Overview
overview
3Static
static
1processhac...in.zip
windows10-1703-x64
1x64/ProcessHacker.exe
windows10-1703-x64
1x64/kproce...er.exe
windows10-1703-x64
x64/peview.exe
windows10-1703-x64
3x64/plugin...ls.dll
windows10-1703-x64
1x64/plugin...ns.dll
windows10-1703-x64
1x64/plugin...es.dll
windows10-1703-x64
1x64/plugin...ls.dll
windows10-1703-x64
1x64/plugin...es.dll
windows10-1703-x64
1x64/plugin...ls.dll
windows10-1703-x64
1x64/plugin...ks.dll
windows10-1703-x64
1x64/plugin...rt.dll
windows10-1703-x64
1x64/plugin...us.dll
windows10-1703-x64
1x64/plugin...er.dll
windows10-1703-x64
1x64/plugin...es.dll
windows10-1703-x64
1x64/plugin...er.dll
windows10-1703-x64
1x86/ProcessHacker.exe
windows10-1703-x64
1x86/kproce...er.exe
windows10-1703-x64
x86/peview.exe
windows10-1703-x64
3x86/plugin...ls.dll
windows10-1703-x64
1x86/plugin...ns.dll
windows10-1703-x64
1x86/plugin...es.dll
windows10-1703-x64
1x86/plugin...ls.dll
windows10-1703-x64
1x86/plugin...es.dll
windows10-1703-x64
1x86/plugin...ls.dll
windows10-1703-x64
1x86/plugin...ks.dll
windows10-1703-x64
1x86/plugin...rt.dll
windows10-1703-x64
1x86/plugin...us.dll
windows10-1703-x64
1x86/plugin...er.dll
windows10-1703-x64
1x86/plugin...es.dll
windows10-1703-x64
1x86/plugin...er.dll
windows10-1703-x64
1Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
01-03-2023 03:03
Static task
static1
Behavioral task
behavioral1
Sample
processhacker-2.39-bin.zip
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
x64/ProcessHacker.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
x64/kprocesshacker.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
x64/peview.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
x64/plugins/DotNetTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
x64/plugins/ExtendedNotifications.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
x64/plugins/ExtendedServices.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
x64/plugins/ExtendedTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
x64/plugins/HardwareDevices.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
x64/plugins/NetworkTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
x64/plugins/OnlineChecks.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
x64/plugins/SbieSupport.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
x64/plugins/ToolStatus.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
x64/plugins/Updater.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
x64/plugins/UserNotes.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
x64/plugins/WindowExplorer.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
x86/ProcessHacker.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
x86/kprocesshacker.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
x86/peview.exe
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
x86/plugins/DotNetTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
x86/plugins/ExtendedNotifications.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
x86/plugins/ExtendedServices.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
x86/plugins/ExtendedTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
x86/plugins/HardwareDevices.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
x86/plugins/NetworkTools.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
x86/plugins/OnlineChecks.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
x86/plugins/SbieSupport.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
x86/plugins/ToolStatus.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
x86/plugins/Updater.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
x86/plugins/UserNotes.dll
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
x86/plugins/WindowExplorer.dll
Resource
win10-20230220-en
windows10-1703-x64
General
-
Target
x86/peview.exe
-
Size
204KB
-
MD5
711be6337cb78a948f04759a0bd210ce
-
SHA1
20c48d7dc881d2066d7702e98796eb2024c77ca9
-
SHA256
41967c3ee8b8e2416ddb3e82d8df1219365a7b180138ca8c3256192794e5f8ff
-
SHA512
b29c3907ceabab08d75cecc926764d54c857a4aca5728c514753c5c60ee8db061c6811c8ff0f83bf52b498325f3ddc180edf5ca91e691476ee79dd4423e99910
-
SSDEEP
3072:2u/fuFdRj5OJJMCTut5mK4o03KmDxfcpjs7LrV40iAAjViZ0W1mBiX/DF+jQC:2u/fOjuJMCCMKP+x4jsveNgvm
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 peview.exe Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings peview.exe Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell peview.exe Set value (data) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots peview.exe Set value (data) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 peview.exe Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 peview.exe Set value (data) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff peview.exe Set value (data) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff peview.exe Set value (str) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" peview.exe Set value (data) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff peview.exe Set value (data) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff peview.exe Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell peview.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance peview.exe Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 peview.exe Set value (int) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" peview.exe Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU peview.exe Set value (data) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 peview.exe Set value (data) \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 peview.exe Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags peview.exe Key created \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance peview.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3704 peview.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3704 peview.exe
Processes
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD5974e1a0053da1f9e7084acdf0ce07009
SHA13185a28f831bf91fb8b3b7608860f83688426b21
SHA256d1eae90c076ea6d4fe860afc350ced8da4a54bbdc32cfbb73c03e0160159e5e3
SHA512ed8ef0451664c972c44eaefe85ff3305c7245caddbd72b70da77a6e0c23f377e2daa8229ff958f9e695bc82a8e54388161f70a35a2e1318dc78389d4c0a31916