805224152e3498356300d6b536c2052aee8a31150a0f4481e10fb0bd1f55e9bc

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-03-2023 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Advanced SystemCare Ultimate 16.1.0.16 Multilingual/asc-ultimate-setup.exe
Size

113.4MB
MD5

c7b9560dddfa8436769c5162770ef870
SHA1

7b2ff2731e3966c66b9c5625e67f0aa0a3432fd7
SHA256

8d908e4a84c02e78b5a686d23495911dc8890a1390fa53257d1c086cc1f73586
SHA512

8d704012508116bbee90aff7d7573fcecd0daad48bd06531f258ecc90d2569fec475bbcc670ba5a2e8aab6fc683e57619d98b9a091891b3dcc8883e52df62ad6
SSDEEP

3145728:bpcxWk8OLHSygLsWURNbzy6TLf4T0OttvrWA0p:Db54WUPbzRD4TlSA0p

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

asc-ultimate-setup.tmpSetup.exe

pid process

1312 asc-ultimate-setup.tmp
1452 Setup.exe

pid	process
1312	asc-ultimate-setup.tmp
1452	Setup.exe

Loads dropped DLL 6 IoCs

Processes:

asc-ultimate-setup.exeasc-ultimate-setup.tmp

pid	process
1316	asc-ultimate-setup.exe
1312	asc-ultimate-setup.tmp
1312	asc-ultimate-setup.tmp
1312	asc-ultimate-setup.tmp
1312	asc-ultimate-setup.tmp
1312	asc-ultimate-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup.exe

pid process

1452 Setup.exe
1452 Setup.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Setup.exe

pid process

1452 Setup.exe
1452 Setup.exe
1452 Setup.exe
1452 Setup.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Setup.exe

pid process

1452 Setup.exe
1452 Setup.exe
1452 Setup.exe
1452 Setup.exe

pid	process
1452	Setup.exe
1452	Setup.exe

pid	process
1452	Setup.exe
1452	Setup.exe
1452	Setup.exe
1452	Setup.exe

pid	process
1452	Setup.exe
1452	Setup.exe
1452	Setup.exe
1452	Setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

asc-ultimate-setup.exeasc-ultimate-setup.tmp

description	pid	process	target process
PID 1316 wrote to memory of 1312	1316	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1316 wrote to memory of 1312	1316	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1316 wrote to memory of 1312	1316	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1316 wrote to memory of 1312	1316	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1316 wrote to memory of 1312	1316	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1316 wrote to memory of 1312	1316	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1316 wrote to memory of 1312	1316	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1312 wrote to memory of 1452	1312	asc-ultimate-setup.tmp	Setup.exe
PID 1312 wrote to memory of 1452	1312	asc-ultimate-setup.tmp	Setup.exe
PID 1312 wrote to memory of 1452	1312	asc-ultimate-setup.tmp	Setup.exe
PID 1312 wrote to memory of 1452	1312	asc-ultimate-setup.tmp	Setup.exe
PID 1312 wrote to memory of 1452	1312	asc-ultimate-setup.tmp	Setup.exe
PID 1312 wrote to memory of 1452	1312	asc-ultimate-setup.tmp	Setup.exe
PID 1312 wrote to memory of 1452	1312	asc-ultimate-setup.tmp	Setup.exe

C:\Users\Admin\AppData\Local\Temp\Advanced SystemCare Ultimate 16.1.0.16 Multilingual\asc-ultimate-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Advanced SystemCare Ultimate 16.1.0.16 Multilingual\asc-ultimate-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\is-3DEJD.tmp\asc-ultimate-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3DEJD.tmp\asc-ultimate-setup.tmp" /SL5="$80022,118347133,137216,C:\Users\Admin\AppData\Local\Temp\Advanced SystemCare Ultimate 16.1.0.16 Multilingual\asc-ultimate-setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\Installer\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\Installer\Setup.exe" /InnoSetup "C:\Users\Admin\AppData\Local\Temp\Advanced SystemCare Ultimate 16.1.0.16 Multilingual\asc-ultimate-setup.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObit\iobitpromotion.ini
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3DEJD.tmp\asc-ultimate-setup.tmp
Filesize
1.2MB

MD5
6ff5b536aec6f2d7a0fac8ad7582e4e9

SHA1
91fb5762d75a2f029d01cdd5a11931a708225e4b

SHA256
075530d514250142495f5f0bf0ce4cb0421817f37e838474878d4a01ccc2ce77

SHA512
555cc85d6efb8424a2b58781c9701e7018fb1507ed30331f549550cf86f89e608d335cecba1237039c943b65ae1053df4de3dc6ed118d91124a727e0d4834abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\Installer\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\Installer\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\Installer\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Advanced SystemCare\Main.ini
Filesize
67B

MD5
0d4a84c7bdaf457fbc8424f68cc180be

SHA1
4c95cee221c2006b53b847a15128e7e260869b17

SHA256
fb65eab2737e80dbec712cc04764980b4bf9f26360c5cb8a4608aa42c057e0dd

SHA512
46e9939c1e07fccd5bb8a420b39bc18d853ec01edb02afd905c3c6199a7b3ca250582aa627d8a0e5c5e0c342b0dfe40df12c66246d959c59ec7fc5b37abb3211

Download Submit
\Users\Admin\AppData\Local\Temp\is-3DEJD.tmp\asc-ultimate-setup.tmp
Filesize
1.2MB

MD5
6ff5b536aec6f2d7a0fac8ad7582e4e9

SHA1
91fb5762d75a2f029d01cdd5a11931a708225e4b

SHA256
075530d514250142495f5f0bf0ce4cb0421817f37e838474878d4a01ccc2ce77

SHA512
555cc85d6efb8424a2b58781c9701e7018fb1507ed30331f549550cf86f89e608d335cecba1237039c943b65ae1053df4de3dc6ed118d91124a727e0d4834abc

Download Submit
\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\Installer\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-CMSDC.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1312-88-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1312-67-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1316-91-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1316-54-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1452-92-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1452-95-0x0000000004540000-0x0000000004580000-memory.dmp

Filesize
256KB

Download
memory/1452-114-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/1452-115-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1452-117-0x0000000004540000-0x0000000004580000-memory.dmp

Filesize
256KB

Download