506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b

Analysis

max time kernel
1800s
max time network
1564s
platform
windows7_x64
resource
win7-ja-20211014
submitted
22-10-2021 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fri05eeb2dae7b88520a.exe
Size

379KB
MD5

9b07fc470646ce890bcb860a5fb55f13
SHA1

ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256

506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512

4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Fri05eeb2dae7b88520a.tmpFri05eeb2dae7b88520a.tmppostback.exe

pid process

788 Fri05eeb2dae7b88520a.tmp
1788 Fri05eeb2dae7b88520a.tmp
844 postback.exe
1420

pid	process
788	Fri05eeb2dae7b88520a.tmp
1788	Fri05eeb2dae7b88520a.tmp
844	postback.exe
1420

Loads dropped DLL 11 IoCs

Processes:

Fri05eeb2dae7b88520a.exeFri05eeb2dae7b88520a.tmpFri05eeb2dae7b88520a.exeFri05eeb2dae7b88520a.tmp

pid	process
1376	Fri05eeb2dae7b88520a.exe
788	Fri05eeb2dae7b88520a.tmp
788	Fri05eeb2dae7b88520a.tmp
788	Fri05eeb2dae7b88520a.tmp
952	Fri05eeb2dae7b88520a.exe
1788	Fri05eeb2dae7b88520a.tmp
1788	Fri05eeb2dae7b88520a.tmp
1788	Fri05eeb2dae7b88520a.tmp
1788	Fri05eeb2dae7b88520a.tmp
1788	Fri05eeb2dae7b88520a.tmp
1420

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

Fri05eeb2dae7b88520a.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\is-KMUVT.tmp	Fri05eeb2dae7b88520a.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Fri05eeb2dae7b88520a.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Fri05eeb2dae7b88520a.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Fri05eeb2dae7b88520a.tmp

pid process

1788 Fri05eeb2dae7b88520a.tmp
1788 Fri05eeb2dae7b88520a.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Fri05eeb2dae7b88520a.tmp

pid process

1788 Fri05eeb2dae7b88520a.tmp

pid	process
1788	Fri05eeb2dae7b88520a.tmp
1788	Fri05eeb2dae7b88520a.tmp

pid	process
1788	Fri05eeb2dae7b88520a.tmp

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Fri05eeb2dae7b88520a.exeFri05eeb2dae7b88520a.tmpFri05eeb2dae7b88520a.exeFri05eeb2dae7b88520a.tmptaskeng.exetaskeng.exe

description	pid	process	target process
PID 1376 wrote to memory of 788	1376	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 1376 wrote to memory of 788	1376	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 1376 wrote to memory of 788	1376	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 1376 wrote to memory of 788	1376	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 1376 wrote to memory of 788	1376	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 1376 wrote to memory of 788	1376	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 1376 wrote to memory of 788	1376	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 788 wrote to memory of 952	788	Fri05eeb2dae7b88520a.tmp	Fri05eeb2dae7b88520a.exe
PID 788 wrote to memory of 952	788	Fri05eeb2dae7b88520a.tmp	Fri05eeb2dae7b88520a.exe
PID 788 wrote to memory of 952	788	Fri05eeb2dae7b88520a.tmp	Fri05eeb2dae7b88520a.exe
PID 788 wrote to memory of 952	788	Fri05eeb2dae7b88520a.tmp	Fri05eeb2dae7b88520a.exe
PID 788 wrote to memory of 952	788	Fri05eeb2dae7b88520a.tmp	Fri05eeb2dae7b88520a.exe
PID 788 wrote to memory of 952	788	Fri05eeb2dae7b88520a.tmp	Fri05eeb2dae7b88520a.exe
PID 788 wrote to memory of 952	788	Fri05eeb2dae7b88520a.tmp	Fri05eeb2dae7b88520a.exe
PID 952 wrote to memory of 1788	952	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 952 wrote to memory of 1788	952	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 952 wrote to memory of 1788	952	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 952 wrote to memory of 1788	952	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 952 wrote to memory of 1788	952	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 952 wrote to memory of 1788	952	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 952 wrote to memory of 1788	952	Fri05eeb2dae7b88520a.exe	Fri05eeb2dae7b88520a.tmp
PID 1788 wrote to memory of 844	1788	Fri05eeb2dae7b88520a.tmp	postback.exe
PID 1788 wrote to memory of 844	1788	Fri05eeb2dae7b88520a.tmp	postback.exe
PID 1788 wrote to memory of 844	1788	Fri05eeb2dae7b88520a.tmp	postback.exe
PID 1788 wrote to memory of 844	1788	Fri05eeb2dae7b88520a.tmp	postback.exe
PID 1344 wrote to memory of 1908	1344	taskeng.exe	default-browser-agent.exe
PID 1344 wrote to memory of 1908	1344	taskeng.exe	default-browser-agent.exe
PID 1344 wrote to memory of 1908	1344	taskeng.exe	default-browser-agent.exe
PID 1592 wrote to memory of 672	1592	taskeng.exe	default-browser-agent.exe
PID 1592 wrote to memory of 672	1592	taskeng.exe	default-browser-agent.exe
PID 1592 wrote to memory of 672	1592	taskeng.exe	default-browser-agent.exe

C:\Users\Admin\AppData\Local\Temp\Fri05eeb2dae7b88520a.exe
"C:\Users\Admin\AppData\Local\Temp\Fri05eeb2dae7b88520a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\is-1T92D.tmp\Fri05eeb2dae7b88520a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1T92D.tmp\Fri05eeb2dae7b88520a.tmp" /SL5="$30158,140785,56832,C:\Users\Admin\AppData\Local\Temp\Fri05eeb2dae7b88520a.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\Fri05eeb2dae7b88520a.exe
"C:\Users\Admin\AppData\Local\Temp\Fri05eeb2dae7b88520a.exe" /SILENT
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\is-O1B06.tmp\Fri05eeb2dae7b88520a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O1B06.tmp\Fri05eeb2dae7b88520a.tmp" /SL5="$40158,140785,56832,C:\Users\Admin\AppData\Local\Temp\Fri05eeb2dae7b88520a.exe" /SILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\postback.exe" ss1
5⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\taskeng.exe
taskeng.exe {C2FC7496-459E-4E2E-944D-739118542442} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:1908

C:\Windows\system32\taskeng.exe
taskeng.exe {1DAB8458-7652-4E02-916D-F990BD0A2B04} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1428

C:\Windows\system32\taskeng.exe
taskeng.exe {A2A9A5B6-F00C-4568-B5BB-1DEC953A7727} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1T92D.tmp\Fri05eeb2dae7b88520a.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\postback.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O1B06.tmp\Fri05eeb2dae7b88520a.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O1B06.tmp\Fri05eeb2dae7b88520a.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-1T92D.tmp\Fri05eeb2dae7b88520a.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-5EA3D.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-5EA3D.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-5EA3D.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\postback.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\postback.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\postback.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
\Users\Admin\AppData\Local\Temp\is-IUB6U.tmp\postback.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
\Users\Admin\AppData\Local\Temp\is-O1B06.tmp\Fri05eeb2dae7b88520a.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
memory/672-87-0x0000000000000000-mapping.dmp

Download
memory/788-65-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/788-58-0x0000000000000000-mapping.dmp

Download
memory/844-83-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/844-81-0x0000000000000000-mapping.dmp

Download
memory/952-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/952-66-0x0000000000000000-mapping.dmp

Download
memory/1376-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1376-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1788-70-0x0000000000000000-mapping.dmp

Download
memory/1788-77-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1908-86-0x0000000000000000-mapping.dmp

Download