6851b72e0bfaf608294bcac6ffef07e5e6591aee8b94ce9afad46b6e6cc32a59

Resubmissions

27-10-2021 14:44

211027-r4madafbg6 10

27-10-2021 14:28

211027-rs7f6sfah4 10

Analysis

max time kernel
118s
max time network
154s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer/Wed09d27135e5a8b3b.exe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Wed09d27135e5a8b3b.tmpWed09d27135e5a8b3b.tmppostback.exe

pid process

2276 Wed09d27135e5a8b3b.tmp
1632 Wed09d27135e5a8b3b.tmp
4652 postback.exe
Loads dropped DLL 2 IoCs

Processes:

Wed09d27135e5a8b3b.tmpWed09d27135e5a8b3b.tmp

pid process

2276 Wed09d27135e5a8b3b.tmp
1632 Wed09d27135e5a8b3b.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2276	Wed09d27135e5a8b3b.tmp
1632	Wed09d27135e5a8b3b.tmp
4652	postback.exe

pid	process
2276	Wed09d27135e5a8b3b.tmp
1632	Wed09d27135e5a8b3b.tmp

Drops file in Program Files directory 3 IoCs

Processes:

Wed09d27135e5a8b3b.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Wed09d27135e5a8b3b.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-K0DD2.tmp	Wed09d27135e5a8b3b.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Wed09d27135e5a8b3b.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Wed09d27135e5a8b3b.tmp

pid process

1632 Wed09d27135e5a8b3b.tmp
1632 Wed09d27135e5a8b3b.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Wed09d27135e5a8b3b.tmp

pid process

1632 Wed09d27135e5a8b3b.tmp

pid	process
1632	Wed09d27135e5a8b3b.tmp
1632	Wed09d27135e5a8b3b.tmp

pid	process
1632	Wed09d27135e5a8b3b.tmp

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Wed09d27135e5a8b3b.exeWed09d27135e5a8b3b.tmpWed09d27135e5a8b3b.exeWed09d27135e5a8b3b.tmp

description	pid	process	target process
PID 1840 wrote to memory of 2276	1840	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1840 wrote to memory of 2276	1840	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1840 wrote to memory of 2276	1840	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 2276 wrote to memory of 4436	2276	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2276 wrote to memory of 4436	2276	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2276 wrote to memory of 4436	2276	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 4436 wrote to memory of 1632	4436	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 4436 wrote to memory of 1632	4436	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 4436 wrote to memory of 1632	4436	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1632 wrote to memory of 4652	1632	Wed09d27135e5a8b3b.tmp	postback.exe
PID 1632 wrote to memory of 4652	1632	Wed09d27135e5a8b3b.tmp	postback.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\is-MS28I.tmp\Wed09d27135e5a8b3b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MS28I.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$3013A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe" /SILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\is-4HBTB.tmp\Wed09d27135e5a8b3b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4HBTB.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$7005C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe" /SILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\is-S7CJA.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-S7CJA.tmp\postback.exe" ss1
5⤵
- Executes dropped EXE
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4HBTB.tmp\Wed09d27135e5a8b3b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4HBTB.tmp\Wed09d27135e5a8b3b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MS28I.tmp\Wed09d27135e5a8b3b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MS28I.tmp\Wed09d27135e5a8b3b.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S7CJA.tmp\postback.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S7CJA.tmp\postback.exe
MD5
b3bb91ad96f2d4c041861ce59ba6ac73

SHA1
e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3

SHA256
0581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426

SHA512
e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd

Download Submit
\Users\Admin\AppData\Local\Temp\is-DGMF2.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-S7CJA.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
memory/1632-127-0x0000000000000000-mapping.dmp

Download
memory/1632-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1840-119-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2276-123-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2276-120-0x0000000000000000-mapping.dmp

Download
memory/4436-125-0x0000000000000000-mapping.dmp

Download
memory/4436-130-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4652-133-0x0000000000000000-mapping.dmp

Download