addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304

Analysis

max time kernel
191s
max time network
196s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe
Size

183KB
MD5

cb2d856dc72bb7e528dba68f19e8fdca
SHA1

39a48d86e280a65d35bec591776816358b8372e3
SHA256

addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304
SHA512

476009a3a16183a47aa0e02d8fcfea357693f3e67657ebd9f8a5781c054accf02b937555c84a5539f9702a3a81ae48d6a27283dad0790afaa90e90623180bf27
SSDEEP

3072:q/SpcwdFVhNPN1e68NpDUdI9BTX/EOWm1LUABC/74n8snQXkoemxhCh8llgQWZR:q/0FVhNPNMrUITTvosLUAg8n8MQz/cGG

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\IsShortcut	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\IsShortcut	PPStream.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut	PPStream.exe

Executes dropped EXE 1 IoCs

pid	Process
1272	PPStream.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe
1636	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinPcap\7-Zip File Manager.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Windows PowerShell Modules.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempMicrosoft InfoPath Filler 2010.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Digital Certificate for VBA Projects.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Microsoft Clip Organizer.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\About Java.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempMicrosoft Clip Organizer.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Microsoft Office Picture Manager.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Microsoft Publisher 2010.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Microsoft Word 2010.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempWindows Update.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempOn-Screen Keyboard.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\XPS Viewer.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempDefault Programs.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempMicrosoft PowerPoint 2010.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Windows Fax and Scan.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempSpeech Recognition.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Configure Java.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Microsoft OneNote 2010.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempWindows Fax and Scan.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempWordpad.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempCalculator.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempSound Recorder.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempSync Center.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempSync Center.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Resource Monitor.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempWindows Journal.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempWindows PowerShell ISE.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempAdobe Reader 9.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Java Mission Control.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Microsoft InfoPath Designer 2010.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempWindows Fax and Scan.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempNetworkProjection.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempWindows Easy Transfer Reports.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempMicrosoft Access 2010.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempNotepad.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Sync Center.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\NetworkProjection.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Microsoft Excel 2010.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Digital Certificate for VBA Projects.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempVLC media player.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Mobility Center.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempPaint.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempiSCSI Initiator.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempSystem Configuration.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Backup and Restore Center.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Private Character Editor.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Speech Recognition.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempWindows PowerShell ISE (x86).lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempSystem Configuration.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempBackup and Restore Center.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Microsoft Publisher 2010.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Microsoft SharePoint Workspace 2010.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempEase of Access.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Tempdfrgui.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Microsoft Outlook 2010.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Narrator.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\Sync Center.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Disk Cleanup.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\System Information.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Windows PowerShell (x86).lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\Windows PowerShell.lnk	PPStream.exe
File opened for modification	C:\Program Files\WinPcap\TempEase of Access.lnk	PPStream.exe
File created	C:\Program Files\WinPcap\TempNarrator.lnk	PPStream.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\IsShortcut	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\IsShortcut	PPStream.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut	PPStream.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1272	PPStream.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1272	PPStream.exe
1272	PPStream.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1272	1636	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe	27
PID 1636 wrote to memory of 1272	1636	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe	27
PID 1636 wrote to memory of 1272	1636	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe	27
PID 1636 wrote to memory of 1272	1636	addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe	27

C:\Users\Admin\AppData\Local\Temp\addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe
"C:\Users\Admin\AppData\Local\Temp\addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files\WinPcap\PPStream.exe
  "C:\Program Files\WinPcap\PPStream.exe"
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinPcap\PPStream.exe

Filesize
6.0MB

MD5
80fc1a35098bc4f3952fd0da60a706bd

SHA1
75763d4d5892674182182bfbc6caf8af66f7c38d

SHA256
dd23e3cad9ceb18dd23ca9ab54dc832d31009b391c2991b3742dc418349cf01f

SHA512
b14356d494abe22bbcdb1698bdef6f84989c6122d5bcfd5b6c072b4d3a63fb238122fa2c453e0d05db241a42013f1161f478315d4b435f536ad12f450cf0f90a

Download Submit
C:\Program Files\WinPcap\PPStream.exe

Filesize
6.0MB

MD5
80fc1a35098bc4f3952fd0da60a706bd

SHA1
75763d4d5892674182182bfbc6caf8af66f7c38d

SHA256
dd23e3cad9ceb18dd23ca9ab54dc832d31009b391c2991b3742dc418349cf01f

SHA512
b14356d494abe22bbcdb1698bdef6f84989c6122d5bcfd5b6c072b4d3a63fb238122fa2c453e0d05db241a42013f1161f478315d4b435f536ad12f450cf0f90a

Download Submit
\Program Files\WinPcap\PPStream.exe

Filesize
6.0MB

MD5
80fc1a35098bc4f3952fd0da60a706bd

SHA1
75763d4d5892674182182bfbc6caf8af66f7c38d

SHA256
dd23e3cad9ceb18dd23ca9ab54dc832d31009b391c2991b3742dc418349cf01f

SHA512
b14356d494abe22bbcdb1698bdef6f84989c6122d5bcfd5b6c072b4d3a63fb238122fa2c453e0d05db241a42013f1161f478315d4b435f536ad12f450cf0f90a

Download Submit
\Program Files\WinPcap\PPStream.exe

Filesize
6.0MB

MD5
80fc1a35098bc4f3952fd0da60a706bd

SHA1
75763d4d5892674182182bfbc6caf8af66f7c38d

SHA256
dd23e3cad9ceb18dd23ca9ab54dc832d31009b391c2991b3742dc418349cf01f

SHA512
b14356d494abe22bbcdb1698bdef6f84989c6122d5bcfd5b6c072b4d3a63fb238122fa2c453e0d05db241a42013f1161f478315d4b435f536ad12f450cf0f90a

Download Submit
memory/1272-63-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1272-66-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1272-67-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1636-54-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1636-56-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1636-62-0x0000000003770000-0x00000000037F5000-memory.dmp

Filesize
532KB

Download
memory/1636-64-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1636-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download