9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b

Analysis

max time kernel
43s
max time network
100s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Size

380KB
MD5

ff52f4e1d1f75f5ae003f87b002a2e4a
SHA1

d40e9166954ee8330f7703e04c1cd56915979d18
SHA256

9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b
SHA512

caebe8ec9e1cb12b70f425e2f0b8ba714049f0d6bb935e89ef6db14864087e52fd89b829add32a0e2c15fbeba25c1b0d387c7cdd70547f18a0b83bed5fa501a7
SSDEEP

6144:PZ2KRA+AqItby06N9DejUmbKdxjjg8ESkblBPTUjBKTNSA8iv49a14yrMVqnEF3N:rRASmmZVejUWKLjjg8EAoMEvf14yrMFd

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola\CurVer	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\VersionIndependentProgID	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\TypeLib	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe\""	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\Version	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\TypeLib\ = "{63084104-346B-44DA-9DF0-5094A81F0206}"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\TypeLib	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola\ = "Inst Class"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\Programmable	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\ProgID	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola.1	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\TypeLib\Version = "1.0"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\ProxyStubClsid32	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\FLAGS	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe:typelib"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\0	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\LocalServer32	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\TypeLib	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\ProgID	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola.1\CLSID	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\ProgID\ = "wheyish.tombola.1"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\HELPDIR	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\Version	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\VersionIndependentProgID\ = "wheyish.tombola"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\FLAGS	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\FLAGS\ = "0"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\ProxyStubClsid32	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola.1	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola\CurVer\ = "wheyish.tombola.1"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\VersionIndependentProgID	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\ = "IBoot"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola\CurVer	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\Version\ = "1.0"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\Programmable	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\0\win32	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\HELPDIR	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\ProxyStubClsid32	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\TypeLib\ = "{63084104-346b-44da-9df0-5094a81f0206}"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63084104-346B-44DA-9DF0-5094A81F0206}\1.0\ = "InstallerLib"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\ = "IBoot"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\TypeLib	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\TypeLib\ = "{63084104-346B-44DA-9DF0-5094A81F0206}"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\ = "Inst Class"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\TypeLib	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\TypeLib\Version = "1.0"	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3db7dcf5-2a7d-453e-ab50-5b79b1916510}\LocalServer32	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CDF8FFC-6509-445E-B75D-F0344E4C4827}\TypeLib	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\wheyish.tombola.1\CLSID	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe:typelib	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1788	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
1788	9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe

C:\Users\Admin\AppData\Local\Temp\9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe
"C:\Users\Admin\AppData\Local\Temp\9bdd995e633925c057c9cdfa77f0e0c6b3a41a3fc1ec1c2929f10273743c2c7b.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1788-55-0x0000000000390000-0x000000000046B000-memory.dmp

Filesize
876KB

Download
memory/1788-56-0x0000000000390000-0x000000000046B000-memory.dmp

Filesize
876KB

Download
memory/1788-57-0x0000000000390000-0x000000000046B000-memory.dmp

Filesize
876KB

Download