c404a6b3e21e286e08b43afcc0ea834dd10cae1e09b0b372d056d8262a8f799b

Analysis

max time kernel
80s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FabFilter Total Bundle v2020.05.18 WIN/Setup FabFilter Total Bundle v2020.05.18.exe
Size

34.7MB
MD5

210b1ca457126bc2ae64c444efdd4fd7
SHA1

371713fb69fecc495e435db6ceb4b2f057ae39c1
SHA256

23770671feaf22bac335c523c15e875d89c80af6c6edb6294e134bedc4b4f823
SHA512

0e289cf570f35f2cefe6fcafb932eceae484a399f643b4631c8a1886c004b89b224b9d0db4d6d78538f675a40cc39c5c775298595ef61f977caeff569ee11112
SSDEEP

786432:BYu125JawuvFYRrQDXyW66yCsX0q+WpAgW2nHH11gQxeh:uuIHkviRrgiL6ybB79n11gQsh

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4760	Setup FabFilter Total Bundle v2020.05.18.tmp

Loads dropped DLL 5 IoCs

pid	Process
4760	Setup FabFilter Total Bundle v2020.05.18.tmp
4760	Setup FabFilter Total Bundle v2020.05.18.tmp
4760	Setup FabFilter Total Bundle v2020.05.18.tmp
4760	Setup FabFilter Total Bundle v2020.05.18.tmp
4760	Setup FabFilter Total Bundle v2020.05.18.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\FabFilter\Pro-L 2\FabFilter Pro-L 2.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-G\is-O1I8T.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-R\is-EDCM4.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Volcano 2\is-BOFS5.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-Q 3\is-M1ML9.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-R\is-IJ33C.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Saturn 2\is-3UUA2.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Simplon\is-SU928.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\One\FabFilter One.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Timeless 2\FabFilter Timeless 2.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\is-LN5OB.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\One\is-03QVC.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Timeless 2\is-D84IK.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Twin 2\is-I7DF5.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Pro-MB\FabFilter Pro-MB.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-DS\is-1V5CK.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Twin 2\is-09PN6.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-MB\is-6JNTR.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Timeless 2\is-2AUCR.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Volcano 2\FabFilter Volcano 2.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\One\is-JMF5I.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-DS\is-KHM2P.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-L 2\is-91S8P.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\is-6P8NB.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-C 2\is-01HFP.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-G\is-UGIRM.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-MB\is-T8GNF.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Micro\FabFilter Micro.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Pro-DS\FabFilter Pro-DS.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Saturn 2\FabFilter Saturn 2.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Twin 2\FabFilter Twin 2.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Pro-Q 3\FabFilter Pro-Q 3.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Pro-C 2\FabFilter Pro-C 2.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Volcano 2\is-JS27D.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\unins000.dat	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-C 2\is-EHNR1.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-L 2\is-JLVUQ.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Simplon\is-0P93E.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Pro-R\FabFilter Pro-R.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Pro-G\FabFilter Pro-G.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Micro\is-BF3HN.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Micro\is-ESDHP.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Saturn 2\is-MLTH2.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File opened for modification	C:\Program Files\FabFilter\Simplon\FabFilter Simplon.chm	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\unins000.dat	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\is-ECD06.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp
File created	C:\Program Files\FabFilter\Pro-Q 3\is-VHT8N.tmp	Setup FabFilter Total Bundle v2020.05.18.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4760	Setup FabFilter Total Bundle v2020.05.18.tmp
4760	Setup FabFilter Total Bundle v2020.05.18.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4760	Setup FabFilter Total Bundle v2020.05.18.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4760	Setup FabFilter Total Bundle v2020.05.18.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 4760	4356	Setup FabFilter Total Bundle v2020.05.18.exe	84
PID 4356 wrote to memory of 4760	4356	Setup FabFilter Total Bundle v2020.05.18.exe	84
PID 4356 wrote to memory of 4760	4356	Setup FabFilter Total Bundle v2020.05.18.exe	84

C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2020.05.18 WIN\Setup FabFilter Total Bundle v2020.05.18.exe
"C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2020.05.18 WIN\Setup FabFilter Total Bundle v2020.05.18.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\is-FKOGH.tmp\Setup FabFilter Total Bundle v2020.05.18.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FKOGH.tmp\Setup FabFilter Total Bundle v2020.05.18.tmp" /SL5="$801AE,35976789,407040,C:\Users\Admin\AppData\Local\Temp\FabFilter Total Bundle v2020.05.18 WIN\Setup FabFilter Total Bundle v2020.05.18.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-43V20.tmp\ISSKINU.DLL

