Overview
overview
10Static
static
10setup_inst...32.exe
windows7_x64
10setup_inst...32.exe
windows10_x64
10setup_inst...2b.exe
windows7_x64
8setup_inst...2b.exe
windows10_x64
8setup_inst...61.exe
windows7_x64
10setup_inst...61.exe
windows10_x64
10setup_inst...f8.exe
windows7_x64
10setup_inst...f8.exe
windows10_x64
10setup_inst...34.exe
windows7_x64
10setup_inst...34.exe
windows10_x64
10setup_inst...c2.exe
windows7_x64
3setup_inst...c2.exe
windows10_x64
10setup_inst...cb.exe
windows7_x64
10setup_inst...cb.exe
windows10_x64
10setup_inst...90.exe
windows7_x64
10setup_inst...90.exe
windows10_x64
10setup_inst...79.exe
windows7_x64
6setup_inst...79.exe
windows10_x64
6setup_inst...d8.exe
windows7_x64
7setup_inst...d8.exe
windows10_x64
3setup_inst...3b.exe
windows7_x64
8setup_inst...3b.exe
windows10_x64
8setup_inst...ac.exe
windows7_x64
10setup_inst...ac.exe
windows10_x64
10setup_inst...38.exe
windows7_x64
10setup_inst...38.exe
windows10_x64
10setup_inst...b5.exe
windows7_x64
10setup_inst...b5.exe
windows10_x64
10setup_inst...b2.exe
windows7_x64
7setup_inst...b2.exe
windows10_x64
7setup_inst...rl.dll
windows7_x64
3setup_inst...rl.dll
windows10_x64
3Analysis
  max time kernel:   53s
  max time network:  81s
  submitted:         01-01-1970 00:00
Behavioral tasks

  Task           Sample                                      Resource
  behavioral1    setup_installer/Wed0901eb1dae126e32.exe     win7-en-20211014
  behavioral2    setup_installer/Wed0901eb1dae126e32.exe     win10-en-20210920
  behavioral3    setup_installer/Wed094c47c32b.exe           win7-en-20211014
  behavioral4    setup_installer/Wed094c47c32b.exe           win10-en-20210920
  behavioral5    setup_installer/Wed096a1bff61.exe           win7-en-20211014
  behavioral6    setup_installer/Wed096a1bff61.exe           win10-en-20210920
  behavioral7    setup_installer/Wed0971f17486f8.exe         win7-en-20210920
  behavioral8    setup_installer/Wed0971f17486f8.exe         win10-en-20211014
  behavioral9    setup_installer/Wed09977fdc12334.exe        win7-en-20210920
  behavioral10   setup_installer/Wed09977fdc12334.exe        win10-en-20211014
  behavioral11   setup_installer/Wed09abf83d9c2.exe          win7-en-20210920
  behavioral12   setup_installer/Wed09abf83d9c2.exe          win10-en-20210920
  behavioral13   setup_installer/Wed09b2a8bc4f16cb.exe       win7-en-20211014
  behavioral14   setup_installer/Wed09b2a8bc4f16cb.exe       win10-en-20210920
  behavioral15   setup_installer/Wed09b3a5ca1a712d390.exe    win7-en-20211014
  behavioral16   setup_installer/Wed09b3a5ca1a712d390.exe    win10-en-20210920
  behavioral17   setup_installer/Wed09c42cad92c20f79.exe     win7-en-20211014
  behavioral18   setup_installer/Wed09c42cad92c20f79.exe     win10-en-20210920
  behavioral19   setup_installer/Wed09cfb2f9758281d8.exe     win7-en-20211014
  behavioral20   setup_installer/Wed09cfb2f9758281d8.exe     win10-en-20210920
  behavioral21   setup_installer/Wed09d27135e5a8b3b.exe      win7-en-20210920
  behavioral22   setup_installer/Wed09d27135e5a8b3b.exe      win10-en-20211014
  behavioral23   setup_installer/Wed09d8d6edfaff2ac.exe      win7-en-20210920
  behavioral24   setup_installer/Wed09d8d6edfaff2ac.exe      win10-en-20211014
  behavioral25   setup_installer/Wed09db0d52c38.exe          win7-en-20210920
  behavioral26   setup_installer/Wed09db0d52c38.exe          win10-en-20210920
  behavioral27   setup_installer/Wed09e95ff6b5.exe           win7-en-20211014
  behavioral28   setup_installer/Wed09e95ff6b5.exe           win10-en-20210920
  behavioral29   setup_installer/Wed09f257bb7877d00b2.exe    win7-en-20211014
  behavioral30   setup_installer/Wed09f257bb7877d00b2.exe    win10-en-20210920
  behavioral31   setup_installer/libcurl.dll                 win7-en-20211014
  behavioral32   setup_installer/libcurl.dll                 win10-en-20210920
General

