bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4

Analysis

max time kernel
169s
max time network
64s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe
Size

1.7MB
MD5

d0cf4a34959b60e2811c612a9005d67f
SHA1

9a3f6386d389b9e90935eb3e4922a3dd5c67ecc4
SHA256

bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4
SHA512

c6195f647f1d34cb18bf17a6c7a1c9c0285fe67d658fb42261e7b720f960d3aaf71ade9f52276bd55d875c9cd3233dd2885b6af0ee1f12bc9cf80444f17577cd
SSDEEP

49152:Ghpa04tCZTYPWRX7gGqo3gwgQWGvhYtFN:WpJTY8Lglo3jgnGvhUb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1536	focusmagic302.exe
916	is-PTHMC.tmp
1444	tish.exe

Loads dropped DLL 13 IoCs

pid	Process
1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe
1536	focusmagic302.exe
1536	focusmagic302.exe
1536	focusmagic302.exe
916	is-PTHMC.tmp
916	is-PTHMC.tmp
916	is-PTHMC.tmp
916	is-PTHMC.tmp
1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe
1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe
1444	tish.exe
1444	tish.exe
1444	tish.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
916	is-PTHMC.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 1536	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	28
PID 1332 wrote to memory of 1536	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	28
PID 1332 wrote to memory of 1536	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	28
PID 1332 wrote to memory of 1536	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	28
PID 1332 wrote to memory of 1536	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	28
PID 1332 wrote to memory of 1536	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	28
PID 1332 wrote to memory of 1536	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	28
PID 1536 wrote to memory of 916	1536	focusmagic302.exe	29
PID 1536 wrote to memory of 916	1536	focusmagic302.exe	29
PID 1536 wrote to memory of 916	1536	focusmagic302.exe	29
PID 1536 wrote to memory of 916	1536	focusmagic302.exe	29
PID 1536 wrote to memory of 916	1536	focusmagic302.exe	29
PID 1536 wrote to memory of 916	1536	focusmagic302.exe	29
PID 1536 wrote to memory of 916	1536	focusmagic302.exe	29
PID 1332 wrote to memory of 1444	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	30
PID 1332 wrote to memory of 1444	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	30
PID 1332 wrote to memory of 1444	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	30
PID 1332 wrote to memory of 1444	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	30
PID 1332 wrote to memory of 1444	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	30
PID 1332 wrote to memory of 1444	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	30
PID 1332 wrote to memory of 1444	1332	bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe	30

C:\Users\Admin\AppData\Local\Temp\bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe
"C:\Users\Admin\AppData\Local\Temp\bfbaf4d497c3df1f35954afc9fe982e18fca24de805381796ba4596d66ef56e4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\focusmagic302.exe
  "C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\focusmagic302.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\is-2JKLP.tmp\is-PTHMC.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2JKLP.tmp\is-PTHMC.tmp" /SL4 $70124 "C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\focusmagic302.exe" 1524922 52736
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:916
- C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe
  "C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2JKLP.tmp\is-PTHMC.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2JKLP.tmp\is-PTHMC.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\focusmagic302.exe

Filesize
1.7MB

MD5
056054e7dd92aa1e0ddecbeb7d9e35ca

SHA1
c0f0c20a548e6eb0a714fb75293604048025087e

SHA256
8a955f8d0054ddb65239263d9d0d127c21df1771ccbf277cc3b31a9a53a7dd10

SHA512
87e6d16934ff1471035eda476d0ac2e3edef058dc21f57dff429207b735026f7f67873862bb5f9e207d6dacd5c02cf1a4e01a4a3d57897d3c4cc72fd2100254e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\focusmagic302.exe

Filesize
1.7MB

MD5
056054e7dd92aa1e0ddecbeb7d9e35ca

SHA1
c0f0c20a548e6eb0a714fb75293604048025087e

SHA256
8a955f8d0054ddb65239263d9d0d127c21df1771ccbf277cc3b31a9a53a7dd10

SHA512
87e6d16934ff1471035eda476d0ac2e3edef058dc21f57dff429207b735026f7f67873862bb5f9e207d6dacd5c02cf1a4e01a4a3d57897d3c4cc72fd2100254e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\is-2JKLP.tmp\is-PTHMC.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
\Users\Admin\AppData\Local\Temp\is-R5HC0.tmp\InstallPlugin.dll

Filesize
64KB

MD5
ea3aa1c32c0bfa9871232a1226a630da

SHA1
83950609113231367249fc235366e45d3bd01dff

SHA256
10dd9612af692f8816a3ef7b004f51c6411902db11b23150dd3ea86fefeb48be

SHA512
1d68f6b8eae4d18a819ae0d91d5d572c434d6fae6f64156c9ee2a03feea9e7601a3e95e13d00250adb15fdac219ddd739cd0287dec220253ae2cc729e2f5f391

Download Submit
\Users\Admin\AppData\Local\Temp\is-R5HC0.tmp\Setup.dll

Filesize
44KB

MD5
9ca37d41a622671d3a8033f5e72c4762

SHA1
9a34cd7098b722f654327fb92cb7e8f9b7adb0c1

SHA256
f55971b59a13a3db5d1a722dee824ebdb71602e6d00d3a61b58323e7295fad53

SHA512
813aa7495ef69497421a0904796824e9a26d35f0a3d2a48f3d475204207d104eb42cc14d8475db55d5c78fdb8469a1643c9e9e2b41b11d3b642018e2657dd885

Download Submit
\Users\Admin\AppData\Local\Temp\is-R5HC0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-R5HC0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\focusmagic302.exe

Filesize
1.7MB

MD5
056054e7dd92aa1e0ddecbeb7d9e35ca

SHA1
c0f0c20a548e6eb0a714fb75293604048025087e

SHA256
8a955f8d0054ddb65239263d9d0d127c21df1771ccbf277cc3b31a9a53a7dd10

SHA512
87e6d16934ff1471035eda476d0ac2e3edef058dc21f57dff429207b735026f7f67873862bb5f9e207d6dacd5c02cf1a4e01a4a3d57897d3c4cc72fd2100254e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\focusmagic302.exe

Filesize
1.7MB

MD5
056054e7dd92aa1e0ddecbeb7d9e35ca

SHA1
c0f0c20a548e6eb0a714fb75293604048025087e

SHA256
8a955f8d0054ddb65239263d9d0d127c21df1771ccbf277cc3b31a9a53a7dd10

SHA512
87e6d16934ff1471035eda476d0ac2e3edef058dc21f57dff429207b735026f7f67873862bb5f9e207d6dacd5c02cf1a4e01a4a3d57897d3c4cc72fd2100254e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\focusmagic302.exe

Filesize
1.7MB

MD5
056054e7dd92aa1e0ddecbeb7d9e35ca

SHA1
c0f0c20a548e6eb0a714fb75293604048025087e

SHA256
8a955f8d0054ddb65239263d9d0d127c21df1771ccbf277cc3b31a9a53a7dd10

SHA512
87e6d16934ff1471035eda476d0ac2e3edef058dc21f57dff429207b735026f7f67873862bb5f9e207d6dacd5c02cf1a4e01a4a3d57897d3c4cc72fd2100254e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAE4C.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
memory/916-73-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1332-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1536-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1536-74-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download