ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c

General

Target

ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe
Size

44.1MB
MD5

da59050c06f96b5375c806af9d178fa1
SHA1

c974765db3b9b3936acc0bd2c48fe2b9f8ddb2e1
SHA256

ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c
SHA512

a19328c05c7d97a21b0126e8ee0cea72442221ae6569f0c03b814d1e2bb494e51849974818a8ca9aface697610965ac6dbe248e49633ff9212f0e521160e8681
SSDEEP

196608:EN+0S3Q6CabWI9zp7KZ3RjH8pYWkcvZJfhGkmb:EM0S3Q6CaiI6ZJ8pYAvZJk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4832	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
4448	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c = "C:\\Users\\Public\\Ujhz\\Viqz.exe /ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c"	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD = "C:\\Program Files\\Tzbib\\Zuzyx.exe /ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD /{3F50AEE5-AB9D-4C04-BB88-9687C7AC8944}"	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Tzbib\lozose\paltes.dll	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File created	C:\Program Files\Tzbib\mameos.exe	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File created	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File created	C:\Program Files\Tzbib\dases.exe	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File opened for modification	C:\Program Files\Tzbib\lozose\paltes.dll	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File created	C:\Program Files\Tzbib\lozose\pat.xml	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File opened for modification	C:\Program Files\Tzbib\lozose\pat.xml	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File opened for modification	C:\Program Files\Tzbib\mameos.exe	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
File opened for modification	C:\Program Files\Tzbib\dases.exe	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4448	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe
4448	ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 4832	3348	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	80
PID 3348 wrote to memory of 4832	3348	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	80
PID 3348 wrote to memory of 4832	3348	ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe	80
PID 4832 wrote to memory of 4448	4832	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	81
PID 4832 wrote to memory of 4448	4832	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	81
PID 4832 wrote to memory of 4448	4832	objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe	81

C:\Users\Admin\AppData\Local\Temp\ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe
"C:\Users\Admin\AppData\Local\Temp\ba4095b52bd5f8e05596d22cf99d642e783b5022d611119c6c06e0267f0f1c4c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Local\Temp\Hiurt686\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
  C:\Users\Admin\AppData\Local\Temp\Hiurt686\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\g8E1AA\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe
    C:\Users\Admin\AppData\Local\Temp\g8E1AA\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hiurt686\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Filesize
22.0MB

MD5
18410294a8218f0a0642e0fa2e53fd4f

SHA1
72446bf0d5ce2553382ecc856db5c13c0cb14fe3

SHA256
9868637f89bad81c4c5e7ce224b3ea899cb9993dfb1a567262a7b16fd32299da

SHA512
7c7032d773f934430870e680bf58aebe22c69740cf433f05d79da961b071913d51d36ac00c0326224150e38aa63260686590d48d41c45811177f1c33de229798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hiurt686\objectrescue.pro.v5.1.490.winall.keygen.and.patch-brd_setup.exe

Filesize
22.0MB

MD5
18410294a8218f0a0642e0fa2e53fd4f

SHA1
72446bf0d5ce2553382ecc856db5c13c0cb14fe3

SHA256
9868637f89bad81c4c5e7ce224b3ea899cb9993dfb1a567262a7b16fd32299da

SHA512
7c7032d773f934430870e680bf58aebe22c69740cf433f05d79da961b071913d51d36ac00c0326224150e38aa63260686590d48d41c45811177f1c33de229798

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8E1AA\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Filesize
180KB

MD5
30bde9c271b5749920c2da98bb0b8099

SHA1
ca8a97ef55224c91f3fa31d807679b6104ecf9a6

SHA256
b003d1d803ab3574734f7570ad5426d53851e091759cce7f7908861bf2febd1f

SHA512
ad1e622fd5171c38756070bfc7fb2137d0bc0b7a294e85700107bb031bf227bba3e675d4eb83e4d45551b0954d4e9aa44752f545a719b564d6a1002d541c6f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8E1AA\ObjectRescue.Pro.v5.1.490.WinALL.Keygen.and.Patch-BRD_setup.exe

Filesize
180KB

MD5
30bde9c271b5749920c2da98bb0b8099

SHA1
ca8a97ef55224c91f3fa31d807679b6104ecf9a6

SHA256
b003d1d803ab3574734f7570ad5426d53851e091759cce7f7908861bf2febd1f

SHA512
ad1e622fd5171c38756070bfc7fb2137d0bc0b7a294e85700107bb031bf227bba3e675d4eb83e4d45551b0954d4e9aa44752f545a719b564d6a1002d541c6f57

Download Submit

Analysis

Sharing