  Target: setup_installer/Wed09d27135e5a8b3b.exe

Malware Config

Signatures

  Downloads MZ/PE file

  Executes dropped EXE (4 IoCs)
    pid    process
    1776   Wed09d27135e5a8b3b.tmp
    1308   Wed09d27135e5a8b3b.tmp
    272    postback.exe
    1216

  Loads dropped DLL (10 IoCs)
    pid    process
    1772   Wed09d27135e5a8b3b.exe
    1776   Wed09d27135e5a8b3b.tmp
    1776   Wed09d27135e5a8b3b.tmp
    1776   Wed09d27135e5a8b3b.tmp
    1748   Wed09d27135e5a8b3b.exe
    1308   Wed09d27135e5a8b3b.tmp
    1308   Wed09d27135e5a8b3b.tmp
    1308   Wed09d27135e5a8b3b.tmp
    1308   Wed09d27135e5a8b3b.tmp
    1308   Wed09d27135e5a8b3b.tmp

  Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.

  Drops file in Program Files directory (3 IoCs)
    description                    ioc                                                     process
    File created                   C:\Program Files (x86)\FarLabUninstaller\unins000.dat   Wed09d27135e5a8b3b.tmp
    File created                   C:\Program Files (x86)\FarLabUninstaller\is-6HP8E.tmp   Wed09d27135e5a8b3b.tmp
    File opened for modification   C:\Program Files (x86)\FarLabUninstaller\unins000.dat   Wed09d27135e5a8b3b.tmp

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid    process
    1308   Wed09d27135e5a8b3b.tmp
    1308   Wed09d27135e5a8b3b.tmp

  Suspicious use of FindShellTrayWindow (1 IoC)
    pid    process
    1308   Wed09d27135e5a8b3b.tmp

  Suspicious use of WriteProcessMemory (25 IoCs)
    description                          pid    process                  target process
    PID 1772 wrote to memory of 1776     1772   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1772 wrote to memory of 1776     1772   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1772 wrote to memory of 1776     1772   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1772 wrote to memory of 1776     1772   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1772 wrote to memory of 1776     1772   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1772 wrote to memory of 1776     1772   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1772 wrote to memory of 1776     1772   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1776 wrote to memory of 1748     1776   Wed09d27135e5a8b3b.tmp   Wed09d27135e5a8b3b.exe
    PID 1776 wrote to memory of 1748     1776   Wed09d27135e5a8b3b.tmp   Wed09d27135e5a8b3b.exe
    PID 1776 wrote to memory of 1748     1776   Wed09d27135e5a8b3b.tmp   Wed09d27135e5a8b3b.exe
    PID 1776 wrote to memory of 1748     1776   Wed09d27135e5a8b3b.tmp   Wed09d27135e5a8b3b.exe
    PID 1776 wrote to memory of 1748     1776   Wed09d27135e5a8b3b.tmp   Wed09d27135e5a8b3b.exe
    PID 1776 wrote to memory of 1748     1776   Wed09d27135e5a8b3b.tmp   Wed09d27135e5a8b3b.exe
    PID 1776 wrote to memory of 1748     1776   Wed09d27135e5a8b3b.tmp   Wed09d27135e5a8b3b.exe
    PID 1748 wrote to memory of 1308     1748   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1748 wrote to memory of 1308     1748   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1748 wrote to memory of 1308     1748   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1748 wrote to memory of 1308     1748   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1748 wrote to memory of 1308     1748   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1748 wrote to memory of 1308     1748   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1748 wrote to memory of 1308     1748   Wed09d27135e5a8b3b.exe   Wed09d27135e5a8b3b.tmp
    PID 1308 wrote to memory of 272      1308   Wed09d27135e5a8b3b.tmp   postback.exe
    PID 1308 wrote to memory of 272      1308   Wed09d27135e5a8b3b.tmp   postback.exe
    PID 1308 wrote to memory of 272      1308   Wed09d27135e5a8b3b.tmp   postback.exe
    PID 1308 wrote to memory of 272      1308   Wed09d27135e5a8b3b.tmp   postback.exe
Processes

