Overview
overview
10Static
static
5Setup.exe
windows7-x64
10Setup.exe
windows10-2004-x64
10cracked dl...ib.dll
windows7-x64
1cracked dl...ib.dll
windows10-2004-x64
3dll data/BRD.dll
windows7-x64
5dll data/BRD.dll
windows10-2004-x64
5dll data/D...es.dll
windows7-x64
5dll data/D...es.dll
windows10-2004-x64
5resources/PIM.dll
windows7-x64
3resources/PIM.dll
windows10-2004-x64
3resources/...ry.dll
windows7-x64
3resources/...ry.dll
windows10-2004-x64
3Analysis
-
max time kernel
15s -
max time network
13s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2022 07:52
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
cracked dll/amtlib.dll
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
cracked dll/amtlib.dll
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
dll data/BRD.dll
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
dll data/BRD.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
dll data/DTCommonRes.dll
Resource
win7-20220901-en
Behavioral task
behavioral8
Sample
dll data/DTCommonRes.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
resources/PIM.dll
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
resources/PIM.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
resources/updaterinventory.dll
Resource
win7-20220901-en
Behavioral task
behavioral12
Sample
resources/updaterinventory.dll
Resource
win10v2004-20220812-en
General
-
Target
Setup.exe
-
Size
21.0MB
-
MD5
8d2c812110771a601b50c35fc8566deb
-
SHA1
93d2c215490b9abc362e17a4bab459675828b9e4
-
SHA256
29dac6dc31f1359a11ebc13f86797b40f8d0c98f5f5a044541479926b37391f2
-
SHA512
2549842a0ed61d71e91e9e46e0ef7b2b629a059dd72c969a2a5236dd164c457bfb012efc410a41d5c88c1424d7205096fbba55f67826ae8884462b25f20177c0
-
SSDEEP
12288:LaWzgMg7v3qnCiMErQohh0F4CCJ8lny/QySARMgp77:+aHMv6Corjqny/QyxKe7
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
winx86.exepid process 4864 winx86.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
winx86.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce winx86.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation OBZWEOSeYTXNCIIi = "C:\\Users\\Admin\\AppData\\Roaming\\OBZWEOSeYTXNCIIi.exe" winx86.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\winx86.exe autoit_exe C:\Users\Admin\AppData\Roaming\winx86.exe autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
winx86.exedescription pid process target process PID 4864 set thread context of 1320 4864 winx86.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 4 IoCs
Processes:
Setup.exewinx86.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\winx86.exe:Zone.Identifier:$DATA Setup.exe File created C:\Users\Admin\AppData\Roaming\OBZWEOSeYTXNCIIi.exe\:Zone.Identifier:$DATA winx86.exe File opened for modification C:\Users\Admin\AppData\Roaming\winx86.exe:Zone.Identifier:$DATA winx86.exe File opened for modification C:\Users\Admin\AppData\Roaming\OBZWEOSeYTXNCIIi.exe:Zone.Identifier:$DATA winx86.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
winx86.exepid process 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe 4864 winx86.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Setup.exewinx86.exedescription pid process target process PID 780 wrote to memory of 4864 780 Setup.exe winx86.exe PID 780 wrote to memory of 4864 780 Setup.exe winx86.exe PID 780 wrote to memory of 4864 780 Setup.exe winx86.exe PID 4864 wrote to memory of 1320 4864 winx86.exe RegAsm.exe PID 4864 wrote to memory of 1320 4864 winx86.exe RegAsm.exe PID 4864 wrote to memory of 1320 4864 winx86.exe RegAsm.exe PID 4864 wrote to memory of 1320 4864 winx86.exe RegAsm.exe PID 4864 wrote to memory of 1320 4864 winx86.exe RegAsm.exe PID 4864 wrote to memory of 1320 4864 winx86.exe RegAsm.exe PID 4864 wrote to memory of 1320 4864 winx86.exe RegAsm.exe PID 4864 wrote to memory of 1320 4864 winx86.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\winx86.exeC:\Users\Admin\AppData\Roaming\winx86.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\OBZWEOSeYTXNFilesize
217KB
MD5ed8c4ab837c35cda702208adcfae397f
SHA1f1c6368f8272d42d8a64685d5075e68ae6d672d9
SHA25650f12c6d39af77b5567226341c5266430981ee4c2fa173abca1ec45573350448
SHA512e8ce61cf03221ac6d34d7c116419a8a095c17396ad9e021d395ee07cd7489b649a666fccc526e8aaeca4c59cb4e7ffedd7e9cf59f6f7ede039bf1b42a3adf219
-
C:\Users\Admin\AppData\Roaming\winx86.exeFilesize
21.0MB
MD58d2c812110771a601b50c35fc8566deb
SHA193d2c215490b9abc362e17a4bab459675828b9e4
SHA25629dac6dc31f1359a11ebc13f86797b40f8d0c98f5f5a044541479926b37391f2
SHA5122549842a0ed61d71e91e9e46e0ef7b2b629a059dd72c969a2a5236dd164c457bfb012efc410a41d5c88c1424d7205096fbba55f67826ae8884462b25f20177c0
-
C:\Users\Admin\AppData\Roaming\winx86.exeFilesize
21.0MB
MD58d2c812110771a601b50c35fc8566deb
SHA193d2c215490b9abc362e17a4bab459675828b9e4
SHA25629dac6dc31f1359a11ebc13f86797b40f8d0c98f5f5a044541479926b37391f2
SHA5122549842a0ed61d71e91e9e46e0ef7b2b629a059dd72c969a2a5236dd164c457bfb012efc410a41d5c88c1424d7205096fbba55f67826ae8884462b25f20177c0
-
memory/1320-136-0x0000000000000000-mapping.dmp
-
memory/1320-137-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/4864-132-0x0000000000000000-mapping.dmp