fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579

Analysis

max time kernel
187s
max time network
207s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe
Size

965KB
MD5

927c42ce51b7b2b1903270f8ee5acf57
SHA1

e04cc3f832c86d58b7d467db7c5d3a27b0cdc089
SHA256

fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579
SHA512

27ff52228b637efd71f0f0d1709170a8877a18a71fc545ab8ac8e2871c3b5ff1393d8093806db10b4e8485e975cb84d5300b5e9e41bbe2c479bc10ecf10ac9cf
SSDEEP

6144:cpCZbMPOxR8g91EoDZbMPOxR8yaZbMPOxR8IW62raFR8IMPO9I8y:ztt91EoVtrmthW6Ya59e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1508	ERROR-VOX V.1 BETA.exe

Loads dropped DLL 5 IoCs

pid	Process
1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe
1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe
956	regsvr32.exe
1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe
1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FTPDL.dll	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FTPDL.CFTPDL\ = "FTPDL.CFTPDL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\TypeLib\ = "{08FFC719-EE31-4EF0-BF44-175E1F88B68B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FTPDL.CFTPDL\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\ = "FTPDL.CFTPDL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FTPDL.CFTPDL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\FTPDL.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\TypeLib\ = "{08FFC719-EE31-4EF0-BF44-175E1F88B68B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\TypeLib\ = "{08FFC719-EE31-4EF0-BF44-175E1F88B68B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FTPDL.CFTPDL\Clsid\ = "{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0\ = "FTPDL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{08FFC719-EE31-4EF0-BF44-175E1F88B68B}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ = "_CFTPDL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ = "CFTPDL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FTPDL.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD718B6-DFED-4732-AD83-26DD5AA5B89B}\ = "_CFTPDL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\ProgID\ = "FTPDL.CFTPDL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5FD464-AF4F-45A6-BF42-2C6A731D49DF}\TypeLib	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe
1508	ERROR-VOX V.1 BETA.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1508	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	28
PID 1488 wrote to memory of 1508	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	28
PID 1488 wrote to memory of 1508	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	28
PID 1488 wrote to memory of 1508	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	28
PID 1488 wrote to memory of 956	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	29
PID 1488 wrote to memory of 956	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	29
PID 1488 wrote to memory of 956	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	29
PID 1488 wrote to memory of 956	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	29
PID 1488 wrote to memory of 956	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	29
PID 1488 wrote to memory of 956	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	29
PID 1488 wrote to memory of 956	1488	fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe	29

C:\Users\Admin\AppData\Local\Temp\fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe
"C:\Users\Admin\AppData\Local\Temp\fb88bf1b48420d985dfeee2462af709e7173cbf6a7227a36220ff822d4d7b579.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\ERROR-VOX V.1 BETA.exe
  "C:\Users\Admin\AppData\Local\Temp\ERROR-VOX V.1 BETA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1508
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s FTPDL.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ERROR-VOX V.1 BETA.exe

Filesize
452KB

MD5
0bbd83c933a9ac9640f7835812d47f14

SHA1
02bb5ebb97fd2c350970d9b5fab785f4cb4f2918

SHA256
4161fc5254b072f78fe4dd3404b4927b787d702e380bb751176cdf90c7a61303

SHA512
f5f7ab4c056c6d34ea4a15ae9badd70530827307601a0a60b0042c8cbddfe7c1c29faae784361246ea89ac25ed7c2c44a4c6633a7957138b527be4c03d9c872a

Download Submit
C:\Windows\SysWOW64\FTPDL.dll

Filesize
28KB

MD5
26d30e2bb6fc830c69c2e3ba132f1761

SHA1
4e7cdc813da6b1c973b65d0c4078f2c1316899f6

SHA256
006c84d7707608e577add6443d556e09f55cea6a5dfabfd3ea03a6aca40ab8b0

SHA512
b2edea2b3b32581ffde60b38349269efd4e77adbb38fe25b9fc8cde34fd0c0792026d8a385445aaf9cf791a7eb2cd817c023f4ba621f60124f5b275e6c7ba0dd

Download Submit
\Users\Admin\AppData\Local\Temp\ERROR-VOX V.1 BETA.exe

Filesize
452KB

MD5
0bbd83c933a9ac9640f7835812d47f14

SHA1
02bb5ebb97fd2c350970d9b5fab785f4cb4f2918

SHA256
4161fc5254b072f78fe4dd3404b4927b787d702e380bb751176cdf90c7a61303

SHA512
f5f7ab4c056c6d34ea4a15ae9badd70530827307601a0a60b0042c8cbddfe7c1c29faae784361246ea89ac25ed7c2c44a4c6633a7957138b527be4c03d9c872a

Download Submit
\Users\Admin\AppData\Local\Temp\ERROR-VOX V.1 BETA.exe

Filesize
452KB

MD5
0bbd83c933a9ac9640f7835812d47f14

SHA1
02bb5ebb97fd2c350970d9b5fab785f4cb4f2918

SHA256
4161fc5254b072f78fe4dd3404b4927b787d702e380bb751176cdf90c7a61303

SHA512
f5f7ab4c056c6d34ea4a15ae9badd70530827307601a0a60b0042c8cbddfe7c1c29faae784361246ea89ac25ed7c2c44a4c6633a7957138b527be4c03d9c872a

Download Submit
\Windows\SysWOW64\FTPDL.dll

Filesize
28KB

MD5
26d30e2bb6fc830c69c2e3ba132f1761

SHA1
4e7cdc813da6b1c973b65d0c4078f2c1316899f6

SHA256
006c84d7707608e577add6443d556e09f55cea6a5dfabfd3ea03a6aca40ab8b0

SHA512
b2edea2b3b32581ffde60b38349269efd4e77adbb38fe25b9fc8cde34fd0c0792026d8a385445aaf9cf791a7eb2cd817c023f4ba621f60124f5b275e6c7ba0dd

Download Submit
\Windows\SysWOW64\FTPDL.dll

Filesize
28KB

MD5
26d30e2bb6fc830c69c2e3ba132f1761

SHA1
4e7cdc813da6b1c973b65d0c4078f2c1316899f6

SHA256
006c84d7707608e577add6443d556e09f55cea6a5dfabfd3ea03a6aca40ab8b0

SHA512
b2edea2b3b32581ffde60b38349269efd4e77adbb38fe25b9fc8cde34fd0c0792026d8a385445aaf9cf791a7eb2cd817c023f4ba621f60124f5b275e6c7ba0dd

Download Submit
\Windows\SysWOW64\FTPDL.dll

Filesize
28KB

MD5
26d30e2bb6fc830c69c2e3ba132f1761

SHA1
4e7cdc813da6b1c973b65d0c4078f2c1316899f6

SHA256
006c84d7707608e577add6443d556e09f55cea6a5dfabfd3ea03a6aca40ab8b0

SHA512
b2edea2b3b32581ffde60b38349269efd4e77adbb38fe25b9fc8cde34fd0c0792026d8a385445aaf9cf791a7eb2cd817c023f4ba621f60124f5b275e6c7ba0dd

Download Submit
memory/956-63-0x0000000000000000-mapping.dmp

Download
memory/1488-56-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download