Overview

overview

8

Static

static

2bfb8335b0...45.exe

windows7-x64

8

2bfb8335b0...45.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    153s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bfb8335b0c4155371b1562571fe69df15a68473ac0b8867b087f5f8132d9f45.exe

  • Size

    3.8MB

  • MD5

    5b9f947ba67e1f33fcf4b0ea8a078f96

  • SHA1

    d09125c8de526a4522b6337051842e5c95baf3f8

  • SHA256

    2bfb8335b0c4155371b1562571fe69df15a68473ac0b8867b087f5f8132d9f45

  • SHA512

    1219ec2ed50b25ae4bd4bf22235cce9810827503d80b115b31869038d8e54503d841ccc5d1003d4cc6f9725a677d14218e61697a3cd6514c37a21c0933e23fc5

  • SSDEEP

    98304:1JdA3vl951KgWYBGn3YXUC9YMvFbzbrYC0Xi/71NW:Cj51KmU3Y9+MFzbrK471s

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bfb8335b0c4155371b1562571fe69df15a68473ac0b8867b087f5f8132d9f45.exe
    "C:\Users\Admin\AppData\Local\Temp\2bfb8335b0c4155371b1562571fe69df15a68473ac0b8867b087f5f8132d9f45.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\_4D85.tmpac7d.exe
      "C:\Users\Admin\AppData\Local\Temp\_4D85.tmpac7d.exe" -p"08:02 PM" -y -o"C:\Users\Admin\AppData\Roaming\Antivirus Protection 2012"
      2⤵
      • Executes dropped EXE
      PID:2036
    • C:\Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
      "C:\Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
      2⤵
        PID:1984
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\Antivirus Protection 2012"
        2⤵
          PID:1716

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_4D85.tmpac7d.exe
        Filesize

        2.5MB

        MD5

        8921d5379a613429d797ae362bb9138f

        SHA1

        f405d2608b0bbd6c86006984ad1d2c0b328d967b

        SHA256

        dfc438b97c71fd8eb55cbf6ff9f35255b25a11a0a0b595569e853116abcaa190

        SHA512

        9beda713b005f77c168e23527d4746cddfcc3c38bd4382c6ed8ed72620bd835d354f1677b393173a76243c0b811ae34c77aa4797cf8f9e08bf499eef1babd43c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\_4D85.tmpac7d.exe
        Filesize

        2.5MB

        MD5

        8921d5379a613429d797ae362bb9138f

        SHA1

        f405d2608b0bbd6c86006984ad1d2c0b328d967b

        SHA256

        dfc438b97c71fd8eb55cbf6ff9f35255b25a11a0a0b595569e853116abcaa190

        SHA512

        9beda713b005f77c168e23527d4746cddfcc3c38bd4382c6ed8ed72620bd835d354f1677b393173a76243c0b811ae34c77aa4797cf8f9e08bf499eef1babd43c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • \Users\Admin\AppData\Local\Temp\_4D85.tmpac7d.exe
        Filesize

        2.5MB

        MD5

        8921d5379a613429d797ae362bb9138f

        SHA1

        f405d2608b0bbd6c86006984ad1d2c0b328d967b

        SHA256

        dfc438b97c71fd8eb55cbf6ff9f35255b25a11a0a0b595569e853116abcaa190

        SHA512

        9beda713b005f77c168e23527d4746cddfcc3c38bd4382c6ed8ed72620bd835d354f1677b393173a76243c0b811ae34c77aa4797cf8f9e08bf499eef1babd43c

        Download Submit
      • \Users\Admin\AppData\Local\Temp\_4D85.tmpac7d.exe
        Filesize

        2.5MB

        MD5

        8921d5379a613429d797ae362bb9138f

        SHA1

        f405d2608b0bbd6c86006984ad1d2c0b328d967b

        SHA256

        dfc438b97c71fd8eb55cbf6ff9f35255b25a11a0a0b595569e853116abcaa190

        SHA512

        9beda713b005f77c168e23527d4746cddfcc3c38bd4382c6ed8ed72620bd835d354f1677b393173a76243c0b811ae34c77aa4797cf8f9e08bf499eef1babd43c

        Download Submit
      • \Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • \Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • \Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • \Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • \Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • \Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • \Users\Admin\AppData\Roaming\Antivirus Protection 2012\AntivirusProtection2012.exe
        Filesize

        2.3MB

        MD5

        bae30910ed2c9b086430a28ae032e928

        SHA1

        c18b468dbcb6b1aefc0249edccbb37a558cfaf9f

        SHA256

        0aea72eba1537d9be08b5f59bfd5e5ab611754ef4b4c66fda197044abae45829

        SHA512

        bb08b5763fd2cc6b8a2bdce1c0578014e7848bf1b496c7c5d767b37cb4660f41237190e2cccd93d0a003a060d68102cb6eef55a17a80d50043b9fd151f71c183

        Download Submit
      • memory/552-79-0x0000000000400000-0x0000000000DF4000-memory.dmp
        Filesize

        10.0MB

        Download
      • memory/552-54-0x0000000002CA0000-0x0000000003058000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/552-78-0x0000000002CA0000-0x0000000003058000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/552-55-0x0000000075131000-0x0000000075133000-memory.dmp
        Filesize

        8KB

        Download
      • memory/552-61-0x0000000000400000-0x0000000000DF4000-memory.dmp
        Filesize

        10.0MB

        Download
      • memory/1716-75-0x0000000000000000-mapping.dmp
        Download
      • memory/1984-72-0x0000000000000000-mapping.dmp
        Download
      • memory/2020-73-0x0000000000400000-0x0000000001885000-memory.dmp
        Filesize

        20.5MB

        Download
      • memory/2020-76-0x0000000003800000-0x0000000003A2E000-memory.dmp
        Filesize

        2.2MB

        Download
      • memory/2020-77-0x0000000000400000-0x0000000001885000-memory.dmp
        Filesize

        20.5MB

        Download
      • memory/2020-70-0x0000000000000000-mapping.dmp
        Download
      • memory/2020-80-0x0000000000400000-0x0000000001885000-memory.dmp
        Filesize

        20.5MB

        Download
      • memory/2036-58-0x0000000000000000-mapping.dmp
        Download