708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 13:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe
Size

1.4MB
MD5

32ce5f8d9663f68f483234710a78d76c
SHA1

b55f78c6d9b4d3345dce297f4c86f3f6916a7142
SHA256

708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce
SHA512

619c5318fd706f47871fefcd6fcf1c2d9ba8b72555f4516bf3380ff368b4d98a9943c761e340723d987b3e21e781aac26bc5de80f4cff4e722e150767bbc09bd
SSDEEP

24576:a2exuQwFkusEYRm85q5hLMH7m4J0RkFvuceI+QdAeK4JJS1aM75l5UEHM6a723:a2WuQwFkfd5wx27RGRkFmcR+QpJJS1aG

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1892	is-MRB65.tmp
1124	pgk80.exe

Loads dropped DLL 5 IoCs

pid	Process
1280	708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe
1892	is-MRB65.tmp
1892	is-MRB65.tmp
1892	is-MRB65.tmp
1892	is-MRB65.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PGK Disk Master\is-OMAFI.tmp	is-MRB65.tmp
File created	C:\Program Files (x86)\PGK Disk Master\is-N5JVV.tmp	is-MRB65.tmp
File opened for modification	C:\Program Files (x86)\PGK Disk Master\unins000.dat	is-MRB65.tmp
File opened for modification	C:\Program Files (x86)\PGK Disk Master\pgk80.exe	is-MRB65.tmp
File created	C:\Program Files (x86)\PGK Disk Master\unins000.dat	is-MRB65.tmp
File created	C:\Program Files (x86)\PGK Disk Master\is-2JD4L.tmp	is-MRB65.tmp
File created	C:\Program Files (x86)\PGK Disk Master\is-3T8LU.tmp	is-MRB65.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
988	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1892	1280	708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe	28
PID 1280 wrote to memory of 1892	1280	708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe	28
PID 1280 wrote to memory of 1892	1280	708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe	28
PID 1280 wrote to memory of 1892	1280	708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe	28
PID 1280 wrote to memory of 1892	1280	708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe	28
PID 1280 wrote to memory of 1892	1280	708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe	28
PID 1280 wrote to memory of 1892	1280	708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe	28
PID 1892 wrote to memory of 1124	1892	is-MRB65.tmp	29
PID 1892 wrote to memory of 1124	1892	is-MRB65.tmp	29
PID 1892 wrote to memory of 1124	1892	is-MRB65.tmp	29
PID 1892 wrote to memory of 1124	1892	is-MRB65.tmp	29
PID 1124 wrote to memory of 1980	1124	pgk80.exe	32
PID 1124 wrote to memory of 1980	1124	pgk80.exe	32
PID 1124 wrote to memory of 1980	1124	pgk80.exe	32
PID 1124 wrote to memory of 1980	1124	pgk80.exe	32
PID 1980 wrote to memory of 988	1980	cmd.exe	34
PID 1980 wrote to memory of 988	1980	cmd.exe	34
PID 1980 wrote to memory of 988	1980	cmd.exe	34
PID 1980 wrote to memory of 988	1980	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe
"C:\Users\Admin\AppData\Local\Temp\708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\is-ECFJ3.tmp\is-MRB65.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ECFJ3.tmp\is-MRB65.tmp" /SL4 $60124 "C:\Users\Admin\AppData\Local\Temp\708646ce274fd52d6072ac2336154cf26911eeadce2a6a16b4f7188f16de5bce.exe" 1236784 75264
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Program Files (x86)\PGK Disk Master\pgk80.exe
    "C:\Program Files (x86)\PGK Disk Master\pgk80.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "pgk80.exe" /f & erase "C:\Program Files (x86)\PGK Disk Master\pgk80.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "pgk80.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PGK Disk Master\pgk80.exe

Filesize
1.7MB

MD5
665fb3d17194eceb3a25580c93e1bf42

SHA1
71d55572014c535bb25aa1d6488abba51fbfc1bf

SHA256
13315641daa5e7ab5efeb6dfd11d1db099e36ae7548edd38d00c1bafb97cbc0a

SHA512
85e6cdd5a0e7983bcb390298bf0e6670bd27a953400b75305085d32750505a80ecb9d5d0c69b2d8623b140ecf582bda24595eca7ad3c0faa88d6b50ac1c10edc