Filesize
357KB

MD5
f30afccd6fafc1cad4567ada824c9358

SHA1
60a65b72f208563f90fba0da6af013a36707caa9

SHA256
e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d

SHA512
59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-43V20.tmp\ISSKINU.DLL

Filesize
357KB

MD5
f30afccd6fafc1cad4567ada824c9358

SHA1
60a65b72f208563f90fba0da6af013a36707caa9

SHA256
e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d

SHA512
59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-43V20.tmp\R2RINNO.dll

Filesize
4KB

MD5
0f8bbab51c5f70093b7ed7dd825d68e8

SHA1
a96809560b3e9001124083937a339cf2453a94c8

SHA256
7fc4fa7f5cea34df0a6733527081886cfb1c49b369df2db454de87cc4e70bdb5

SHA512
7b824ad5d7ec786535106d98bc80c9350f35ac2b76d7ee20163e90becf076dfeaca4732c0ecbe2d3d84a2efef337c380d5548ca0123e69e66e30bb396f0b9b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-43V20.tmp\SKIN.CJSTYLES

Filesize
813KB

MD5
5f87caf3f7cf63dde8e6af53bdf31289

SHA1
a2c3cc3d9d831acd797155b667db59a32000d7a8

SHA256
4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940

SHA512
4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-43V20.tmp\SKIN.CJSTYLES

Filesize
813KB

MD5
5f87caf3f7cf63dde8e6af53bdf31289

SHA1
a2c3cc3d9d831acd797155b667db59a32000d7a8

SHA256
4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940

SHA512
4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FKOGH.tmp\Setup FabFilter Total Bundle v2020.05.18.tmp

Filesize
1.4MB

MD5
efca76c8036622c459a97a29fb999a4e

SHA1
bf3f1aa664942f03fd8458f49a5fb92853ef836c

SHA256
ad1b2414bd9bb475b2b6bdfea72c9be4cca50544ecffdd7298e9b47a2a01ceff

SHA512
f051a1d32e0b39cac89d5de91802b70e81d5aba8e10601b0540f5bf0579b446f3080408cc39884508e390b58715c9a69b98e3575e9adc7ecde7e72b95b3c9636

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FKOGH.tmp\Setup FabFilter Total Bundle v2020.05.18.tmp

Filesize
1.4MB

MD5
efca76c8036622c459a97a29fb999a4e

SHA1
bf3f1aa664942f03fd8458f49a5fb92853ef836c

SHA256
ad1b2414bd9bb475b2b6bdfea72c9be4cca50544ecffdd7298e9b47a2a01ceff

SHA512
f051a1d32e0b39cac89d5de91802b70e81d5aba8e10601b0540f5bf0579b446f3080408cc39884508e390b58715c9a69b98e3575e9adc7ecde7e72b95b3c9636

Download Submit
memory/4356-133-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4760-180-0x0000000076EE0000-0x0000000076FC3000-memory.dmp

Filesize
908KB

Download
memory/4760-185-0x0000000074690000-0x00000000747B2000-memory.dmp

Filesize
1.1MB

Download
memory/4760-156-0x0000000075CA0000-0x0000000075D1A000-memory.dmp

Filesize
488KB

Download
memory/4760-157-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-158-0x0000000075CA0000-0x0000000075D1A000-memory.dmp

Filesize
488KB

Download
memory/4760-159-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-160-0x0000000075CA0000-0x0000000075D1A000-memory.dmp

Filesize
488KB

Download
memory/4760-161-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-162-0x0000000075CA0000-0x0000000075D1A000-memory.dmp

Filesize
488KB

Download
memory/4760-163-0x0000000076550000-0x0000000076575000-memory.dmp

Filesize
148KB

Download
memory/4760-164-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-165-0x0000000075CA0000-0x0000000075D1A000-memory.dmp

Filesize
488KB

Download
memory/4760-167-0x0000000074850000-0x0000000074880000-memory.dmp

Filesize
192KB

Download
memory/4760-166-0x0000000076550000-0x0000000076575000-memory.dmp

Filesize
148KB

Download
memory/4760-168-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-169-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-170-0x0000000076550000-0x0000000076575000-memory.dmp

