83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838

Analysis

max time kernel
138s
max time network
80s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
Size

2.6MB
MD5

8f30495351188a6fdd3da179691e6a97
SHA1

dfbfb496f2f7662eea3c9d88e398995864449c0f
SHA256

83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838
SHA512

68fce63f11ca17872944732fa1ef19ab056b87fd018affb4902477d3cc0f873dc0a28a22f5b693779a425b118bf581fa60e78bfbc879f7814d2164cd5afdd9cb
SSDEEP

49152:puiDR7ztcKayMNSe6jgzcbQb1Yj4qtEhxDEC/POVpa9L/ZXk9Dea7c6qmub:pR5payMNSXA76Jqx//2K9L0yaQTmub

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1056	MediaXCodec.exe
2016	RegSupreme Pro 1.7.0.416.exe
760	is-2SDJL.tmp

Loads dropped DLL 11 IoCs

pid	Process
940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
1056	MediaXCodec.exe
1056	MediaXCodec.exe
1056	MediaXCodec.exe
2016	RegSupreme Pro 1.7.0.416.exe
2016	RegSupreme Pro 1.7.0.416.exe
2016	RegSupreme Pro 1.7.0.416.exe
760	is-2SDJL.tmp
760	is-2SDJL.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	MediaXCodec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Player.exe"	MediaXCodec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
760	is-2SDJL.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1056	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	28
PID 940 wrote to memory of 1056	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	28
PID 940 wrote to memory of 1056	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	28
PID 940 wrote to memory of 1056	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	28
PID 940 wrote to memory of 1056	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	28
PID 940 wrote to memory of 1056	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	28
PID 940 wrote to memory of 1056	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	28
PID 940 wrote to memory of 2016	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	29
PID 940 wrote to memory of 2016	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	29
PID 940 wrote to memory of 2016	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	29
PID 940 wrote to memory of 2016	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	29
PID 940 wrote to memory of 2016	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	29
PID 940 wrote to memory of 2016	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	29
PID 940 wrote to memory of 2016	940	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	29
PID 2016 wrote to memory of 760	2016	RegSupreme Pro 1.7.0.416.exe	30
PID 2016 wrote to memory of 760	2016	RegSupreme Pro 1.7.0.416.exe	30
PID 2016 wrote to memory of 760	2016	RegSupreme Pro 1.7.0.416.exe	30
PID 2016 wrote to memory of 760	2016	RegSupreme Pro 1.7.0.416.exe	30
PID 2016 wrote to memory of 760	2016	RegSupreme Pro 1.7.0.416.exe	30
PID 2016 wrote to memory of 760	2016	RegSupreme Pro 1.7.0.416.exe	30
PID 2016 wrote to memory of 760	2016	RegSupreme Pro 1.7.0.416.exe	30

C:\Users\Admin\AppData\Local\Temp\83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
"C:\Users\Admin\AppData\Local\Temp\83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe
  "C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe
  "C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\is-61240.tmp\is-2SDJL.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-61240.tmp\is-2SDJL.tmp" /SL4 $70126 "C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe" 2429367 52736
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe

Filesize
2.5MB

MD5
7cd42a624a678a23204baeb903d94a47

SHA1
9d58ee33932fa0d13c41f98fd01b41538e60ffef

SHA256
d03c204f98c74dc9e38e8f17d926c31d600ae4fe2f596dfd2e499145b07622f7

SHA512
83bb3df2dab8cc8fb1ee66fa9226a2eda26d45478740471858f36e217f887961cd617adad1448e12ad859f708ad1169df58d270bbc9cfc14d4cfa0a6e62ae9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe

Filesize
2.5MB

MD5
7cd42a624a678a23204baeb903d94a47

SHA1
9d58ee33932fa0d13c41f98fd01b41538e60ffef

SHA256
d03c204f98c74dc9e38e8f17d926c31d600ae4fe2f596dfd2e499145b07622f7

SHA512
83bb3df2dab8cc8fb1ee66fa9226a2eda26d45478740471858f36e217f887961cd617adad1448e12ad859f708ad1169df58d270bbc9cfc14d4cfa0a6e62ae9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-61240.tmp\is-2SDJL.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-61240.tmp\is-2SDJL.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe

Filesize
2.5MB

MD5
7cd42a624a678a23204baeb903d94a47

SHA1
9d58ee33932fa0d13c41f98fd01b41538e60ffef

SHA256
d03c204f98c74dc9e38e8f17d926c31d600ae4fe2f596dfd2e499145b07622f7

SHA512
83bb3df2dab8cc8fb1ee66fa9226a2eda26d45478740471858f36e217f887961cd617adad1448e12ad859f708ad1169df58d270bbc9cfc14d4cfa0a6e62ae9e6

Download Submit
\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe

Filesize
2.5MB

MD5
7cd42a624a678a23204baeb903d94a47

SHA1
9d58ee33932fa0d13c41f98fd01b41538e60ffef

SHA256
d03c204f98c74dc9e38e8f17d926c31d600ae4fe2f596dfd2e499145b07622f7

SHA512
83bb3df2dab8cc8fb1ee66fa9226a2eda26d45478740471858f36e217f887961cd617adad1448e12ad859f708ad1169df58d270bbc9cfc14d4cfa0a6e62ae9e6

Download Submit
\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe

Filesize
2.5MB

MD5
7cd42a624a678a23204baeb903d94a47

SHA1
9d58ee33932fa0d13c41f98fd01b41538e60ffef

SHA256
d03c204f98c74dc9e38e8f17d926c31d600ae4fe2f596dfd2e499145b07622f7

SHA512
83bb3df2dab8cc8fb1ee66fa9226a2eda26d45478740471858f36e217f887961cd617adad1448e12ad859f708ad1169df58d270bbc9cfc14d4cfa0a6e62ae9e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-4GKBT.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4GKBT.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-61240.tmp\is-2SDJL.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
memory/940-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2016-71-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2016-77-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download