Download Submit
C:\Program Files (x86)\PGK Disk Master\pgk80.exe

Filesize
1.7MB

MD5
665fb3d17194eceb3a25580c93e1bf42

SHA1
71d55572014c535bb25aa1d6488abba51fbfc1bf

SHA256
13315641daa5e7ab5efeb6dfd11d1db099e36ae7548edd38d00c1bafb97cbc0a

SHA512
85e6cdd5a0e7983bcb390298bf0e6670bd27a953400b75305085d32750505a80ecb9d5d0c69b2d8623b140ecf582bda24595eca7ad3c0faa88d6b50ac1c10edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ECFJ3.tmp\is-MRB65.tmp

Filesize
679KB

MD5
505b95543234ddc4ea7ab8c5985c18b9

SHA1
48f4462b0f83d1b76bba97ffdfe0e751e7c88f1e

SHA256
a9ea02770c0e21b72d8dc996f76c8b17669f9a4cad6cd6a63b5120ad7d14110b

SHA512
df655b9882fbff0396faf7a3804bd7418fffc1f62abf7ad7b59469ce52d8b832b15fed7adc0746d1fce8ff2a5fe5628ee9e2269ef1fcd39d05258d627ff16de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ECFJ3.tmp\is-MRB65.tmp

Filesize
679KB

MD5
505b95543234ddc4ea7ab8c5985c18b9

SHA1
48f4462b0f83d1b76bba97ffdfe0e751e7c88f1e

SHA256
a9ea02770c0e21b72d8dc996f76c8b17669f9a4cad6cd6a63b5120ad7d14110b

SHA512
df655b9882fbff0396faf7a3804bd7418fffc1f62abf7ad7b59469ce52d8b832b15fed7adc0746d1fce8ff2a5fe5628ee9e2269ef1fcd39d05258d627ff16de4

Download Submit
\Program Files (x86)\PGK Disk Master\pgk80.exe

Filesize
1.7MB

MD5
665fb3d17194eceb3a25580c93e1bf42

SHA1
71d55572014c535bb25aa1d6488abba51fbfc1bf

SHA256
13315641daa5e7ab5efeb6dfd11d1db099e36ae7548edd38d00c1bafb97cbc0a

SHA512
85e6cdd5a0e7983bcb390298bf0e6670bd27a953400b75305085d32750505a80ecb9d5d0c69b2d8623b140ecf582bda24595eca7ad3c0faa88d6b50ac1c10edc

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECFJ3.tmp\is-MRB65.tmp

Filesize
679KB

MD5
505b95543234ddc4ea7ab8c5985c18b9

SHA1
48f4462b0f83d1b76bba97ffdfe0e751e7c88f1e

SHA256
a9ea02770c0e21b72d8dc996f76c8b17669f9a4cad6cd6a63b5120ad7d14110b

SHA512
df655b9882fbff0396faf7a3804bd7418fffc1f62abf7ad7b59469ce52d8b832b15fed7adc0746d1fce8ff2a5fe5628ee9e2269ef1fcd39d05258d627ff16de4

Download Submit
\Users\Admin\AppData\Local\Temp\is-RDQ6E.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-RDQ6E.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RDQ6E.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1124-75-0x0000000000400000-0x00000000013BE000-memory.dmp

Filesize
15.7MB

Download
memory/1124-73-0x0000000000400000-0x00000000013BE000-memory.dmp

Filesize
15.7MB

Download
memory/1124-78-0x0000000000400000-0x00000000013BE000-memory.dmp

Filesize
15.7MB

Download
memory/1124-71-0x0000000000400000-0x00000000013BE000-memory.dmp

Filesize
15.7MB

Download
memory/1124-72-0x0000000000400000-0x00000000013BE000-memory.dmp

Filesize
15.7MB

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-64-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1280-79-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1280-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1892-74-0x0000000002FE0000-0x0000000003F9E000-memory.dmp

Filesize
15.7MB

Download
memory/1892-70-0x0000000002FE0000-0x0000000003F9E000-memory.dmp

Filesize
15.7MB

Download