de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9

Analysis

max time kernel
237s
max time network
263s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
Size

5.9MB
MD5

1c94921d0331164d89e741dea08a30da
SHA1

ca86e120e2d56b81e894c2379c23f65a0d5fe3c1
SHA256

de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9
SHA512

461a63346d44bf2bd54fc9e14a09595a2306c264225d233a82d4a7c58296e6507cbc3c28df2a17c1bd924235b9d51537cf7bd42f1ba333352b58ab37ebd90006
SSDEEP

98304:DQkuA/31rGDX4kKwA4lwo9V+3f6D5g2BA/2cJ0/7pFbdoRwTi7MUVEgBzjZUkKwt:s0/316DtA4aCV+Pi5g2BA/l0rCwG7zV/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3636	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\FileOperator.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\LocalRecord_Active.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\carIndex.json	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\h264dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\mpeg4dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavmp3dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\Audio_InActive.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\AR_InActive.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\Play_InActive.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavg729dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavg726dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\hevcdec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\AlgPano.exe	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\webrec.ico	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\background.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\cximagecrt.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\DHIVS_AutoMatch.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\CloseVideo_InActive.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\swscale.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\MasterSlaveAPI.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\AR_Active.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\CloseVideo_Active.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\plugin.data	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\webplugin_MulID_WebSocketServer.nsi	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\Fisheye_InActive.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavg7221dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\ThdProtocolClient.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\CapturePic_Active.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\Fisheye_Active.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavg7231dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\Audio_Active.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\ZoomIn_InActive.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavg711.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\UIControls.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\IvsDrawer.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\jpeg_dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\npMedia5.0.412649.0.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\ScenicSpot.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\WebSocketServer.exe	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dhplay.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\VideoAnalysisShape.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\fisheye.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File opened for modification	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\plugin.data	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File opened for modification	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\MediaSvr.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavaacdec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\ZoomIn_Active.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavaudio_codecs.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\dllmavmp2dec.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\MPA_HSPano.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\FisheyeCtrl.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\postproc.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\LocalRecord_InActive.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\Play_Active.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\StreamConvertor.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\SVComponentInterface.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\WebActiveX.exe	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\CommSvrBus.dll	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
File created	C:\Program Files (x86)\webrec\Torch\5.0.412649.0\Res\CapturePic_InActive.png	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
772	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	TASKKILL.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 772	3636	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe	83
PID 3636 wrote to memory of 772	3636	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe	83
PID 3636 wrote to memory of 772	3636	de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe	83

C:\Users\Admin\AppData\Local\Temp\de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe
"C:\Users\Admin\AppData\Local\Temp\de71e8a2aaa70219160cb11a7be7f06f24082d2c0c9211fbe7823fe84185d5e9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM WebSocketServer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso7423.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit