Analysis
-
max time kernel
92s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
28/11/2022, 02:00
Static task
static1
Behavioral task
behavioral1
Sample
ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe
Resource
win10v2004-20220901-en
General
-
Target
ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe
-
Size
976KB
-
MD5
15f8a9c371c77bc799867c902ba9e08b
-
SHA1
f754eca95b61656b84e48503eca1aee3afab61a0
-
SHA256
ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84
-
SHA512
c9d6995bd59dccbb7b39f9f43c9223a51d081c62ce8c190faed3b6d3bb904fde9745426d66d4a4d5769f3458eefb621958ecda9df06ea37c59001abe90380053
-
SSDEEP
12288:z8HN/Um3b7bt5ORv7OfUej1YY+oPfmH7OdIgbB1Nx0WkljfyU0NsA3wPPgMSHaI9:zfm3jWRCD+sdDkpYP3wPwn2arw
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2760 f.exe -
Loads dropped DLL 1 IoCs
pid Process 2680 ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target
2256 2760 WerFault.exe 76 -
Modifies registry class 34 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0 f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Programmable f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32 f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0 f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982} f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe\"" f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32 f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\Version = "1.0" f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe" f.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32 f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32 f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534} f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib\ = "{03771AEF-400D-4A13-B712-25878EC4A3F5}" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\ = "SmartInstallerLib" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5} f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS\ = "0" f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f.exe" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\ = "CBrowserExternal Class" f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version\ = "1.0" f.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534} f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ = "IBrowserExternals" f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" f.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4376 wmic.exe Token: SeSecurityPrivilege 4376 wmic.exe Token: SeTakeOwnershipPrivilege 4376 wmic.exe Token: SeLoadDriverPrivilege 4376 wmic.exe Token: SeSystemProfilePrivilege 4376 wmic.exe Token: SeSystemtimePrivilege 4376 wmic.exe Token: SeProfSingleProcessPrivilege 4376 wmic.exe Token: SeIncBasePriorityPrivilege 4376 wmic.exe Token: SeCreatePagefilePrivilege 4376 wmic.exe Token: SeBackupPrivilege 4376 wmic.exe Token: SeRestorePrivilege 4376 wmic.exe Token: SeShutdownPrivilege 4376 wmic.exe Token: SeDebugPrivilege 4376 wmic.exe Token: SeSystemEnvironmentPrivilege 4376 wmic.exe Token: SeRemoteShutdownPrivilege 4376 wmic.exe Token: SeUndockPrivilege 4376 wmic.exe Token: SeManageVolumePrivilege 4376 wmic.exe Token: 33 4376 wmic.exe Token: 34 4376 wmic.exe Token: 35 4376 wmic.exe Token: 36 4376 wmic.exe Token: SeIncreaseQuotaPrivilege 4376 wmic.exe Token: SeSecurityPrivilege 4376 wmic.exe Token: SeTakeOwnershipPrivilege 4376 wmic.exe Token: SeLoadDriverPrivilege 4376 wmic.exe Token: SeSystemProfilePrivilege 4376 wmic.exe Token: SeSystemtimePrivilege 4376 wmic.exe Token: SeProfSingleProcessPrivilege 4376 wmic.exe Token: SeIncBasePriorityPrivilege 4376 wmic.exe Token: SeCreatePagefilePrivilege 4376 wmic.exe Token: SeBackupPrivilege 4376 wmic.exe Token: SeRestorePrivilege 4376 wmic.exe Token: SeShutdownPrivilege 4376 wmic.exe Token: SeDebugPrivilege 4376 wmic.exe Token: SeSystemEnvironmentPrivilege 4376 wmic.exe Token: SeRemoteShutdownPrivilege 4376 wmic.exe Token: SeUndockPrivilege 4376 wmic.exe Token: SeManageVolumePrivilege 4376 wmic.exe Token: 33 4376 wmic.exe Token: 34 4376 wmic.exe Token: 35 4376 wmic.exe Token: 36 4376 wmic.exe Token: SeIncreaseQuotaPrivilege 3936 wmic.exe Token: SeSecurityPrivilege 3936 wmic.exe Token: SeTakeOwnershipPrivilege 3936 wmic.exe Token: SeLoadDriverPrivilege 3936 wmic.exe Token: SeSystemProfilePrivilege 3936 wmic.exe Token: SeSystemtimePrivilege 3936 wmic.exe Token: 
SeProfSingleProcessPrivilege 3936 wmic.exe Token: SeIncBasePriorityPrivilege 3936 wmic.exe Token: SeCreatePagefilePrivilege 3936 wmic.exe Token: SeBackupPrivilege 3936 wmic.exe Token: SeRestorePrivilege 3936 wmic.exe Token: SeShutdownPrivilege 3936 wmic.exe Token: SeDebugPrivilege 3936 wmic.exe Token: SeSystemEnvironmentPrivilege 3936 wmic.exe Token: SeRemoteShutdownPrivilege 3936 wmic.exe Token: SeUndockPrivilege 3936 wmic.exe Token: SeManageVolumePrivilege 3936 wmic.exe Token: 33 3936 wmic.exe Token: 34 3936 wmic.exe Token: 35 3936 wmic.exe Token: 36 3936 wmic.exe Token: SeIncreaseQuotaPrivilege 3936 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 2680 wrote to memory of 2760 2680 ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe 76
PID 2680 wrote to memory of 2760 2680 ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe 76
PID 2680 wrote to memory of 2760 2680 ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe 76
PID 2760 wrote to memory of 4376 2760 f.exe 77
PID 2760 wrote to memory of 4376 2760 f.exe 77
PID 2760 wrote to memory of 4376 2760 f.exe 77
PID 2760 wrote to memory of 3936 2760 f.exe 81
PID 2760 wrote to memory of 3936 2760 f.exe 81
PID 2760 wrote to memory of 3936 2760 f.exe 81
PID 2760 wrote to memory of 5028 2760 f.exe 83
PID 2760 wrote to memory of 5028 2760 f.exe 83
PID 2760 wrote to memory of 5028 2760 f.exe 83
PID 2760 wrote to memory of 4888 2760 f.exe 86
PID 2760 wrote to memory of 4888 2760 f.exe 86
PID 2760 wrote to memory of 4888 2760 f.exe 86
PID 2760 wrote to memory of 3916 2760 f.exe 88
PID 2760 wrote to memory of 3916 2760 f.exe 88
PID 2760 wrote to memory of 3916 2760 f.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe "C:\Users\Admin\AppData\Local\Temp\ad791146b73723953c665b348e5cd3ec37eacf5782369ff730aa79d045c78a84.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\f.exe C:\Users\Admin\AppData\Local\Temp\f.exe /PID=3005 /SUBPID=0 /NETWORKID=0 /DISTID=1775 /CID=0 /PRODUCT_ID=1694 /SERVER_URL=http://installer.apps-track.com /CLICKID=c0eca1fdf54a062be047d7f55e291f14 /D1=12433 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME= /EXE_URL= /EXE_CMDLINE= /HOST_BROWSER=5 /THANKYOU_URL= /TIME=1403241952 /VM=2 /DS1= /IS_RUNTIME=true /RETURNING_USER_DAYS=2 /IS_DYNAMIC_ENCRYPTED=true 2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Wbem\wmic.exe wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get serialnumber 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version 3⤵ PID:5028
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version 3⤵ PID:4888
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe wmic /output:C:\Users\Admin\AppData\Local\Temp\obhhelper.txt bios get version 3⤵ PID:3916
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 944 3⤵
- Program crash
PID:2256
-
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2760 -ip 2760 1⤵ PID:4532
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1.3MB
MD5 de3863de0a59e512dd879207429dd80d
SHA1 4e92d8e52dc238d1d66f78fba8bb14f691ec7bca
SHA256 f2444458fb4e1558afebab1f5950cbfebdc3701a5a3fd26b2c29dbe0c46dee2f
SHA512 eecedadc3d5049a51d02156779c370547b239312ff6c81e133d3807d081a16d89e669112d1b27f02ab0253684c3622511840e9440ead191d8bcd0a48128335f5
-
Filesize
1.3MB
MD5 de3863de0a59e512dd879207429dd80d
SHA1 4e92d8e52dc238d1d66f78fba8bb14f691ec7bca
SHA256 f2444458fb4e1558afebab1f5950cbfebdc3701a5a3fd26b2c29dbe0c46dee2f
SHA512 eecedadc3d5049a51d02156779c370547b239312ff6c81e133d3807d081a16d89e669112d1b27f02ab0253684c3622511840e9440ead191d8bcd0a48128335f5
-
Filesize
114KB
MD5 00321d477f76e401373c1fc71c7c4502
SHA1 cb010222cb25d67810f46d20c4daffea60b86c6e
SHA256 48db77073c6ab1ab2a0f0d80a21d1a17bee5ed745735b2a780b137bf06681c43
SHA512 6974617a9482b08f41db8575e123f82d76c18ae8dc2aae605b6d3bee0dce52f55de061283ca4c3eb0579eeaa0261f09cb98c611b0b5d502b37b3169e0bba4f85
-
Filesize
66B
MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
58B
MD5 dd876faf0fd44a5fab3e82368e2e8b15
SHA1 01b04083fa278dda3a81705ca5abcfee487a3c90
SHA256 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
SHA512 e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
-
Filesize
58B
MD5 dd876faf0fd44a5fab3e82368e2e8b15
SHA1 01b04083fa278dda3a81705ca5abcfee487a3c90
SHA256 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
SHA512 e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
-
Filesize
58B
MD5 dd876faf0fd44a5fab3e82368e2e8b15
SHA1 01b04083fa278dda3a81705ca5abcfee487a3c90
SHA256 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
SHA512 e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
-
Filesize
58B
MD5 dd876faf0fd44a5fab3e82368e2e8b15
SHA1 01b04083fa278dda3a81705ca5abcfee487a3c90
SHA256 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
SHA512 e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b