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-FF7FF.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-G7MGV.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-119J2.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\storelib.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-PO7KK.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-579AO.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-H30TP.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-U47GJ.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-DATVE.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-7IAFI.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-6MSI5.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-A8IS5.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-ERSS7.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\storelibir.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-0TBQ9.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-UN779.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_mondiag.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-LVLON.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-I6TA8.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_diskbench.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-SD220.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-HTJ1P.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-5EUT9.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_bench32.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-UR624.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-14GRG.tmp	setup.tmp
File created	C:\Program Files\FinalWire\AIDA64 Business\pkey.txt	xcopy.exe
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\afaapi.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-UOL9A.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-FT096.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-KHQKK.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-38OE8.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-ALO22.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_arc.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-8HH8J.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_icons10.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-V1P41.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-8BAOF.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-LD7BH.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-79QS5.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-36C31.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-F74N2.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-GDS85.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-V3GHP.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-FS1U2.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-M7SQP.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-M7LJQ.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-TG5OP.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-H8K7C.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-B0VA5.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\pkey.txt	xcopy.exe
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\ssleay32.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-PKFHP.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida64.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\aida_icons2k.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\SQL_Schema\is-QG11G.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-TLRAB.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-T00EB.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\Language\is-6UEOS.tmp	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-R7FV0.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FinalWire\AIDA64 Business\storelibir-2.dll	setup.tmp
File created	C:\Program Files (x86)\FinalWire\AIDA64 Business\is-6SSGD.tmp	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4644 timeout.exe

pid	process
4644	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

setup.tmp

pid process

3196 setup.tmp
3196 setup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup.tmp

pid process

3196 setup.tmp

pid	process
3196	setup.tmp
3196	setup.tmp

pid	process
3196	setup.tmp

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

8A455638B0E2E9B8D663E96A7D2316EC0E896240AA5F84C318E191DE123D09F4.execmd.exesetup.exe

description	pid	process	target process
PID 2324 wrote to memory of 4464	2324	8A455638B0E2E9B8D663E96A7D2316EC0E896240AA5F84C318E191DE123D09F4.exe	cmd.exe
PID 2324 wrote to memory of 4464	2324	8A455638B0E2E9B8D663E96A7D2316EC0E896240AA5F84C318E191DE123D09F4.exe	cmd.exe
PID 2324 wrote to memory of 4464	2324	8A455638B0E2E9B8D663E96A7D2316EC0E896240AA5F84C318E191DE123D09F4.exe	cmd.exe
PID 4464 wrote to memory of 4568	4464	cmd.exe	mode.com
PID 4464 wrote to memory of 4568	4464	cmd.exe	mode.com
PID 4464 wrote to memory of 4568	4464	cmd.exe	mode.com
PID 4464 wrote to memory of 4644	4464	cmd.exe	timeout.exe
PID 4464 wrote to memory of 4644	4464	cmd.exe	timeout.exe
PID 4464 wrote to memory of 4644	4464	cmd.exe	timeout.exe
PID 4464 wrote to memory of 4624	4464	cmd.exe	setup.exe
PID 4464 wrote to memory of 4624	4464	cmd.exe	setup.exe
PID 4464 wrote to memory of 4624	4464	cmd.exe	setup.exe
PID 4624 wrote to memory of 3196	4624	setup.exe	setup.tmp
PID 4624 wrote to memory of 3196	4624	setup.exe	setup.tmp
PID 4624 wrote to memory of 3196	4624	setup.exe	setup.tmp
PID 4464 wrote to memory of 512	4464	cmd.exe	xcopy.exe
PID 4464 wrote to memory of 512	4464	cmd.exe	xcopy.exe
PID 4464 wrote to memory of 512	4464	cmd.exe	xcopy.exe
PID 4464 wrote to memory of 420	4464	cmd.exe	xcopy.exe
PID 4464 wrote to memory of 420	4464	cmd.exe	xcopy.exe
PID 4464 wrote to memory of 420	4464	cmd.exe	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\8A455638B0E2E9B8D663E96A7D2316EC0E896240AA5F84C318E191DE123D09F4.exe
"C:\Users\Admin\AppData\Local\Temp\8A455638B0E2E9B8D663E96A7D2316EC0E896240AA5F84C318E191DE123D09F4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd" /S"
2⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\mode.com
mode 132,36
3⤵
PID:4568

