Analysis
-
max time kernel
129s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
19-10-2022 16:03
General
-
Target
589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe
-
Size
74KB
-
MD5
90f1387a390e2cc443a1df898f863f90
-
SHA1
e225943018d86801be6a62483b7c55d33ef0428d
-
SHA256
589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9
-
SHA512
f898a756da01379718c635cf3333344bdf3beeb7bb370eea6f7583bf08dfdaaf33f59a9e9f7e1b6f7bce8e7017124774c84a12a19ab1edd7be945a741d38be46
-
SSDEEP
1536:cpeGYbmuaka3H0/sVJsyBgiXYuieehkp2KdNlpQquU+u:1bmSaasrjBT0Kcbu
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 14 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe"C:\Users\Admin\AppData\Local\Temp\589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\FreeRapid\loader.tmp"C:\Program Files\FreeRapid\loader.tmp"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c afc9fe2f418b00a0.bat3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\apeflacmp3.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:25⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f5⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf5⤵
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Progra~1\FreeRapid\1.bin,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlF192.tmpC:\Users\Admin\AppData\Local\Temp\inlF192.tmp2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\589BC9~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b7c5e3b416b1d1b5541ef44662e1a764
SHA18bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA51265dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD5d6ad3ea7acbeea6fad7d1991f40e2f97
SHA11a165c03f5c95792c9a95fcf5b19c3a439fd36ea
SHA256e21abd16063ea41e1983a5be729daa6b733ca4ad0110654c1aaba1e93568febc
SHA512e94850301a0efcdbd2d1a73f26c86c65c5854ef32a336d8be01edf5e97a3d7dc98ed35e11677c25e90cd7d21a1c49cfe8db9cebd526070c8b970eb450f91d7e0
-
Filesize
230B
MD5f6dcb2862f6e7f9e69fb7d18668c59f1
SHA1bb23dbba95d8af94ecc36a7d2dd4888af2856737
SHA256c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c
SHA512eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75
-
Filesize
12.3MB
MD576dbf105676ba1689ddc7a9b623d49b5
SHA10a95a39a52356be35e08737c3a30777bbda747d8
SHA256f71f85efbf2eef23126b7c8c32f812f1f4da18071ee6b3f32eae622abe675d30
SHA5121552ba849aea00acc607c39dc5b61469b66cae9e4f07dd2b7cff95c46e8847076013b6ee47f8ee920f30fed993595f84ee9efdccb1a7e61665ab8ec7299a828a
-
Filesize
105.6MB
MD5d4123af23959d79b66185a2af36190c7
SHA18090829531e34c842212ab3165666fd4c500319b
SHA256e8d621eb70e14c5e53c7ca81023feaedfae2918a80ce80d4685880c4e953a194
SHA5125f7299a28251cd19c20c09f1fed781432ec1ee993d2f28c2850920e836f7813200052e768a886f7578f1be6c35bae0e20231755999cd551cbce02942482e68ac
-
Filesize
32.0MB
MD5aa8cbdd2c615e1c73439af74ba8e5219
SHA1a7810ae9f1d8dd1210bff972cd3a6803d1f5bef7
SHA256ac146e8876e2cdb89d2d110f263dc126b961a6254af0fe00cfa084a1c133d382
SHA51288a3d7fe087defcae6640b37879ab6a10459cfa763314e4fd7b539e5fd5a069d92df5e46dd74761911fa07182e425236934405b8830745cee486eb2f6dbe83e0
-
Filesize
2KB
MD5be9c2a6c4473d5ff3130700864019244
SHA1bd964f122e7715e3fce78dcbbc2118cc85f42053
SHA2568f07137e93b92f7942caa3cca96b3c66d390aa8aaf9bc112d3b132948c61c5bd
SHA512b4810796fad38757315c6d21b03f7cc13777fc928d32f0222208f460f7a515d626837d460dbcd2c0959f1ba383f60a395724325cd7a8d0b8c53538a0a4b16cbc
-
Filesize
36B
MD50b53221b1332efb76ebd2ab7120ff78f
SHA1e3dda4d21e35819eaf50e50c2aab2950ff1505b5
SHA25605bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388
SHA512877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd
-
Filesize
8.2MB
MD58b6db636c6225bdac7a61fadc700b563
SHA10f826eb343587eb0474dd53d3282fa493fd9f89a
SHA256e99f6122a4d4b8013d4462c44f656426c66479c0330cbe78a22e24d937ca234d
SHA51209cdb7ae4e3e68ff72e6a0a6024b3228fcdfd4ee7c6379f9efcc90a14aa0eefd686a207a1303ac937712aae4107ca946aa1faaa8926b46d967d9eddd27cdafad
-
Filesize
631B
MD50b92bb1f3b9141d221dfedfcc5a59527
SHA18d0a11d39776442b53436490284dc460137d3e7a
SHA2565ad1f9cc4cff9a7d07bf72edc9ce2ccb0e75a6bb8038ab92a27a54914d560a99
SHA512e3472c917c7ac2657f4ceb3bf8d1cdabca72bc0090ce2d33b3c334d86ad4cb8b68e109d936f6d99b38dd8d44bcd2e2e152d3292c10c77461e79bb13b2db04205
-
Filesize
33.9MB
MD55dd5e6a98285683402115f8045f9cf70
SHA12aaac8a7dd71b5aa3c0104d6ad33ab9359e5a3d1
SHA256dc6fbb2a56e847a8b5133c9cb01e0b21fb01b32e5dfe4f6ce9e5d3c55aaed8ad
SHA512d402f772e9bc1e6877ac42f85c9cff85d4f70bbf9beca8528161ff24921343503f9dd1e794cca1e9bf6c9d428cabac9a62fd1f16915cbfb68764918070b6da90
-
Filesize
108.2MB
MD5169239b020443474ca749f441b647cae
SHA1fb29ca80bb5941d0087cfe8c43452ba15f299979
SHA256801fd0a39dd3d6ca68a9141b62e7387ad383b9f2a8ba8f45ceeaa21f85739bc9
SHA51282630b4abdaa9ecb3b7c9390cde830cfdbc4a10a235b7fa15a8006bd99322f8b796686619a539cf30b636bd702956d5255f47203a6429f9cf7c903160574320c
-
Filesize
104.1MB
MD503f14fc98dcb8d98e18dec610394e81d
SHA132632e79cbd0f4162e4469cc923f016e8f0267dd
SHA2566866df9c1709604de7f32b5d35ed52dc82ad6574217bd44f8b12ae31ef8abf1b
SHA5121b1f6befe3ea918170538f4a58e6b0c86a3b874554ff5e2848825d2aa2dc5c755f946ed689270ae42b566dcaaffbd4c9394b56de298b9dce368203cbcdf2713f
-
Filesize
8.1MB
MD54c4e76ac1e95d88b52e1a66788ade2c3
SHA1dcbc84a4ff9e4b4fa88d6dc5407151d3ea7e152e
SHA256243c5fe581ee76ee76cd9b343c566144805e34bbeca8a45c2a6acac86acfe209
SHA5126550af4fbc79d66e5ed35fce20db553181df0b0ed43b560c633e7f7beb5bf0d2d76cd9a06aa1e7232d7deca748fd2a279f25c5db674c6a44396353398f8d5411
-
Filesize
8.2MB
MD5d635cb1d32341ac8dfcdebcaefedd6d9
SHA15b5f6cd0c89932f25e43b2720eeda0f7d3b1eb0a
SHA2567e565012a5b7b2bc46ecd16d4f9289ad9fc3c68923eebc965f085186d6e79810
SHA5120f2efb69a6079cda573bc3bdfb5c69b2179d52cec1e6ea3699f56de96433924db10b980cfcec234fa233e8005e33ccac29768a22bd26e8727d9d0e53e84ecaf8
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
40KB
-
Filesize
36KB