bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56

Analysis

max time kernel
77s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe
Size

783KB
MD5

c109c75bfcf640eb2086d5f67c735d38
SHA1

eb06bb58b75c68e601b8eeffedd8b30161fec9f6
SHA256

bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56
SHA512

97b656f52d9f00935199c47be6fc151fee156aa0ca543f8ec448e02f731f400cf2ded088dc30005d7cae8cb7e40bb54f76e623beb5ff12f8641ebb42f20d7776
SSDEEP

12288:uNlLp1zdnY029Ve01uh1eWT8/0Ngani6aAKQZl3Mu65aSf8Pp43hoJpYEUpObRD4:ydcVe01ubfe0Mz8r65643hoJpXD4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1212	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1352	bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Setup.exe = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Setup.exe = "0"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1212	1352	bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe	28
PID 1352 wrote to memory of 1212	1352	bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe	28
PID 1352 wrote to memory of 1212	1352	bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe	28
PID 1352 wrote to memory of 1212	1352	bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe	28
PID 1352 wrote to memory of 1212	1352	bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe	28
PID 1352 wrote to memory of 1212	1352	bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe	28
PID 1352 wrote to memory of 1212	1352	bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe	28

C:\Users\Admin\AppData\Local\Temp\bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe
"C:\Users\Admin\AppData\Local\Temp\bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\a23CA3ELWw\gEYbZwSm\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\a23CA3ELWw\gEYbZwSm\Setup.exe --relaunch
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a23CA3ELWw\gEYbZwSm\Setup.exe

Filesize
783KB

MD5
c109c75bfcf640eb2086d5f67c735d38

SHA1
eb06bb58b75c68e601b8eeffedd8b30161fec9f6

SHA256
bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56

SHA512
97b656f52d9f00935199c47be6fc151fee156aa0ca543f8ec448e02f731f400cf2ded088dc30005d7cae8cb7e40bb54f76e623beb5ff12f8641ebb42f20d7776

Download Submit
C:\Users\Admin\AppData\Local\Temp\a23CA3ELWw\gEYbZwSm\Setup.exe

Filesize
783KB

MD5
c109c75bfcf640eb2086d5f67c735d38

SHA1
eb06bb58b75c68e601b8eeffedd8b30161fec9f6

SHA256
bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56

SHA512
97b656f52d9f00935199c47be6fc151fee156aa0ca543f8ec448e02f731f400cf2ded088dc30005d7cae8cb7e40bb54f76e623beb5ff12f8641ebb42f20d7776

Download Submit
\Users\Admin\AppData\Local\Temp\a23CA3ELWw\gEYbZwSm\Setup.exe

Filesize
783KB

MD5
c109c75bfcf640eb2086d5f67c735d38

SHA1
eb06bb58b75c68e601b8eeffedd8b30161fec9f6

SHA256
bf273a09348eafecb5d23f7dd42c4ef7f7c5354e6f491e08718d4690bb029b56

SHA512
97b656f52d9f00935199c47be6fc151fee156aa0ca543f8ec448e02f731f400cf2ded088dc30005d7cae8cb7e40bb54f76e623beb5ff12f8641ebb42f20d7776

Download Submit
memory/1212-56-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download