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4644

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\is-TT29C.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TT29C.tmp\setup.tmp" /SL5="$60032,83901318,831488,C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3196

C:\Windows\SysWOW64\xcopy.exe
"xcopy.exe" "Vinny27\pkey.txt" "C:\Program Files (x86)\FinalWire\AIDA64 Business\" /s /i /r /v /k /f /c /h /y
3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
PID:512

C:\Windows\SysWOW64\xcopy.exe
"xcopy.exe" "Vinny27\pkey.txt" "C:\Program Files\FinalWire\AIDA64 Business\" /s /i /r /v /k /f /c /h /y
3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
PID:420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27.cmd
MD5
26d0659808c34b8fc8e54e5d39db57e5

SHA1
4fa0cf9629f56577a54de3994bb79b6545d8f2a0

SHA256
8154d98a842ad28ada5731d6d147645adcfec434fc4754aa0a5a9f3d4a131b01

SHA512
bbfc60270e47f1cb77fa4b2e088caf773026678186bbe2ddf6898f71335d65eda6da522b6be94ff5acbca59914390baa74d25963b705eae86aaabc654cd26776

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vinny27\pkey.txt
MD5
738b75560f21128d58608ed6a7820e3c

SHA1
8159b21ca357f3e9d84a1efee8e57ea0472ea229

SHA256
ee5bc53d6214ee6e86a84e8eb79c9265665bc0eaa486ddbbf3868ccee91fbb49

SHA512
aaf01745545a807297ac32290510961d368ad650acda69805560d6fcdbd4fe9a87e0ede71dd48eba644c5dddc1ec0e1718dc87000f280bf662ab69c904e50930

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
MD5
1d0116582c0c0c97162b8e2df022a01a

SHA1
3ac232321ede6c0be10075562c2c2d7ccea7348a

SHA256
54aa96dc51a85bf16db4b42ce3f2133511dcc9bb912c72ee2ca9ba049ebe94ee

SHA512
b73c71b199d79f3175f3fe16d1c74a0e3638e5887ebc1a3827c91fd814ff4317afcb3d8602a3aae2989fb1588f6f7cb52f944e4faadb9bf276bbdd7d94683705

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
MD5
1d0116582c0c0c97162b8e2df022a01a

SHA1
3ac232321ede6c0be10075562c2c2d7ccea7348a

SHA256
54aa96dc51a85bf16db4b42ce3f2133511dcc9bb912c72ee2ca9ba049ebe94ee

SHA512
b73c71b199d79f3175f3fe16d1c74a0e3638e5887ebc1a3827c91fd814ff4317afcb3d8602a3aae2989fb1588f6f7cb52f944e4faadb9bf276bbdd7d94683705

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TT29C.tmp\setup.tmp
MD5
dd4ab9a411613c117256eaff11d8bb36

SHA1
c80752721462dbca7b6d10b96be020a73346887d

SHA256
a6ab1b5bc86f2ef64970ba745e42883ab6379f1590daf8a366334ee0eb112f8e

SHA512
f203ac48aac1552581770ff22e50503c21253a36f0d16c08583280c3f3a1a81b828360897611a487fdd6b6019b2a25220e979093012860ef7747512e7193d48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TT29C.tmp\setup.tmp
MD5
dd4ab9a411613c117256eaff11d8bb36

SHA1
c80752721462dbca7b6d10b96be020a73346887d

SHA256
a6ab1b5bc86f2ef64970ba745e42883ab6379f1590daf8a366334ee0eb112f8e

SHA512
f203ac48aac1552581770ff22e50503c21253a36f0d16c08583280c3f3a1a81b828360897611a487fdd6b6019b2a25220e979093012860ef7747512e7193d48f

Download Submit
memory/420-131-0x0000000000000000-mapping.dmp

Download
memory/512-129-0x0000000000000000-mapping.dmp

Download
memory/3196-125-0x0000000000000000-mapping.dmp

Download
memory/3196-128-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4464-115-0x0000000000000000-mapping.dmp

Download
memory/4568-117-0x0000000000000000-mapping.dmp

Download
memory/4624-119-0x0000000000000000-mapping.dmp

Download
memory/4624-124-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4644-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads