387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd

Analysis

max time kernel
124s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Size

98KB
MD5

20edbffc5a44d4e49befdba7765ba3b7
SHA1

bea9d3a71fd6e9aa8c12535ce90487fd6f4382a0
SHA256

387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd
SHA512

16e0629dda46b6ef077007ad701e03a97fcb31301b4c6af9261ca2b926abfa443d9ebcac55456b0b28bbb62537b1754f5b976eda9efcd062b601b14211f12041
SSDEEP

1536:YrSR9ieUOc+/RAhDcktPLXbbxAyQIrZBQlgSJ0TWS3:GSR8Y6hD7AyQIrZBbSJK3

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 27 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = fe00310000000000000000001700333837643563646233316532656162353965356133623539623032633638633433333035343434316362313631303734383730313336656132633730653864640000ae0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000003300380037006400350063006400620033003100650032006500610062003500390065003500610033006200350039006200300032006300360038006300340033003300300035003400340034003100630062003100360031003000370034003800370030003100330036006500610032006300370030006500380064006400000050000000	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000100054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe

C:\Users\Admin\AppData\Local\Temp\387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe
"C:\Users\Admin\AppData\Local\Temp\387d5cdb31e2eab59e5a3b59b02c68c433054441cb161074870136ea2c70e8dd.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies registry class
PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1368-55-0x0000000073761000-0x0000000073763000-memory.dmp

Filesize
8KB

Download
memory/1368-56-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads