Analysis
-
max time kernel
450s -
max time network
577s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
05/12/2022, 19:26
General
-
Target
4395456f701bb04e5707f09656f54a16a29722d791b26063fee4ef6babb9fb56.exe
-
Size
72KB
-
MD5
0a3be690f5a4f3ce297daba61a2e3c76
-
SHA1
d10e35a2cadd78b01154340c0d7b4b04aefcbf8b
-
SHA256
4395456f701bb04e5707f09656f54a16a29722d791b26063fee4ef6babb9fb56
-
SHA512
aaa570c8c155e8ca00b3e056f6a58295277b439cccef8738722cf74df2c1702389b46baa6d4e4428e18ca053c6140857f92e081e2c9dd67eab9a7e66a6e63fa6
-
SSDEEP
384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2M:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPY
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 14 IoCs
-
Disables RegEdit via registry modification 28 IoCs
-
Executes dropped EXE 16 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
System policy modification 1 TTPs 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4395456f701bb04e5707f09656f54a16a29722d791b26063fee4ef6babb9fb56.exe"C:\Users\Admin\AppData\Local\Temp\4395456f701bb04e5707f09656f54a16a29722d791b26063fee4ef6babb9fb56.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\3407755535\backup.exeC:\Users\Admin\AppData\Local\Temp\3407755535\backup.exe C:\Users\Admin\AppData\Local\Temp\3407755535\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\data.exe\data.exe \3⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\odt\backup.exeC:\odt\backup.exe C:\odt\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\PerfLogs\update.exeC:\PerfLogs\update.exe C:\PerfLogs\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Program Files\backup.exe"C:\Program Files\backup.exe" C:\Program Files\4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
-
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Common Files\DESIGNER\backup.exe"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Program Files\Common Files\microsoft shared\backup.exe"C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exeC:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exeC:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exeC:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeC:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD57daaeff247a772860bb53567fc666e66
SHA1fd87b66393b6c0b431577978f3818eb1454f0ae2
SHA2565e9fa7aba98a4aa648311fdb9ed566713e80756ff93e9f6ba7761ca8a2843228
SHA51269e3bf9e3ef508bbdf976c3e6e2ce760b4878960307ec21d276c50ce40c8bfe57983dcfdb036f7aa3a4ea0c3ebfd85d0344d0c3899665ccf85000edba3fd730e
-
Filesize
72KB
MD57daaeff247a772860bb53567fc666e66
SHA1fd87b66393b6c0b431577978f3818eb1454f0ae2
SHA2565e9fa7aba98a4aa648311fdb9ed566713e80756ff93e9f6ba7761ca8a2843228
SHA51269e3bf9e3ef508bbdf976c3e6e2ce760b4878960307ec21d276c50ce40c8bfe57983dcfdb036f7aa3a4ea0c3ebfd85d0344d0c3899665ccf85000edba3fd730e
-
Filesize
72KB
MD5a83b0433f819c3ff1861d9aeb1ddcbe3
SHA1ff0b0b216565ba0c40d868cf98f9f8ed0f26da5b
SHA256d1c51508014bfcb8400b0406e8e5f6032b9eb985237ea44b35505be615cbf08c
SHA51285792e07c2ae4e5d981acb4754d1a269f4a6d29c102da72493a69a56c27b9909de3128f95c51663c243a66ac62d24eca293525b663f4ff9e667c00d660891a6b
-
Filesize
72KB
MD5a83b0433f819c3ff1861d9aeb1ddcbe3
SHA1ff0b0b216565ba0c40d868cf98f9f8ed0f26da5b
SHA256d1c51508014bfcb8400b0406e8e5f6032b9eb985237ea44b35505be615cbf08c
SHA51285792e07c2ae4e5d981acb4754d1a269f4a6d29c102da72493a69a56c27b9909de3128f95c51663c243a66ac62d24eca293525b663f4ff9e667c00d660891a6b
-
Filesize
72KB
MD5d66fc1b62c89bd2c5e590e46135a47ff
SHA11b1774a5055dec69c9bf2b962d0510094881fd8b
SHA25609d9874d2c780eb0d9bbd1c9f4d29a90a6eb5adb8aa24f0cb608ee0ff2df15bf
SHA51280bc3d407c27e5bb95caf159273b1509f68a6fe566ee1073bbb228837279166d3752743135b74107984b936954003ee272994c489edec8c7c8b3031a7e877285
-
Filesize
72KB
MD5d66fc1b62c89bd2c5e590e46135a47ff
SHA11b1774a5055dec69c9bf2b962d0510094881fd8b
SHA25609d9874d2c780eb0d9bbd1c9f4d29a90a6eb5adb8aa24f0cb608ee0ff2df15bf
SHA51280bc3d407c27e5bb95caf159273b1509f68a6fe566ee1073bbb228837279166d3752743135b74107984b936954003ee272994c489edec8c7c8b3031a7e877285
-
Filesize
72KB
MD5a83b0433f819c3ff1861d9aeb1ddcbe3
SHA1ff0b0b216565ba0c40d868cf98f9f8ed0f26da5b
SHA256d1c51508014bfcb8400b0406e8e5f6032b9eb985237ea44b35505be615cbf08c
SHA51285792e07c2ae4e5d981acb4754d1a269f4a6d29c102da72493a69a56c27b9909de3128f95c51663c243a66ac62d24eca293525b663f4ff9e667c00d660891a6b
-
Filesize
72KB
MD5a83b0433f819c3ff1861d9aeb1ddcbe3
SHA1ff0b0b216565ba0c40d868cf98f9f8ed0f26da5b
SHA256d1c51508014bfcb8400b0406e8e5f6032b9eb985237ea44b35505be615cbf08c
SHA51285792e07c2ae4e5d981acb4754d1a269f4a6d29c102da72493a69a56c27b9909de3128f95c51663c243a66ac62d24eca293525b663f4ff9e667c00d660891a6b
-
Filesize
72KB
MD5d66fc1b62c89bd2c5e590e46135a47ff
SHA11b1774a5055dec69c9bf2b962d0510094881fd8b
SHA25609d9874d2c780eb0d9bbd1c9f4d29a90a6eb5adb8aa24f0cb608ee0ff2df15bf
SHA51280bc3d407c27e5bb95caf159273b1509f68a6fe566ee1073bbb228837279166d3752743135b74107984b936954003ee272994c489edec8c7c8b3031a7e877285
-
Filesize
72KB
MD5d66fc1b62c89bd2c5e590e46135a47ff
SHA11b1774a5055dec69c9bf2b962d0510094881fd8b
SHA25609d9874d2c780eb0d9bbd1c9f4d29a90a6eb5adb8aa24f0cb608ee0ff2df15bf
SHA51280bc3d407c27e5bb95caf159273b1509f68a6fe566ee1073bbb228837279166d3752743135b74107984b936954003ee272994c489edec8c7c8b3031a7e877285
-
Filesize
72KB
MD5a83b0433f819c3ff1861d9aeb1ddcbe3
SHA1ff0b0b216565ba0c40d868cf98f9f8ed0f26da5b
SHA256d1c51508014bfcb8400b0406e8e5f6032b9eb985237ea44b35505be615cbf08c
SHA51285792e07c2ae4e5d981acb4754d1a269f4a6d29c102da72493a69a56c27b9909de3128f95c51663c243a66ac62d24eca293525b663f4ff9e667c00d660891a6b
-
Filesize
72KB
MD5a83b0433f819c3ff1861d9aeb1ddcbe3
SHA1ff0b0b216565ba0c40d868cf98f9f8ed0f26da5b
SHA256d1c51508014bfcb8400b0406e8e5f6032b9eb985237ea44b35505be615cbf08c
SHA51285792e07c2ae4e5d981acb4754d1a269f4a6d29c102da72493a69a56c27b9909de3128f95c51663c243a66ac62d24eca293525b663f4ff9e667c00d660891a6b
-
Filesize
72KB
MD52d70fffcc9cb3fd81c6ec00efa73b6d2
SHA1cef7bece77a3503a1d077298a8ec2a6134e17546
SHA25606330508e16a69e0974acaec63bf8a49f337228968253fdfe6f14a789256103c
SHA5128a990e4c2383af6cf1a1aaa23a35439ee825eec46923dd18a52f601e0cf44918e8f03e8fc071258449fd8806f680628fed6b1dc6e33b5326441d83bf85465b6c
-
Filesize
72KB
MD52d70fffcc9cb3fd81c6ec00efa73b6d2
SHA1cef7bece77a3503a1d077298a8ec2a6134e17546
SHA25606330508e16a69e0974acaec63bf8a49f337228968253fdfe6f14a789256103c
SHA5128a990e4c2383af6cf1a1aaa23a35439ee825eec46923dd18a52f601e0cf44918e8f03e8fc071258449fd8806f680628fed6b1dc6e33b5326441d83bf85465b6c
-
Filesize
72KB
MD5353f342a6a20ea38732ffc3941b43a77
SHA171265fc8086c6f89486e75270d658524a42d06a2
SHA2567f2dbdc49a517010a82a71a6c8b345cf3e0de41a919a9812567d01574d33decd
SHA512d0c350afac0d834fa3b71bf9c90bd04ab2d9542f36da862989f1ca4e6c29d52f9c3f81554b5d2ce0d24e619666b3defb1a413b8d8c0292fb10cd72fa664b9228
-
Filesize
72KB
MD5353f342a6a20ea38732ffc3941b43a77
SHA171265fc8086c6f89486e75270d658524a42d06a2
SHA2567f2dbdc49a517010a82a71a6c8b345cf3e0de41a919a9812567d01574d33decd
SHA512d0c350afac0d834fa3b71bf9c90bd04ab2d9542f36da862989f1ca4e6c29d52f9c3f81554b5d2ce0d24e619666b3defb1a413b8d8c0292fb10cd72fa664b9228
-
Filesize
72KB
MD5353f342a6a20ea38732ffc3941b43a77
SHA171265fc8086c6f89486e75270d658524a42d06a2
SHA2567f2dbdc49a517010a82a71a6c8b345cf3e0de41a919a9812567d01574d33decd
SHA512d0c350afac0d834fa3b71bf9c90bd04ab2d9542f36da862989f1ca4e6c29d52f9c3f81554b5d2ce0d24e619666b3defb1a413b8d8c0292fb10cd72fa664b9228
-
Filesize
72KB
MD5353f342a6a20ea38732ffc3941b43a77
SHA171265fc8086c6f89486e75270d658524a42d06a2
SHA2567f2dbdc49a517010a82a71a6c8b345cf3e0de41a919a9812567d01574d33decd
SHA512d0c350afac0d834fa3b71bf9c90bd04ab2d9542f36da862989f1ca4e6c29d52f9c3f81554b5d2ce0d24e619666b3defb1a413b8d8c0292fb10cd72fa664b9228
-
Filesize
72KB
MD5f1f2294ab5494e839cf14af5c2535915
SHA19a5fac1466d448294f606da01e4df5e64473c065
SHA2560342f44388f19cc7740de72a49169aab4c07d11f300860b624309761f8f5f53b
SHA512e74c635fe62c431634e5510ed467b35b9fb3c42d210bf0026e1007a81102894df79e7f32139076b1bce581950f1400897ad5ab4ed3330af93d5657376f02166d
-
Filesize
72KB
MD5f1f2294ab5494e839cf14af5c2535915
SHA19a5fac1466d448294f606da01e4df5e64473c065
SHA2560342f44388f19cc7740de72a49169aab4c07d11f300860b624309761f8f5f53b
SHA512e74c635fe62c431634e5510ed467b35b9fb3c42d210bf0026e1007a81102894df79e7f32139076b1bce581950f1400897ad5ab4ed3330af93d5657376f02166d
-
Filesize
72KB
MD5505e527deaf4da6cb90ba13d0c39acc1
SHA1074851e49163c593278ecb5ba4e896a19f511716
SHA256c58ea735b0fd7e4cf063103fcb86c58f4ea401214c06211a54516ac13f529e40
SHA512a4a35406407413c0413e2439380a74c67aefa98a6b2c41e70c82be6c210b189047e53eebc2dbc5a59ce2bf342e483a5125052e0fc01905f21b6fb1fb0082035c
-
Filesize
72KB
MD5505e527deaf4da6cb90ba13d0c39acc1
SHA1074851e49163c593278ecb5ba4e896a19f511716
SHA256c58ea735b0fd7e4cf063103fcb86c58f4ea401214c06211a54516ac13f529e40
SHA512a4a35406407413c0413e2439380a74c67aefa98a6b2c41e70c82be6c210b189047e53eebc2dbc5a59ce2bf342e483a5125052e0fc01905f21b6fb1fb0082035c
-
Filesize
72KB
MD5353f342a6a20ea38732ffc3941b43a77
SHA171265fc8086c6f89486e75270d658524a42d06a2
SHA2567f2dbdc49a517010a82a71a6c8b345cf3e0de41a919a9812567d01574d33decd
SHA512d0c350afac0d834fa3b71bf9c90bd04ab2d9542f36da862989f1ca4e6c29d52f9c3f81554b5d2ce0d24e619666b3defb1a413b8d8c0292fb10cd72fa664b9228
-
Filesize
72KB
MD5353f342a6a20ea38732ffc3941b43a77
SHA171265fc8086c6f89486e75270d658524a42d06a2
SHA2567f2dbdc49a517010a82a71a6c8b345cf3e0de41a919a9812567d01574d33decd
SHA512d0c350afac0d834fa3b71bf9c90bd04ab2d9542f36da862989f1ca4e6c29d52f9c3f81554b5d2ce0d24e619666b3defb1a413b8d8c0292fb10cd72fa664b9228
-
Filesize
72KB
MD5353f342a6a20ea38732ffc3941b43a77
SHA171265fc8086c6f89486e75270d658524a42d06a2
SHA2567f2dbdc49a517010a82a71a6c8b345cf3e0de41a919a9812567d01574d33decd
SHA512d0c350afac0d834fa3b71bf9c90bd04ab2d9542f36da862989f1ca4e6c29d52f9c3f81554b5d2ce0d24e619666b3defb1a413b8d8c0292fb10cd72fa664b9228
-
Filesize
72KB
MD5353f342a6a20ea38732ffc3941b43a77
SHA171265fc8086c6f89486e75270d658524a42d06a2
SHA2567f2dbdc49a517010a82a71a6c8b345cf3e0de41a919a9812567d01574d33decd
SHA512d0c350afac0d834fa3b71bf9c90bd04ab2d9542f36da862989f1ca4e6c29d52f9c3f81554b5d2ce0d24e619666b3defb1a413b8d8c0292fb10cd72fa664b9228
-
Filesize
72KB
MD54e18563f43198305b47f76ca3a86492b
SHA1184ed4ad1c683926415994a81a510047802e5a46
SHA25647ccf821e53837b713c642f6e07f62c540e4dc7afcd43a7fc02b68d68da82c14
SHA51204221a8dd040572997304d226f3004538a8192da42567801925354b5cd734b6b92d362e2251a4dca710dbefb68ca49cbd775ce5f5909a0a03dac1cb13320b2b5
-
Filesize
72KB
MD54e18563f43198305b47f76ca3a86492b
SHA1184ed4ad1c683926415994a81a510047802e5a46
SHA25647ccf821e53837b713c642f6e07f62c540e4dc7afcd43a7fc02b68d68da82c14
SHA51204221a8dd040572997304d226f3004538a8192da42567801925354b5cd734b6b92d362e2251a4dca710dbefb68ca49cbd775ce5f5909a0a03dac1cb13320b2b5
-
Filesize
72KB
MD556345cc3589156ba099e7ad6a41714e6
SHA11a64a4f4d7ca16b9ed620423ab914fbb08fd3117
SHA25628262012ea4aeb9512a4f5d2a10ef3b0e1c7fb3ec71595450791616c0b54e27e
SHA5126c522a6cd2a926b02a92644eee0d9a562cc84ca5206dc074dcb5d819d514ab257cc6774e5467861c57a5072b39743ae7ffdcb1fd6cdac583867d6f78291a394d
-
Filesize
72KB
MD556345cc3589156ba099e7ad6a41714e6
SHA11a64a4f4d7ca16b9ed620423ab914fbb08fd3117
SHA25628262012ea4aeb9512a4f5d2a10ef3b0e1c7fb3ec71595450791616c0b54e27e
SHA5126c522a6cd2a926b02a92644eee0d9a562cc84ca5206dc074dcb5d819d514ab257cc6774e5467861c57a5072b39743ae7ffdcb1fd6cdac583867d6f78291a394d
-
Filesize
72KB
MD51f859c194dfa31a233e16505d2b3e7e8
SHA1d25abd37e4ba8bdcc59fbd908a36766865369e7a
SHA256c4b9e37e83f327b74d4db065d2387e8aca864760e35513db4b30a141b4eba717
SHA51248857e96d9dc119203861721d95ff0b56b71348bcee5245a119b42b910f4f0b03f93054db9cd50b2c548a9fffe3000d6eed836de6d051de7b4d8fdeb7aa0c269
-
Filesize
72KB
MD51f859c194dfa31a233e16505d2b3e7e8
SHA1d25abd37e4ba8bdcc59fbd908a36766865369e7a
SHA256c4b9e37e83f327b74d4db065d2387e8aca864760e35513db4b30a141b4eba717
SHA51248857e96d9dc119203861721d95ff0b56b71348bcee5245a119b42b910f4f0b03f93054db9cd50b2c548a9fffe3000d6eed836de6d051de7b4d8fdeb7aa0c269