  1. C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe"
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Local\Temp\is-TK0FJ.tmp\Wed09d27135e5a8b3b.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-TK0FJ.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$40102,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        3. C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe" /SILENT
             - Loads dropped DLL
             - Suspicious use of WriteProcessMemory

           4. C:\Users\Admin\AppData\Local\Temp\is-H064L.tmp\Wed09d27135e5a8b3b.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-H064L.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$50102,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe" /SILENT
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory

              5. C:\Users\Admin\AppData\Local\Temp\is-LUGTU.tmp\postback.exe
                 Command line: "C:\Users\Admin\AppData\Local\Temp\is-LUGTU.tmp\postback.exe" ss1
                   - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\is-H064L.tmp\Wed09d27135e5a8b3b.tmp
    MD5:    9303156631ee2436db23827e27337be4
    SHA1:   018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
    SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
    SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

  C:\Users\Admin\AppData\Local\Temp\is-LUGTU.tmp\postback.exe
    MD5:    b3bb91ad96f2d4c041861ce59ba6ac73
    SHA1:   e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3
    SHA256: 0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
    SHA512: e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

  C:\Users\Admin\AppData\Local\Temp\is-TK0FJ.tmp\Wed09d27135e5a8b3b.tmp
    MD5:    9303156631ee2436db23827e27337be4
    SHA1:   018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
    SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
    SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

  \Users\Admin\AppData\Local\Temp\is-H064L.tmp\Wed09d27135e5a8b3b.tmp
    MD5:    9303156631ee2436db23827e27337be4
    SHA1:   018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
    SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
    SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

  \Users\Admin\AppData\Local\Temp\is-LUGTU.tmp\_isetup\_shfoldr.dll
    MD5:    92dc6ef532fbb4a5c3201469a5b5eb63
    SHA1:   3e89ff837147c16b4e41c30d6c796374e0b8e62c
    SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
    SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  \Users\Admin\AppData\Local\Temp\is-LUGTU.tmp\idp.dll
    MD5:    b37377d34c8262a90ff95a9a92b65ed8
    SHA1:   faeef415bd0bc2a08cf9fe1e987007bf28e7218d
    SHA256: e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
    SHA512: 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

  \Users\Admin\AppData\Local\Temp\is-LUGTU.tmp\postback.exe
    MD5:    b3bb91ad96f2d4c041861ce59ba6ac73
    SHA1:   e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3
    SHA256: 0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
    SHA512: e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

  \Users\Admin\AppData\Local\Temp\is-R8G74.tmp\_isetup\_shfoldr.dll
    MD5:    92dc6ef532fbb4a5c3201469a5b5eb63
    SHA1:   3e89ff837147c16b4e41c30d6c796374e0b8e62c
    SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
    SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  \Users\Admin\AppData\Local\Temp\is-R8G74.tmp\idp.dll
    MD5:    b37377d34c8262a90ff95a9a92b65ed8
    SHA1:   faeef415bd0bc2a08cf9fe1e987007bf28e7218d
    SHA256: e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
    SHA512: 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

  \Users\Admin\AppData\Local\Temp\is-TK0FJ.tmp\Wed09d27135e5a8b3b.tmp
    MD5:    9303156631ee2436db23827e27337be4
    SHA1:   018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
    SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
    SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

  Memory dumps
    memory/272-81-0x000007FEFB931000-0x000007FEFB933000-memory.dmp     Filesize: 8KB
    memory/272-79-0x0000000000000000-mapping.dmp
    memory/1308-68-0x0000000000000000-mapping.dmp
    memory/1308-75-0x00000000003D0000-0x00000000003D1000-memory.dmp    Filesize: 4KB
    memory/1748-74-0x0000000000400000-0x0000000000414000-memory.dmp    Filesize: 80KB
    memory/1748-64-0x0000000000000000-mapping.dmp
    memory/1772-53-0x0000000075331000-0x0000000075333000-memory.dmp    Filesize: 8KB
    memory/1772-61-0x0000000000400000-0x0000000000414000-memory.dmp    Filesize: 80KB
    memory/1776-56-0x0000000000000000-mapping.dmp
    memory/1776-62-0x0000000000240000-0x0000000000241000-memory.dmp    Filesize: 4KB