39e08ecf4ab3becd1ffb4b49c4bf6991b998ec9f68e86ec3483926d8c2fef360

Analysis

max time kernel
147s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setupFilmComposer.exe
Size

75.2MB
MD5

3d1907e4cefc193fc2bbfc55ea550c48
SHA1

646e76cc2dbd92ef3ee9b1489d8f5d9cee394507
SHA256

43b19ffa3fc5d2c369017ae8207d36031031a1eaa4d02f8668e587fb0284fb39
SHA512

5e35ae79abef05d62bc3e670220f10b671769323afceeffc6b4468657c08cab591f34f332c928911901c0a1801559e30a0f6983072c68ed3737089b984e80021
SSDEEP

1572864:jQusg+Ab/GND5IQ+qFlRluU7233mNMdGai3MK7p:7sg+2/sqolRlhWiv7p

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 15 IoCs

Processes:

setupFilmComposer.exe

pid	process
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe
552	setupFilmComposer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

Processes:

setupFilmComposer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TROPHY\FilmComposer	setupFilmComposer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TROPHY\FilmComposer\TemplateDir = "C:\\Users\\Public\\Documents\\Carestream\\FilmComposer\\Templates"	setupFilmComposer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TROPHY	setupFilmComposer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TROPHY\AppDataPath = "C:\\ProgramData\\TW"	setupFilmComposer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TROPHY\DocumentsPath = "C:\\Users\\Public\\Documents\\Carestream"	setupFilmComposer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TROPHY\Shared	setupFilmComposer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TROPHY\Shared\TemplateDir = "C:\\Users\\Public\\Documents\\Carestream\\FilmComposer\\Templates"	setupFilmComposer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

setupFilmComposer.exe

pid process

552 setupFilmComposer.exe
552 setupFilmComposer.exe
552 setupFilmComposer.exe
552 setupFilmComposer.exe

C:\Users\Admin\AppData\Local\Temp\setupFilmComposer.exe
"C:\Users\Admin\AppData\Local\Temp\setupFilmComposer.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\AccessControl.dll
Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\AccessControl.dll
Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\GetVersion.dll
Filesize
9KB

MD5
225f776172f1baccd2721a6e5d512b36

SHA1
2dbbc86f7b0285682880a627b56a75de09f4bed6

SHA256
ecfcbe30f5b248673f9cbebb734b9981ed14b06380ea787c563d67b30e2d069e

SHA512
4b99a5ac68122501a5913cf54bd3ae99d851d57656b0e136980122739cceef739fa2d5ea097f2442068b9489a4c25ea0884653c41d85f27f25996792bf6c21bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\GetVersion.dll
Filesize
9KB

MD5
225f776172f1baccd2721a6e5d512b36

SHA1
2dbbc86f7b0285682880a627b56a75de09f4bed6

SHA256
ecfcbe30f5b248673f9cbebb734b9981ed14b06380ea787c563d67b30e2d069e

SHA512
4b99a5ac68122501a5913cf54bd3ae99d851d57656b0e136980122739cceef739fa2d5ea097f2442068b9489a4c25ea0884653c41d85f27f25996792bf6c21bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\GetVersion.dll
Filesize
9KB

MD5
225f776172f1baccd2721a6e5d512b36

SHA1
2dbbc86f7b0285682880a627b56a75de09f4bed6

SHA256
ecfcbe30f5b248673f9cbebb734b9981ed14b06380ea787c563d67b30e2d069e

SHA512
4b99a5ac68122501a5913cf54bd3ae99d851d57656b0e136980122739cceef739fa2d5ea097f2442068b9489a4c25ea0884653c41d85f27f25996792bf6c21bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\GetVersion.dll
Filesize
9KB

MD5
225f776172f1baccd2721a6e5d512b36

SHA1
2dbbc86f7b0285682880a627b56a75de09f4bed6

SHA256
ecfcbe30f5b248673f9cbebb734b9981ed14b06380ea787c563d67b30e2d069e

SHA512
4b99a5ac68122501a5913cf54bd3ae99d851d57656b0e136980122739cceef739fa2d5ea097f2442068b9489a4c25ea0884653c41d85f27f25996792bf6c21bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\GetVersion.dll
Filesize
9KB

MD5
225f776172f1baccd2721a6e5d512b36

SHA1
2dbbc86f7b0285682880a627b56a75de09f4bed6

SHA256
ecfcbe30f5b248673f9cbebb734b9981ed14b06380ea787c563d67b30e2d069e

SHA512
4b99a5ac68122501a5913cf54bd3ae99d851d57656b0e136980122739cceef739fa2d5ea097f2442068b9489a4c25ea0884653c41d85f27f25996792bf6c21bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\InstallOptions.dll
Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\InstallOptions.dll
Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\LangDLL.dll
Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\SkinnedControls.dll
Filesize
68KB

MD5
c3e5d1a39e1f4dc8317a9e71ce93d141

SHA1
7f1e4bcfb2a6b58b5e337d58713eb27dfb2afef4

SHA256
512d67d40f6c73a8c7ce63060962b7632c47b528f340f152fbbda6ab12883579

SHA512
32b5c5439a1d58f4fcc9348d0a91ed6c4ecf5bec3abc646a345a2256060a962978a7fc9a5ce155ad1498a1d6f77dac29d433e9398252bd66b1d89875447e4603

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\SkinnedControls.dll
Filesize
68KB

MD5
c3e5d1a39e1f4dc8317a9e71ce93d141

SHA1
7f1e4bcfb2a6b58b5e337d58713eb27dfb2afef4

SHA256
512d67d40f6c73a8c7ce63060962b7632c47b528f340f152fbbda6ab12883579

SHA512
32b5c5439a1d58f4fcc9348d0a91ed6c4ecf5bec3abc646a345a2256060a962978a7fc9a5ce155ad1498a1d6f77dac29d433e9398252bd66b1d89875447e4603

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\nsProcess.dll
Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD60E.tmp\nsProcess.dll
Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/552-154-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download
memory/552-150-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download
memory/552-152-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download
memory/552-148-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download
memory/552-156-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download
memory/552-158-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download
memory/552-160-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download
memory/552-163-0x0000000002311000-0x0000000002313000-memory.dmp

Filesize
8KB

Download
memory/552-146-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download
memory/552-145-0x00000000022E1000-0x00000000022ED000-memory.dmp

Filesize
48KB

Download