ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c

Analysis

max time kernel
33s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe
Size

44.1MB
MD5

da59050c06f96b5375c806af9d178fa1
SHA1

c974765db3b9b3936acc0bd2c48fe2b9f8ddb2e1
SHA256

ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c
SHA512

a19328c05c7d97a21b0126e8ee0cea72442221ae6569f0c03b814d1e2bb494e51849974818a8ca9aface697610965ac6dbe248e49633ff9212f0e521160e8681
SSDEEP

196608:EN+0S3Q6CabWI9zp7KZ3RjH8pYWkcvZJfhGkmb:EM0S3Q6CaiI6ZJ8pYAvZJk

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
1564	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Loads dropped DLL 7 IoCs

pid	Process
1752	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe
1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
1564	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe
1564	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c = "C:\\Users\\Public\\Iscmn\\Agbac.exe /ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c"	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1564	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe
1564	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1720	1752	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	28
PID 1752 wrote to memory of 1720	1752	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	28
PID 1752 wrote to memory of 1720	1752	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	28
PID 1752 wrote to memory of 1720	1752	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	28
PID 1752 wrote to memory of 1720	1752	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	28
PID 1752 wrote to memory of 1720	1752	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	28
PID 1752 wrote to memory of 1720	1752	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	28
PID 1720 wrote to memory of 1936	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	29
PID 1720 wrote to memory of 1936	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	29
PID 1720 wrote to memory of 1936	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	29
PID 1720 wrote to memory of 1936	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	29
PID 1720 wrote to memory of 1936	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	29
PID 1720 wrote to memory of 1936	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	29
PID 1720 wrote to memory of 1936	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	29
PID 1936 wrote to memory of 1636	1936	Net.exe	31
PID 1936 wrote to memory of 1636	1936	Net.exe	31
PID 1936 wrote to memory of 1636	1936	Net.exe	31
PID 1936 wrote to memory of 1636	1936	Net.exe	31
PID 1936 wrote to memory of 1636	1936	Net.exe	31
PID 1936 wrote to memory of 1636	1936	Net.exe	31
PID 1936 wrote to memory of 1636	1936	Net.exe	31
PID 1720 wrote to memory of 1564	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	32
PID 1720 wrote to memory of 1564	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	32
PID 1720 wrote to memory of 1564	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	32
PID 1720 wrote to memory of 1564	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	32
PID 1720 wrote to memory of 1564	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	32
PID 1720 wrote to memory of 1564	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	32
PID 1720 wrote to memory of 1564	1720	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	32

C:\Users\Admin\AppData\Local\Temp\ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe
"C:\Users\Admin\AppData\Local\Temp\ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\Eamue760\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
  C:\Users\Admin\AppData\Local\Temp\Eamue760\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\Net.exe
    Net Stop PcaSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 Stop PcaSvc
      4⤵
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\g83FFE\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe
    C:\Users\Admin\AppData\Local\Temp\g83FFE\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eamue760\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Filesize
22.0MB

MD5
18410294a8218f0a0642e0fa2e53fd4f

SHA1
72446bf0d5ce2553382ecc856db5c13c0cb14fe3

SHA256
9868637f89bad81c4c5e7ce224b3ea899cb9993dfb1a567262a7b16fd32299da

SHA512
7c7032d773f934430870e680bf58aebe22c69740cf433f05d79da961b071913d51d36ac00c0326224150e38aa63260686590d48d41c45811177f1c33de229798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eamue760\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Filesize
22.0MB

MD5
18410294a8218f0a0642e0fa2e53fd4f

SHA1
72446bf0d5ce2553382ecc856db5c13c0cb14fe3

SHA256
9868637f89bad81c4c5e7ce224b3ea899cb9993dfb1a567262a7b16fd32299da

SHA512
7c7032d773f934430870e680bf58aebe22c69740cf433f05d79da961b071913d51d36ac00c0326224150e38aa63260686590d48d41c45811177f1c33de229798

Download Submit
C:\Users\Admin\AppData\Local\Temp\g83FFE\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Filesize
180KB

MD5
30bde9c271b5749920c2da98bb0b8099

SHA1
ca8a97ef55224c91f3fa31d807679b6104ecf9a6

SHA256
b003d1d803ab3574734f7570ad5426d53851e091759cce7f7908861bf2febd1f

SHA512
ad1e622fd5171c38756070bfc7fb2137d0bc0b7a294e85700107bb031bf227bba3e675d4eb83e4d45551b0954d4e9aa44752f545a719b564d6a1002d541c6f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\g83FFE\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Filesize
180KB

MD5
30bde9c271b5749920c2da98bb0b8099

SHA1
ca8a97ef55224c91f3fa31d807679b6104ecf9a6

SHA256
b003d1d803ab3574734f7570ad5426d53851e091759cce7f7908861bf2febd1f

SHA512
ad1e622fd5171c38756070bfc7fb2137d0bc0b7a294e85700107bb031bf227bba3e675d4eb83e4d45551b0954d4e9aa44752f545a719b564d6a1002d541c6f57

Download Submit
\Users\Admin\AppData\Local\Temp\Eamue760\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Filesize
22.0MB

MD5
18410294a8218f0a0642e0fa2e53fd4f

SHA1
72446bf0d5ce2553382ecc856db5c13c0cb14fe3

SHA256
9868637f89bad81c4c5e7ce224b3ea899cb9993dfb1a567262a7b16fd32299da

SHA512
7c7032d773f934430870e680bf58aebe22c69740cf433f05d79da961b071913d51d36ac00c0326224150e38aa63260686590d48d41c45811177f1c33de229798

Download Submit
\Users\Admin\AppData\Local\Temp\Eamue760\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Filesize
22.0MB

MD5
18410294a8218f0a0642e0fa2e53fd4f

SHA1
72446bf0d5ce2553382ecc856db5c13c0cb14fe3

SHA256
9868637f89bad81c4c5e7ce224b3ea899cb9993dfb1a567262a7b16fd32299da

SHA512
7c7032d773f934430870e680bf58aebe22c69740cf433f05d79da961b071913d51d36ac00c0326224150e38aa63260686590d48d41c45811177f1c33de229798

Download Submit
\Users\Admin\AppData\Local\Temp\Eamue760\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Filesize
22.0MB

MD5
18410294a8218f0a0642e0fa2e53fd4f

SHA1
72446bf0d5ce2553382ecc856db5c13c0cb14fe3

SHA256
9868637f89bad81c4c5e7ce224b3ea899cb9993dfb1a567262a7b16fd32299da

SHA512
7c7032d773f934430870e680bf58aebe22c69740cf433f05d79da961b071913d51d36ac00c0326224150e38aa63260686590d48d41c45811177f1c33de229798

Download Submit
\Users\Admin\AppData\Local\Temp\Eamue760\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Filesize
22.0MB

MD5
18410294a8218f0a0642e0fa2e53fd4f

SHA1
72446bf0d5ce2553382ecc856db5c13c0cb14fe3

SHA256
9868637f89bad81c4c5e7ce224b3ea899cb9993dfb1a567262a7b16fd32299da

SHA512
7c7032d773f934430870e680bf58aebe22c69740cf433f05d79da961b071913d51d36ac00c0326224150e38aa63260686590d48d41c45811177f1c33de229798

Download Submit
\Users\Admin\AppData\Local\Temp\g83FFE\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Filesize
180KB

MD5
30bde9c271b5749920c2da98bb0b8099

SHA1
ca8a97ef55224c91f3fa31d807679b6104ecf9a6

SHA256
b003d1d803ab3574734f7570ad5426d53851e091759cce7f7908861bf2febd1f

SHA512
ad1e622fd5171c38756070bfc7fb2137d0bc0b7a294e85700107bb031bf227bba3e675d4eb83e4d45551b0954d4e9aa44752f545a719b564d6a1002d541c6f57

Download Submit
\Users\Admin\AppData\Local\Temp\g83FFE\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Filesize
180KB

MD5
30bde9c271b5749920c2da98bb0b8099

SHA1
ca8a97ef55224c91f3fa31d807679b6104ecf9a6

SHA256
b003d1d803ab3574734f7570ad5426d53851e091759cce7f7908861bf2febd1f

SHA512
ad1e622fd5171c38756070bfc7fb2137d0bc0b7a294e85700107bb031bf227bba3e675d4eb83e4d45551b0954d4e9aa44752f545a719b564d6a1002d541c6f57

Download Submit
\Users\Admin\AppData\Local\Temp\g83FFE\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Filesize
180KB

MD5
30bde9c271b5749920c2da98bb0b8099

SHA1
ca8a97ef55224c91f3fa31d807679b6104ecf9a6

SHA256
b003d1d803ab3574734f7570ad5426d53851e091759cce7f7908861bf2febd1f

SHA512
ad1e622fd5171c38756070bfc7fb2137d0bc0b7a294e85700107bb031bf227bba3e675d4eb83e4d45551b0954d4e9aa44752f545a719b564d6a1002d541c6f57

Download Submit
memory/1752-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads