893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a

Analysis

max time kernel
136s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
Size

22.5MB
MD5

c125715cc082fe693f5efa39912837bb
SHA1

873369200aa459b19dfe0e1f825db7fcd4ec99f6
SHA256

893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a
SHA512

7978d8d18081fef9745919701e8070d5c27289498c9ea4efe69fc2d1bb1dd2283a201b81dee2cb4331aa9e67a0be082296664d015643422ee6af90627fafb8e3
SSDEEP

49152:Ycy52F1BTTWAXv7XnOMj5e1K7x6494Vlc2GXvJTijowTMfbGK:YcTbnw1K7x6i4Vlc2shU2bd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1188	AdeptTck_setup.exe

Loads dropped DLL 11 IoCs

pid	Process
1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdeptTck = "C:\\Users\\Public\\Iobnz\\Ixpw.exe /AdeptTck /{71C4A4B8-0327-414D-B7CC-505046A2CA5B}"	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzc	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE,2"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE,4"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto\ddeexec	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print\command	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto\command	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdeptTracker\Website	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE,6"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open\ddeexec\ = "[open(\"%1\")]"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE /dde"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzc\ShellNew	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print\ddeexec\ = "[print(\"%1\")]"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzc\ShellNew\NullFile	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE,3"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdeptTracker	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE,1"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open\ddeexec	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzc\ = "Project.lzc"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\open\command	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE /dde"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE /dde"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE,7"	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\ = "AdeptTracker Project Document"	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\print\ddeexec	AdeptTck_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\shell\printto	AdeptTck_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project.lzc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g86807\\ADEPTT~1.EXE,5"	AdeptTck_setup.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1188	AdeptTck_setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1188	AdeptTck_setup.exe
1188	AdeptTck_setup.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1364	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	28
PID 1252 wrote to memory of 1364	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	28
PID 1252 wrote to memory of 1364	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	28
PID 1252 wrote to memory of 1364	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	28
PID 1252 wrote to memory of 1364	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	28
PID 1252 wrote to memory of 1364	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	28
PID 1252 wrote to memory of 1364	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	28
PID 1364 wrote to memory of 1036	1364	Net.exe	30
PID 1364 wrote to memory of 1036	1364	Net.exe	30
PID 1364 wrote to memory of 1036	1364	Net.exe	30
PID 1364 wrote to memory of 1036	1364	Net.exe	30
PID 1364 wrote to memory of 1036	1364	Net.exe	30
PID 1364 wrote to memory of 1036	1364	Net.exe	30
PID 1364 wrote to memory of 1036	1364	Net.exe	30
PID 1252 wrote to memory of 1188	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	31
PID 1252 wrote to memory of 1188	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	31
PID 1252 wrote to memory of 1188	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	31
PID 1252 wrote to memory of 1188	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	31
PID 1252 wrote to memory of 1188	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	31
PID 1252 wrote to memory of 1188	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	31
PID 1252 wrote to memory of 1188	1252	893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe	31
PID 1188 wrote to memory of 668	1188	AdeptTck_setup.exe	32
PID 1188 wrote to memory of 668	1188	AdeptTck_setup.exe	32
PID 1188 wrote to memory of 668	1188	AdeptTck_setup.exe	32
PID 1188 wrote to memory of 668	1188	AdeptTck_setup.exe	32

C:\Users\Admin\AppData\Local\Temp\893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe
"C:\Users\Admin\AppData\Local\Temp\893f16d88761ca4a3527f7f5a267ea5d9e013a8e9aac851cc9947f78fd9e717a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1036
- C:\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
\Users\Admin\AppData\Local\Temp\g86807\AdeptTck_setup.exe

Filesize
718KB

MD5
d0aa4e89e9c93b31af211348059139ba

SHA1
f04d2ecb6eaff92c751d6acae38735370c2f7b3c

SHA256
016891ffdbfee6cc5f7695eaf66ce066bed45f78e3642fd19213837567f94e39

SHA512
39d584cd6d501fdf70881fe2c8a385d11c4f7f98bd85fdc6445a4f6bb45f7c09f910619e9e24507181633e77870a6e839a38627a8e81123db2ba4647798c6617

Download Submit
memory/668-77-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1188-69-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/1188-78-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/1188-79-0x0000000003160000-0x00000000033AD000-memory.dmp

Filesize
2.3MB

Download
memory/1252-68-0x0000000002FD0000-0x000000000321D000-memory.dmp

Filesize
2.3MB

Download
memory/1252-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download