Filesize
148KB

Download
memory/4760-171-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-172-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-173-0x0000000076EE0000-0x0000000076FC3000-memory.dmp

Filesize
908KB

Download
memory/4760-174-0x0000000076580000-0x0000000076B33000-memory.dmp

Filesize
5.7MB

Download
memory/4760-175-0x0000000075B70000-0x0000000075C1F000-memory.dmp

Filesize
700KB

Download
memory/4760-176-0x0000000075550000-0x0000000075760000-memory.dmp

Filesize
2.1MB

Download
memory/4760-177-0x0000000074690000-0x00000000747B2000-memory.dmp

Filesize
1.1MB

Download
memory/4760-178-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-179-0x0000000075D20000-0x0000000075DFC000-memory.dmp

Filesize
880KB

Download
memory/4760-147-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-181-0x0000000076580000-0x0000000076B33000-memory.dmp

Filesize
5.7MB

Download
memory/4760-182-0x0000000075B70000-0x0000000075C1F000-memory.dmp

Filesize
700KB

Download
memory/4760-183-0x0000000075550000-0x0000000075760000-memory.dmp

Filesize
2.1MB

Download
memory/4760-184-0x00000000754D0000-0x0000000075544000-memory.dmp

Filesize
464KB

Download
memory/4760-150-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-186-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-187-0x0000000076580000-0x0000000076B33000-memory.dmp

Filesize
5.7MB

Download
memory/4760-188-0x0000000075B70000-0x0000000075C1F000-memory.dmp

Filesize
700KB

Download
memory/4760-189-0x0000000075550000-0x0000000075760000-memory.dmp

Filesize
2.1MB

Download
memory/4760-191-0x0000000074690000-0x00000000747B2000-memory.dmp

Filesize
1.1MB

Download
memory/4760-190-0x00000000754D0000-0x0000000075544000-memory.dmp

Filesize
464KB

Download
memory/4760-192-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-193-0x0000000076580000-0x0000000076B33000-memory.dmp

Filesize
5.7MB

Download
memory/4760-194-0x0000000075B70000-0x0000000075C1F000-memory.dmp

Filesize
700KB

Download
memory/4760-195-0x0000000075550000-0x0000000075760000-memory.dmp

Filesize
2.1MB

Download
memory/4760-197-0x00000000754D0000-0x0000000075544000-memory.dmp

Filesize
464KB

Download
memory/4760-198-0x0000000074690000-0x00000000747B2000-memory.dmp

Filesize
1.1MB

Download
memory/4760-199-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-196-0x0000000076550000-0x0000000076575000-memory.dmp

Filesize
148KB

Download
memory/4760-200-0x0000000076580000-0x0000000076B33000-memory.dmp

Filesize
5.7MB

Download
memory/4760-201-0x0000000075B70000-0x0000000075C1F000-memory.dmp

Filesize
700KB

Download
memory/4760-203-0x00000000754D0000-0x0000000075544000-memory.dmp

Filesize
464KB

Download
memory/4760-202-0x0000000075550000-0x0000000075760000-memory.dmp

Filesize
2.1MB

Download
memory/4760-204-0x0000000074690000-0x00000000747B2000-memory.dmp

Filesize
1.1MB

Download
memory/4760-206-0x0000000075D20000-0x0000000075DFC000-memory.dmp

Filesize
880KB

Download
memory/4760-205-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-207-0x0000000076EE0000-0x0000000076FC3000-memory.dmp

Filesize
908KB

Download
memory/4760-208-0x0000000076580000-0x0000000076B33000-memory.dmp

Filesize
5.7MB

Download
memory/4760-209-0x0000000075B70000-0x0000000075C1F000-memory.dmp

Filesize
700KB

Download
memory/4760-210-0x0000000075550000-0x0000000075760000-memory.dmp

Filesize
2.1MB

Download
memory/4760-211-0x00000000754D0000-0x0000000075544000-memory.dmp

Filesize
464KB

Download
memory/4760-212-0x0000000074690000-0x00000000747B2000-memory.dmp

Filesize
1.1MB

Download
memory/4760-213-0x0000000007490000-0x00000000074F1000-memory.dmp

Filesize
388KB

Download
memory/4760-214-0x0000000076580000-0x0000000076B33000-memory.dmp

Filesize
5.7MB

Download
memory/4760-294-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4760-138-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download