Overview

overview

10

Static

static

1

PowerBI ti....4.exe

windows7-x64

7

PowerBI ti....4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21-02-2023 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PowerBI tips Business Ops Setup 3.0.4.exe

  • Size

    525.8MB

  • MD5

    ceabe8661ec16fa125098bfd4cea1b23

  • SHA1

    295b1b946bddf5366c7a1c886a5738b8fbfa8813

  • SHA256

    2b3fa61129683f095d1e148a02d8783489e11553e4fb710a70e5b7f763917522

  • SHA512

    a9d70b6c40122083dc993f70f7fdf8560f1a3cd3522aaed7dca19243e3da16b93b72fbba290c8a24cc909a0f25204a0796e0d6338e12e253857c84b3a08110f6

  • SSDEEP

    12582912:Dgn00M6JgmlXDzVmljR3MN+ceOgBCOZKCVVE/+YxqummrFY5qgaqUAQ2BzpAPhEf:8n7+m9GjR8N+ce2mKCVC/nmd5qpYzVf

Score
7/10
discovery

Malware Config

Signatures

  • Loads dropped DLL 15 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PowerBI tips Business Ops Setup 3.0.4.exe
    "C:\Users\Admin\AppData\Local\Temp\PowerBI tips Business Ops Setup 3.0.4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\DaxStudio.QueryTrace.Excel.dll.config
    Filesize

    278B

    MD5

    68399b53b17068b9fd58f0866be0df36

    SHA1

    aec4f07cefdad8854d3f002f40f3149b90e06e69

    SHA256

    0d1c657e0d50639011f2bc384e360070a32a369a8c75b2534261893f5184077e

    SHA512

    09966b246837b73647fd199062884b4691e2837d955901c2df61933930469cd96dad07253e2f283cbea7e213ac43fa4b7679be51769cb654f3e7e7a28196dd42

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\Newtonsoft.Json.dll
    Filesize

    683KB

    MD5

    6815034209687816d8cf401877ec8133

    SHA1

    1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

    SHA256

    7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

    SHA512

    3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Data_Marc\model-documenterV2\app\System.Net.Http.dll
    Filesize

    84KB

    MD5

    cfaedd3de549e3cb02f8bb77a28bc076

    SHA1

    859c5f82a2fc22a6bcfbee92b841761a1b5b08b2

    SHA256

    cb1b1ac1c1a435f7ea7ee75914aa7bb1324bfafb7910d8c814db62a77b09ffa0

    SHA512

    d0cb88b8a6e6b27c159d609069ac4c586e0236dd0721c8c51e7e64202a17fda3084d0c035da8009162f8a00d20ef70f3b296c00b3096e87ab1819fe0e276956d

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.AdomdClient.dll
    Filesize

    1.1MB

    MD5

    0803d402716365bfccc612fe270a82b7

    SHA1

    2b3cd9200465d788e8500982c90398c7c831331a

    SHA256

    e28bf785a287f8bcad8f42a415d8a92514c89ce6f893df3149173ca70e6b4ce6

    SHA512

    b02c08e1d8a448111fdea098f5893101ad8d7e0702dae8ac4612589fc66a341be066083a8b6d4e21f0f449434e1b08d2d7281772842bb3a3e54f9d1a8eb2ea34

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.Core.dll
    Filesize

    1.4MB

    MD5

    d7d71fc93effe1a7ee26df3d91a53396

    SHA1

    1b21e44eff40afb9b3c360d821289b56611012a4

    SHA256

    c71c8d1d6616cdf29ab2cd0d6984bc652ae44611156c1275b268ff48ddbb512c

    SHA512

    01ee5b5e7fd5de3b1bb690898f10643e83a880db9988eda396400295a529595bf601a9f6d83555a67aba6290658e89c6d41821086104ef699799d477789cc5f8

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.SPClient.Interfaces.dll
    Filesize

    29KB

    MD5

    8f1b8d355d07594287c67f93f8875712

    SHA1

    a1dfb9f3c3ded7d549d0036aff4f78ae6fafeffd

    SHA256

    3280381cb8127e818b20817210bd51ee0d2f89e25366db9a262f2cc746305b26

    SHA512

    9b55b7198ee821b2c2d998cc14494ec6be2f71ce53269ae828be8c20771c46eb5531cf72e968d3e4dafb0e1993941dbdb34cb87b217da7c95a6213cb193c9833

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.Tabular.Json.dll
    Filesize

    547KB

    MD5

    64a8698baaaa3e291ecdee959a77bf3c

    SHA1

    0a070a7060f7aad60a02cace39d86ec721915840

    SHA256

    0237c578afc10222120281e45861f22d476568143d178edaf6f42b8e3d6b0c3f

    SHA512

    6c30c235975245559d7f1871c04282b62aad3aaf42bc04cf2dbf4d90f676a12aa0525851fd27ae5269f13778e096d3374037c8506662258cda1f575561a61238

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.Tabular.dll
    Filesize

    1.2MB

    MD5

    7b920de3a5c597cc4a955c6037ba7255

    SHA1

    0d207b4bf91b72033f289bd6de68e3ffba1a1fdc

    SHA256

    2a1b1325a6221db2e4167c09861c0ba424727e89612c4500bfa47d96749da412

    SHA512

    8ff20d39ff8fd998bfce5412131dfd882a9d21509d735689bd584585335990235413993a4bafb98f84f27e11568289d73a0e3c43e9f3ae9c24426579d50eaf50

    Download Submit
  • C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.dll
    Filesize

    677KB

    MD5

    44a6c3dc63fedafe91ff98a269c7a0b9

    SHA1

    3707e4c80d7287e4e19c44729137d2413fcb36b3

    SHA256

    3495cb74ff5519c5ece1fc1530225e15d7a99bc032e21ec2bf622e5363598e24

    SHA512

    df3f45a82e84af294a7f9653b63f34b079f13bf259110f09b6c77981500a3d918507074baacfbebc1a3eb06a5f3b130206ebfa6a4064117625a6e29f7d3d8bfb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsj6A88.tmp\SpiderBanner.dll
    Filesize

    9KB

    MD5

    17309e33b596ba3a5693b4d3e85cf8d7

    SHA1

    7d361836cf53df42021c7f2b148aec9458818c01

    SHA256

    996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

    SHA512

    1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsj6A88.tmp\StdUtils.dll
    Filesize

    100KB

    MD5

    c6a6e03f77c313b267498515488c5740

    SHA1

    3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    SHA256

    b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    SHA512

    9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsj6A88.tmp\System.dll
    Filesize

    12KB

    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsj6A88.tmp\WinShell.dll
    Filesize

    3KB

    MD5

    1cc7c37b7e0c8cd8bf04b6cc283e1e56

    SHA1

    0b9519763be6625bd5abce175dcc59c96d100d4c

    SHA256

    9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

    SHA512

    7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsj6A88.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsj6A88.tmp\nsis7z.dll
    Filesize

    424KB

    MD5

    80e44ce4895304c6a3a831310fbf8cd0

    SHA1

    36bd49ae21c460be5753a904b4501f1abca53508

    SHA256

    b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    SHA512

    c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    Download Submit
  • \Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • \Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • \Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • \Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • \Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • \Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • \Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • \Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
    Filesize

    105.6MB

    MD5

    f22316d4e8b55654093791b128d6150a

    SHA1

    ca335e13258c2cff8d48f130a5da75472e75abd2

    SHA256

    e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

    SHA512

    7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj6A88.tmp\SpiderBanner.dll
    Filesize

    9KB

    MD5

    17309e33b596ba3a5693b4d3e85cf8d7

    SHA1

    7d361836cf53df42021c7f2b148aec9458818c01

    SHA256

    996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

    SHA512

    1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj6A88.tmp\StdUtils.dll
    Filesize

    100KB

    MD5

    c6a6e03f77c313b267498515488c5740

    SHA1

    3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    SHA256

    b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    SHA512

    9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj6A88.tmp\System.dll
    Filesize

    12KB

    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj6A88.tmp\WinShell.dll
    Filesize

    3KB

    MD5

    1cc7c37b7e0c8cd8bf04b6cc283e1e56

    SHA1

    0b9519763be6625bd5abce175dcc59c96d100d4c

    SHA256

    9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

    SHA512

    7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj6A88.tmp\WinShell.dll
    Filesize

    3KB

    MD5

    1cc7c37b7e0c8cd8bf04b6cc283e1e56

    SHA1

    0b9519763be6625bd5abce175dcc59c96d100d4c

    SHA256

    9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

    SHA512

    7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj6A88.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj6A88.tmp\nsis7z.dll
    Filesize

    424KB

    MD5

    80e44ce4895304c6a3a831310fbf8cd0

    SHA1

    36bd49ae21c460be5753a904b4501f1abca53508

    SHA256

    b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    SHA512

    c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    Download Submit
  • memory/1716-4421-0x0000000003430000-0x0000000003432000-memory.dmp
    Filesize

    8KB

    Download