2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7

Analysis

max time kernel
45s
max time network
38s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
Size

662KB
MD5

cd642c5f2839697b4a5e08627cbf6f9b
SHA1

dff5b04da6edc740e4ba82cfba45afe22d08c7c4
SHA256

2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7
SHA512

942b2cfcf43308a972834ff2062cac4413cf071aa5f33eba6cf28fd8ce818e3bbab4d315945d6e553db76b6251b0ee7e21b0a71a0ad9e404ade6a660d798f186
SSDEEP

12288:z37h6cT888888888888W88888888888tO+Lp36ABo8YUoYBWzWgdutXsdTgKjtj0:j7hZel6WzWgduyJgKjTbOV6+YPa

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
564	adinstall.exe
1732	adinstall.tmp
112	metablogagent.exe

Loads dropped DLL 10 IoCs

pid	Process
1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
564	adinstall.exe
1732	adinstall.tmp
1732	adinstall.tmp
1732	adinstall.tmp
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	adinstall.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MetablogNewIssues = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\MetablogNewIssues.exe /byboot"	adinstall.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\metablogagent = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\metablogagent.exe"	adinstall.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	112	WerFault.exe	30

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
112	metablogagent.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 564	1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	28
PID 1960 wrote to memory of 564	1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	28
PID 1960 wrote to memory of 564	1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	28
PID 1960 wrote to memory of 564	1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	28
PID 1960 wrote to memory of 564	1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	28
PID 1960 wrote to memory of 564	1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	28
PID 1960 wrote to memory of 564	1960	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	28
PID 564 wrote to memory of 1732	564	adinstall.exe	29
PID 564 wrote to memory of 1732	564	adinstall.exe	29
PID 564 wrote to memory of 1732	564	adinstall.exe	29
PID 564 wrote to memory of 1732	564	adinstall.exe	29
PID 564 wrote to memory of 1732	564	adinstall.exe	29
PID 564 wrote to memory of 1732	564	adinstall.exe	29
PID 564 wrote to memory of 1732	564	adinstall.exe	29
PID 1732 wrote to memory of 112	1732	adinstall.tmp	30
PID 1732 wrote to memory of 112	1732	adinstall.tmp	30
PID 1732 wrote to memory of 112	1732	adinstall.tmp	30
PID 1732 wrote to memory of 112	1732	adinstall.tmp	30
PID 112 wrote to memory of 1000	112	metablogagent.exe	32
PID 112 wrote to memory of 1000	112	metablogagent.exe	32
PID 112 wrote to memory of 1000	112	metablogagent.exe	32
PID 112 wrote to memory of 1000	112	metablogagent.exe	32

C:\Users\Admin\AppData\Local\Temp\2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
"C:\Users\Admin\AppData\Local\Temp\2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe
  C:\Users\Admin\AppData\Local\Temp\\adm\adinstall.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\is-BJ1HP.tmp\adinstall.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BJ1HP.tmp\adinstall.tmp" /SL5="$70126,257361,138240,C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe
      "C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe" /install
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 584
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe

Filesize
633KB

MD5
ab870789508865d907b4868890b299de

SHA1
59337bc37f47298d27d1a33441b3aa753d2581a9

SHA256
6a77411d27b031b57769df1832a69a905397da8b2a07435d36ec7ceb57171af2

SHA512
13646c8148198368d3a14d78d288df46a9d5c97575e5881067cafa10617e9c5d51680f3706555181672686e06bd91d6c64ebd346af1bb8854b7877d52b60b200

Download Submit
C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe

Filesize
633KB

MD5
ab870789508865d907b4868890b299de

SHA1
59337bc37f47298d27d1a33441b3aa753d2581a9

SHA256
6a77411d27b031b57769df1832a69a905397da8b2a07435d36ec7ceb57171af2

SHA512
13646c8148198368d3a14d78d288df46a9d5c97575e5881067cafa10617e9c5d51680f3706555181672686e06bd91d6c64ebd346af1bb8854b7877d52b60b200

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJ1HP.tmp\adinstall.tmp

Filesize
1.1MB

MD5
ef4643fb82df32a3d7fa4c8739c7006b

SHA1
d2c7e71f33fb1c751946a42bf409e36a9ecb54e9

SHA256
974700947c38a03e00e60fbcdb7c1132e8900a16ece8d3a6943458b230248abc

SHA512
db3f1e0650f9708a27eb7171438a89b7f70624a6de22e6a5bc98ccf33e27cc0419f0ec589c03abe2b6c0ecaa46cfccd9f747bebd4e5d78d34148866e101ed51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJ1HP.tmp\adinstall.tmp

Filesize
1.1MB

MD5
ef4643fb82df32a3d7fa4c8739c7006b

SHA1
d2c7e71f33fb1c751946a42bf409e36a9ecb54e9

SHA256
974700947c38a03e00e60fbcdb7c1132e8900a16ece8d3a6943458b230248abc

SHA512
db3f1e0650f9708a27eb7171438a89b7f70624a6de22e6a5bc98ccf33e27cc0419f0ec589c03abe2b6c0ecaa46cfccd9f747bebd4e5d78d34148866e101ed51c

Download Submit
\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
\Users\Admin\AppData\Local\Temp\adm\adinstall.exe

Filesize
633KB

MD5
ab870789508865d907b4868890b299de

SHA1
59337bc37f47298d27d1a33441b3aa753d2581a9

SHA256
6a77411d27b031b57769df1832a69a905397da8b2a07435d36ec7ceb57171af2

SHA512
13646c8148198368d3a14d78d288df46a9d5c97575e5881067cafa10617e9c5d51680f3706555181672686e06bd91d6c64ebd346af1bb8854b7877d52b60b200

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJ1HP.tmp\adinstall.tmp

Filesize
1.1MB

MD5
ef4643fb82df32a3d7fa4c8739c7006b

SHA1
d2c7e71f33fb1c751946a42bf409e36a9ecb54e9

SHA256
974700947c38a03e00e60fbcdb7c1132e8900a16ece8d3a6943458b230248abc

SHA512
db3f1e0650f9708a27eb7171438a89b7f70624a6de22e6a5bc98ccf33e27cc0419f0ec589c03abe2b6c0ecaa46cfccd9f747bebd4e5d78d34148866e101ed51c

Download Submit
\Users\Admin\AppData\Local\Temp\is-P1G4H.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-P1G4H.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/564-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/564-57-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/564-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/564-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download