b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7

General

Target

b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
Size

26.0MB
MD5

43663379bdcdbfb01c118b2df5041134
SHA1

a1c56c745b3b5afe42dce64803d25ad104c72e87
SHA256

b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7
SHA512

158af2221fd59f7a670a3ba54e74002ebc919344027c0f5b79bd0216b79b875781431dcf9c7c8e0cfd5b57db0fc4e7c944c08b8f881da1c6d6dbd7cdf86eea6d
SSDEEP

196608:5ZxpETyJc5qdnGNkcNls1+PQZyE4+vr2X3pcLn:5ZjETn4GNJNls1+AyEvK3On

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
308	DbVisualizer.v6.5.1-Crack_setup.exe

Loads dropped DLL 3 IoCs

pid	Process
1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
308	DbVisualizer.v6.5.1-Crack_setup.exe
308	DbVisualizer.v6.5.1-Crack_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DbVisualizer.v6.5.1-Crack = "C:\\Users\\Public\\Oyce\\Prav.exe /DbVisualizer.v6.5.1-Crack /{F6BA46CC-D8E2-4070-9C83-C9628816C455}"	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	DbVisualizer.v6.5.1-Crack_setup.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
308	DbVisualizer.v6.5.1-Crack_setup.exe
308	DbVisualizer.v6.5.1-Crack_setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1452	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	28
PID 1612 wrote to memory of 1452	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	28
PID 1612 wrote to memory of 1452	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	28
PID 1612 wrote to memory of 1452	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	28
PID 1612 wrote to memory of 1452	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	28
PID 1612 wrote to memory of 1452	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	28
PID 1612 wrote to memory of 1452	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	28
PID 1452 wrote to memory of 1316	1452	Net.exe	30
PID 1452 wrote to memory of 1316	1452	Net.exe	30
PID 1452 wrote to memory of 1316	1452	Net.exe	30
PID 1452 wrote to memory of 1316	1452	Net.exe	30
PID 1452 wrote to memory of 1316	1452	Net.exe	30
PID 1452 wrote to memory of 1316	1452	Net.exe	30
PID 1452 wrote to memory of 1316	1452	Net.exe	30
PID 1612 wrote to memory of 308	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	31
PID 1612 wrote to memory of 308	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	31
PID 1612 wrote to memory of 308	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	31
PID 1612 wrote to memory of 308	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	31
PID 1612 wrote to memory of 308	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	31
PID 1612 wrote to memory of 308	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	31
PID 1612 wrote to memory of 308	1612	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	31

C:\Users\Admin\AppData\Local\Temp\b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
"C:\Users\Admin\AppData\Local\Temp\b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1316
- C:\Users\Admin\AppData\Local\Temp\g88373\DbVisualizer.v6.5.1-Crack_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g88373\DbVisualizer.v6.5.1-Crack_setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g88373\DbVisualizer.v6.5.1-Crack_setup.exe

Filesize
4.2MB

MD5
688392816c05c037c750656b6a8c58a5

SHA1
81afe3d46ca4b439eae55d8bec44c5b7eda98397

SHA256
efb61f5156ba3c3fae330b5975f1e3996306bb1e9bfbf1fe0f8ad01d3fc10c89

SHA512
5eab14039ab326124ce8220d118a8b68a19127883d00bef4f6078018651f45808699b087396b4ccef213dcff78a07e21ad114380a8604d212fecb347b9177201

Download Submit
C:\Users\Admin\AppData\Local\Temp\g88373\DbVisualizer.v6.5.1-Crack_setup.exe

Filesize
4.2MB

MD5
688392816c05c037c750656b6a8c58a5

SHA1
81afe3d46ca4b439eae55d8bec44c5b7eda98397

SHA256
efb61f5156ba3c3fae330b5975f1e3996306bb1e9bfbf1fe0f8ad01d3fc10c89

SHA512
5eab14039ab326124ce8220d118a8b68a19127883d00bef4f6078018651f45808699b087396b4ccef213dcff78a07e21ad114380a8604d212fecb347b9177201

Download Submit
\Users\Admin\AppData\Local\Temp\g88373\DbVisualizer.v6.5.1-Crack_setup.exe

Filesize
4.2MB

MD5
688392816c05c037c750656b6a8c58a5

SHA1
81afe3d46ca4b439eae55d8bec44c5b7eda98397

SHA256
efb61f5156ba3c3fae330b5975f1e3996306bb1e9bfbf1fe0f8ad01d3fc10c89

SHA512
5eab14039ab326124ce8220d118a8b68a19127883d00bef4f6078018651f45808699b087396b4ccef213dcff78a07e21ad114380a8604d212fecb347b9177201

Download Submit
\Users\Admin\AppData\Local\Temp\g88373\DbVisualizer.v6.5.1-Crack_setup.exe

Filesize
4.2MB

MD5
688392816c05c037c750656b6a8c58a5

SHA1
81afe3d46ca4b439eae55d8bec44c5b7eda98397

SHA256
efb61f5156ba3c3fae330b5975f1e3996306bb1e9bfbf1fe0f8ad01d3fc10c89

SHA512
5eab14039ab326124ce8220d118a8b68a19127883d00bef4f6078018651f45808699b087396b4ccef213dcff78a07e21ad114380a8604d212fecb347b9177201

Download Submit
\Users\Admin\AppData\Local\Temp\g88373\DbVisualizer.v6.5.1-Crack_setup.exe

Filesize
4.2MB

MD5
688392816c05c037c750656b6a8c58a5

SHA1
81afe3d46ca4b439eae55d8bec44c5b7eda98397

SHA256
efb61f5156ba3c3fae330b5975f1e3996306bb1e9bfbf1fe0f8ad01d3fc10c89

SHA512
5eab14039ab326124ce8220d118a8b68a19127883d00bef4f6078018651f45808699b087396b4ccef213dcff78a07e21ad114380a8604d212fecb347b9177201

Download Submit
memory/1612-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads