d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081

General

Target

d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe
Size

1.4MB
MD5

77ea6cc405cebaf57f8c4f2b385352ee
SHA1

7a099464d202d7f924431055d0b458977331781a
SHA256

d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081
SHA512

e79d3571c99539dfc4520414bfb0bd8b7eaeeb488d1dcfbf7d862cdf08f04119c41c3963b1f2d335eb2279beb35820c9560d9cb7e1651615c59c36343bfe4d34
SSDEEP

24576:f6rT6MWBBO8WPJcsi01hig7vRiezjbaVTfLbSIfm8xBZQdfqCzB:fCEUJcsiFovEAjbaVmIfdBkfZd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1288	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1436	d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1288	Setup.exe
1288	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1288	1436	d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe	27
PID 1436 wrote to memory of 1288	1436	d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe	27
PID 1436 wrote to memory of 1288	1436	d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe	27
PID 1436 wrote to memory of 1288	1436	d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe	27
PID 1436 wrote to memory of 1288	1436	d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe	27
PID 1436 wrote to memory of 1288	1436	d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe	27
PID 1436 wrote to memory of 1288	1436	d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe	27

C:\Users\Admin\AppData\Local\Temp\d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe
"C:\Users\Admin\AppData\Local\Temp\d88bf715a8bd65fc5bdf7b024e779856955211a272207746eb3969a59cc39081.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Licence\LSI - Logo.png

Filesize
56KB

MD5
fba2571b389058c250f28eb78e0f82ea

SHA1
c3f987c2818d87db823e3a9a08e27efa8830e6e5

SHA256
43b94248818e80eeac3b706905a22f492133ae28a574eb3983bc2ff84da1ec59

SHA512
9861515ccadb814371daf6621168c4c771059431d27b010cb161e30a7c71df9aa7b7e1590438cb9215f015d484b897d5c657cff9394c2073b8bfe07cb044bc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Licence\Licence.htm

Filesize
5KB

MD5
8013284a8546ed5f570fac16ae545da8

SHA1
629fa061fff45c25de57b455f3bb92876d83ef52

SHA256
83f93ca28ec4c2b4349a051bdc235efea26f89a4e40bc3beb930806694b352d1

SHA512
71238297b527d99142c45b3cc5308b089cbf13f2e52c9539e39a814024eb38a98b5fa87adc21d1fbcf2ce7450615f75d5e16f8c334e00ec040239c03b2fc97f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lng-Setup\Francais.Txt

Filesize
5KB

MD5
3ddfbf4390575a24df724a82b6cc4ca7

SHA1
a56ba4c3d623ee6dfce613c59299ced3e5bc6d20

SHA256
c2fbd18ecb43a23af1afda1f4bb6f2fb80d655d020d6dfaa959b008bf6472fef

SHA512
83ed96757a17658f54c24f9a6d0d167b758bab2805ea28b98abdd594ae7aa5fadca91064d5f45661b355017f1ccd8fd9841723f793b16d31abbd4b18fc7bea47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup+.lsip

Filesize
152B

MD5
d40b2e061a0f8c8ac567c50a88e2a7f1

SHA1
927bf2006dd1639faa5f797cefe0919ea0e1cf9a

SHA256
f946e353a23ec5c4ceb625074eb52e33646b8fdb5fc65cfdd521161810904039

SHA512
c1e2bd68e4779d3fadc5b669e6469400e45d4bf5a007b2fc6862ff092ab136e9259aff1eac37fd80852591e530a7f25c68a9825cd809a0796d9f1905eedbe369

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
318KB

MD5
296e1f67b2431f50abb486acd0208cde

SHA1
a8e2846b3e56257d940254b99d542ebf60065737

SHA256
dcd8c659b612de0b6786fba70d4635992020a289000eb8c8f19c0458c092cf47

SHA512
55e6534544628eb42f32df0d4e1fed96d87f0cd20e09205a0da28a4df2ac1b69a112f127fd9e3f2541e2d2bfa2d93cfd69b06850457c3d078d1ba5b60aea864b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
318KB

MD5
296e1f67b2431f50abb486acd0208cde

SHA1
a8e2846b3e56257d940254b99d542ebf60065737

SHA256
dcd8c659b612de0b6786fba70d4635992020a289000eb8c8f19c0458c092cf47

SHA512
55e6534544628eb42f32df0d4e1fed96d87f0cd20e09205a0da28a4df2ac1b69a112f127fd9e3f2541e2d2bfa2d93cfd69b06850457c3d078d1ba5b60aea864b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.lsip

Filesize
570B

MD5
008b7d73c986f37b37042b407ab85fe2

SHA1
704b09f7475736d75856152eb91c3d48f5fe81bd

SHA256
bba6a29607e6b1b5d24dadb73c3c64b1165a4cf05aec6bd8ae0039bafcb0f720

SHA512
38e083f0c47b2733ae80b462c4c8240ba880a40908e9087109889862aa9aee1167b6d09dad21fa8f06690841661990a0f7545a6a1c82f005a5ec97fc57dced53

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
318KB

MD5
296e1f67b2431f50abb486acd0208cde

SHA1
a8e2846b3e56257d940254b99d542ebf60065737

SHA256
dcd8c659b612de0b6786fba70d4635992020a289000eb8c8f19c0458c092cf47

SHA512
55e6534544628eb42f32df0d4e1fed96d87f0cd20e09205a0da28a4df2ac1b69a112f127fd9e3f2541e2d2bfa2d93cfd69b06850457c3d078d1ba5b60aea864b

Download Submit
memory/1436-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing