b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7

Analysis

max time kernel
163s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
Size

26.0MB
MD5

43663379bdcdbfb01c118b2df5041134
SHA1

a1c56c745b3b5afe42dce64803d25ad104c72e87
SHA256

b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7
SHA512

158af2221fd59f7a670a3ba54e74002ebc919344027c0f5b79bd0216b79b875781431dcf9c7c8e0cfd5b57db0fc4e7c944c08b8f881da1c6d6dbd7cdf86eea6d
SSDEEP

196608:5ZxpETyJc5qdnGNkcNls1+PQZyE4+vr2X3pcLn:5ZjETn4GNJNls1+AyEvK3On

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3592	DbVisualizer.v6.5.1-Crack_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DbVisualizer.v6.5.1-Crack = "C:\\Program Files\\Slwa\\Cvecr.exe /DbVisualizer.v6.5.1-Crack /{55837C80-EAB1-46E8-ADF7-BFF830504859}"	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Slwa\dumeos\pat.xml	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File created	C:\Program Files\Slwa\dumeos\socoef.dll	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File opened for modification	C:\Program Files\Slwa\dumeos\socoef.dll	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File opened for modification	C:\Program Files\Slwa\lagese.exe	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File opened for modification	C:\Program Files\Slwa\laneos.exe	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File created	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File created	C:\Program Files\Slwa\dumeos\pat.xml	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File created	C:\Program Files\Slwa\lagese.exe	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File created	C:\Program Files\Slwa\laneos.exe	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3592	DbVisualizer.v6.5.1-Crack_setup.exe
3592	DbVisualizer.v6.5.1-Crack_setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 3592	3332	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	88
PID 3332 wrote to memory of 3592	3332	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	88
PID 3332 wrote to memory of 3592	3332	b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe	88

C:\Users\Admin\AppData\Local\Temp\b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe
"C:\Users\Admin\AppData\Local\Temp\b589d8d51b7ab7fc156c928b8adcee5dcb1950a549b06cca12a9e140d6de9ee7.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\g8B1FA\DbVisualizer.v6.5.1-Crack_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g8B1FA\DbVisualizer.v6.5.1-Crack_setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g8B1FA\DbVisualizer.v6.5.1-Crack_setup.exe

Filesize
4.2MB

MD5
688392816c05c037c750656b6a8c58a5

SHA1
81afe3d46ca4b439eae55d8bec44c5b7eda98397

SHA256
efb61f5156ba3c3fae330b5975f1e3996306bb1e9bfbf1fe0f8ad01d3fc10c89

SHA512
5eab14039ab326124ce8220d118a8b68a19127883d00bef4f6078018651f45808699b087396b4ccef213dcff78a07e21ad114380a8604d212fecb347b9177201

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8B1FA\DbVisualizer.v6.5.1-Crack_setup.exe

Filesize
4.2MB

MD5
688392816c05c037c750656b6a8c58a5

SHA1
81afe3d46ca4b439eae55d8bec44c5b7eda98397

SHA256
efb61f5156ba3c3fae330b5975f1e3996306bb1e9bfbf1fe0f8ad01d3fc10c89

SHA512
5eab14039ab326124ce8220d118a8b68a19127883d00bef4f6078018651f45808699b087396b4ccef213dcff78a07e21ad114380a8604d212fecb347b9177201

Download Submit