aabe7544db1fafb380e21cc2d80c09b06c8d6b153d9badedeb5622add0d1cd97

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-en-20210920
submitted
25-10-2021 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bat-To-Exe-Converter-Downloader-master/Windows/downloader-x64.exe
Size

144KB
MD5

3fb68cba82af1b38920517e571f63615
SHA1

2abc67be4363069e8aeab8f48be983c13254585e
SHA256

a70d406ec7e67dbd65f97c6b109583071e09b81f1ef9ef97e2a1c21a00801207
SHA512

b0d884439ff916297ccbbeb7ddf892fbbe242e853193bd7f857988d8e5ae6dc0156ffe6a8771ac0b90e40c9403191ca5f8179802a4104dfc2635ebd58ebef4cb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 31 IoCs

Processes:

downloader-x64.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000003453756b10204c6f63616c00380008000400efbe3453e0683453756b2a000000ff0100000000020000000000000000000000000000004c006f00630061006c00000014000000	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 52003100000000005953ed41102057696e646f7773003c0008000400efbe5953ed415953ed412a0000004a220100000006000000000000000000000000000000570069006e0064006f0077007300000016000000	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000003453e068122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe3453e0683453e0682a000000ec0100000000020000000000000000000000000000004100700070004400610074006100000042000000	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 92003100000000005953ed4110204241542d544f7e3100007a0008000400efbe5953ed415953ed412a000000162201000000060000000000000000000000000000004200610074002d0054006f002d004500780065002d0043006f006e007600650072007400650072002d0044006f0077006e006c006f0061006400650072002d006d0061007300740065007200000018000000	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a003100000000005953ed41102054656d700000360008000400efbe3453e0685953ed412a00000000020000000002000000000000000000000000000000540065006d007000000014000000	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	downloader-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	downloader-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	downloader-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	downloader-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	downloader-x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

downloader-x64.exe

pid process

1328 downloader-x64.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

downloader-x64.exe

pid process

1328 downloader-x64.exe

pid	process
1328	downloader-x64.exe

pid	process
1328	downloader-x64.exe

C:\Users\Admin\AppData\Local\Temp\Bat-To-Exe-Converter-Downloader-master\Windows\downloader-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Bat-To-Exe-Converter-Downloader-master\Windows\downloader-x64.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-54-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Filesize
8KB

Download
memory/1328-55-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download