Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    24-03-2023 20:26

General

  • Target

    Lightroom_Set-Up.exe

  • Size

    2.8MB

  • MD5

    6bb8c91c81fb2d72cf3df3cace1edb6d

  • SHA1

    421d30308ad14ae4d2ce0b6fd513070d141610e6

  • SHA256

    8202ac434e2ef9f4555556a7b73dd8b9f63c61b4ff1efe5817a627219a287e47

  • SHA512

    dae3a245425770d93aa927e99acd9b277cf2205f443644af9ac1f8ab4a29ae914fa468b235b3260debeebcdf0facf406d2a6d641a5e5a1b026dc8f82b1cb3d33

  • SSDEEP

    49152:S51Z7F25DNGy3g9lRC8mk62yFjqGAuf75pqjf8jJPfs/kfwMflf0hchZgtyQr:S515F2W+8ClgduD59fVfwM/aV

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 7 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer. This fits the memory dumps listed under Downloads: the 9.3MB region at 0x012B0000-0x01BF3000 in PID 836 is far larger than the 2.8MB file on disk, consistent with the UPX stub decompressing the real image in memory. When a modified header makes stock `upx -d` refuse the file, those dumps are where the unpacked code is.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Ransomware does this to find volumes to encrypt, but so do installers, backup tools and disk utilities, so on its own this signature is weak evidence and should be weighed with the rest of the report.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments. The usual source is HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (ProcessorNameString, ~MHz); legitimate installers read the same key for system-requirement checks, so treat it as a sandbox-evasion hint rather than proof.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
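To reproduce the "UPX packed file" verdict on a copy of the sample, and to confirm the copy is the same file the report hashed, here is an added example (my code, not the sandbox's detection logic): it checks SHA256 against the report, walks the PE section table for the UPX0/UPX1 section names and the `UPX!` packheader magic, and measures per-section entropy so renamed-section "modified UPX" builds still stand out. `build_fake_pe` constructs a minimal, non-loadable PE purely so the demo runs offline; the thresholds (entropy above 7.0 bits per byte) are my own choice.

```python
"""Static check of a sample against the report: hashes, UPX section names,
section entropy. Added example for this page, not the sandbox's own code."""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

# SHA256 of Lightroom_Set-Up.exe as listed in the report above.
REPORT_SHA256 = "8202ac434e2ef9f4555556a7b73dd8b9f63c61b4ff1efe5817a627219a287e47"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data sits near 8.0, plain x86 code lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Walk the COFF section table and yield (name, raw_offset, raw_size)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + size_opt
    for i in range(num_sections):
        off = table + i * 40
        name = blob[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, raw_ptr, raw_size


def upx_indicators(blob: bytes) -> dict:
    """Collect the evidence a 'UPX packed file' signature relies on."""
    sections = list(pe_sections(blob))
    names = {n for n, _, _ in sections}
    entropies = {n: shannon_entropy(blob[p:p + s]) for n, p, s in sections if s}
    return {
        "section_count": len(sections),
        "upx_section_names": sorted(n.decode("latin-1") for n in names & UPX_SECTION_NAMES),
        # "UPX!" is the magic of the packheader UPX writes into the file.
        "upx_marker": b"UPX!" in blob,
        "high_entropy_sections": sorted(n.decode("latin-1") for n, e in entropies.items() if e > 7.0),
    }


def looks_upx_packed(blob: bytes) -> bool:
    ind = upx_indicators(blob)
    # Renamed sections are common in modified UPX builds, so accept either clue.
    return bool(ind["upx_section_names"]) or ind["upx_marker"]


def sha256_matches_report(blob: bytes, expected: str = REPORT_SHA256) -> bool:
    return hashlib.sha256(blob).hexdigest() == expected.lower()


def build_fake_pe(sections):
    """Constructed minimal 32-bit PE (DOS stub, COFF header, zeroed optional header,
    one raw section per (name, payload)) so the demo runs offline. Not loadable."""
    n = len(sections)
    e_lfanew, size_opt, file_align = 0x40, 0xE0, 0x200
    hdr_end = e_lfanew + 4 + 20 + size_opt + 40 * n
    raw_base = (hdr_end + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    table, body = b"", b""
    for name, payload in sections:
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 zero bytes
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIII", len(payload), 0x1000, len(payload), raw_base + len(body)) + b"\0" * 16
        body += payload
    blob = (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0")
    return blob + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    print("matches report:", sha256_matches_report(data))
    print(upx_indicators(data))
```

Run it as `python upxcheck.py Lightroom_Set-Up.exe` on the downloaded sample. A section-name hit plus a high-entropy section is the strong case; a lone high-entropy section with ordinary names can also be a resource blob or an installer payload, which is why the hash check against the report comes first.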

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lightroom_Set-Up.exe
    "C:\Users\Admin\AppData\Local\Temp\Lightroom_Set-Up.exe"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:836
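The registry-based behaviours attributed to PID 836 above (processor info, system info, Internet Explorer settings, certificate store) can be re-derived from a Procmon CSV export of the same run. The following is an added example of that triage, written for this page; the rule table is my own approximation of the sandbox's unpublished signatures, the Procmon rows are constructed (default Procmon CSV columns, placeholder certificate thumbprint), and the hypervisor marker list is an assumption. It also extracts what a VM-aware sample would actually have seen in the values it read, which is the practical question behind the "sandbox detection" note on the processor signature.

```python
"""Re-derive the report's registry signatures from a Procmon CSV export and show which
registry values would have revealed a hypervisor. Added example; the rule table is an
approximation, not the sandbox's actual rules."""
import csv
import io
import re

# Assumed mapping from registry path + operation to the signature names used in the report.
SIGNATURE_RULES = [
    ("Checks processor information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
     {"RegOpenKey", "RegQueryValue"}),
    ("Enumerates system info in registry",
     re.compile(r"^HKLM\\(HARDWARE\\DESCRIPTION\\System\\BIOS|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion)\\", re.I),
     {"RegOpenKey", "RegQueryValue"}),
    ("Modifies Internet Explorer settings",
     re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\", re.I),
     {"RegCreateKey", "RegSetValue"}),
    ("Modifies system certificate store",
     re.compile(r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\", re.I),
     {"RegCreateKey", "RegSetValue"}),
]

# Assumed list of strings in registry data that give away a hypervisor to a VM-aware sample.
VM_MARKERS = ("QEMU", "VMware", "VirtualBox", "VBOX", "Xen", "KVM", "Hyper-V")

# Constructed Procmon rows for PID 836 plus one unrelated process; <thumbprint> is a
# placeholder, not a value taken from the report.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:26:01.1000000 PM","Lightroom_Set-Up.exe","836","RegOpenKey","HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0","SUCCESS","Desired Access: Read"
"8:26:01.1000100 PM","Lightroom_Set-Up.exe","836","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString","SUCCESS","Type: REG_SZ, Length: 80, Data: Intel(R) Core(TM) i5"
"8:26:01.1000200 PM","Lightroom_Set-Up.exe","836","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 24, Data: QEMU"
"8:26:01.1000300 PM","Lightroom_Set-Up.exe","836","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 40, Data: Windows 7 Ultimate"
"8:26:02.0000000 PM","Lightroom_Set-Up.exe","836","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"8:26:02.0000100 PM","Lightroom_Set-Up.exe","836","RegSetValue","HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>\Blob","SUCCESS","Type: REG_BINARY, Length: 1200"
"8:26:02.0000200 PM","explorer.exe","1504","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz","SUCCESS","Type: REG_DWORD"
'''


def _rows(csv_text, pid):
    for row in csv.DictReader(io.StringIO(csv_text)):
        if pid is None or row["PID"] == str(pid):
            yield row


def classify_registry_activity(csv_text, pid=None):
    """Map each matching registry event to a signature name. Filter by PID: the sandbox
    attributes IoCs per process, and the same CentralProcessor reads by explorer.exe
    are benign noise."""
    hits = {}
    for row in _rows(csv_text, pid):
        for signature, pattern, operations in SIGNATURE_RULES:
            if row["Operation"] in operations and pattern.search(row["Path"]):
                hits.setdefault(signature, set()).add(row["Path"])
    return {sig: sorted(paths) for sig, paths in hits.items()}


def vm_markers_seen(csv_text, pid=None):
    """Values the process actually read that name a hypervisor: what an anti-sandbox
    check keyed on these registry paths would have seen."""
    seen = []
    for row in _rows(csv_text, pid):
        if row["Operation"] != "RegQueryValue":
            continue
        m = re.search(r"Data: (.+)$", row["Detail"])
        if m and any(marker.lower() in m.group(1).lower() for marker in VM_MARKERS):
            seen.append((row["Path"], m.group(1)))
    return seen


if __name__ == "__main__":
    import json
    import sys
    # Procmon's CSV export is UTF-8 with a BOM; fall back to the constructed sample.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_PROCMON_CSV
    print(json.dumps(classify_registry_activity(text, pid=836), indent=2))
    print(vm_markers_seen(text, pid=836))
```

Note that the two read-based signatures need a Procmon or ETW trace: Sysmon registry events (IDs 12, 13, 14) only cover key creation, value writes and renames, so a Sysmon-only pipeline will reproduce the IE-settings and certificate-store findings but not the processor or system-info reads.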

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry (2 signatures) T1112
  • Install Root Certificate (1 signature) T1130

Discovery

  • System Information Discovery (3 signatures) T1082
  • Query Registry (2 signatures) T1012

The IDs are from ATT&CK v6; in current ATT&CK, T1130 has been folded into T1553.004 (Subvert Trust Controls: Install Root Certificate), so map it before correlating with newer reports.

Downloads

  • C:\Users\Admin\AppData\Local\Temp\{62278473-A68A-4246-B4C7-A10E58320594}\CCDInstaller.js
    Filesize

    1.2MB

    MD5

    18d4529e99a898e41b49178111edc235

    SHA1

    2d15cc2c4cae620db158024a29407351878526ab

    SHA256

    13c952c9dab374ee2ef3de41f2ab5f9d1b488f94f5400498e69bb18bc68bc00b

    SHA512

    e35a072f6aaae8ac111a1b9377d6f86fc47f6064860f07a73b3c8831b4ce4f3d159c5005ce72983a05e3607946a3e42c5803fd2ee5b4b42a7d13511c1abf1341

  • C:\Users\Admin\AppData\Local\Temp\{62278473-A68A-4246-B4C7-A10E58320594}\index.html
    Filesize

    426B

    MD5

    a28ab17b18ff254173dfeef03245efd0

    SHA1

    c6ce20924565644601d4e0dd0fba9dde8dea5c77

    SHA256

    886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

    SHA512

    9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

  • memory/836-77-0x00000000012B0000-0x0000000001BF3000-memory.dmp
    Filesize

    9.3MB

  • memory/836-79-0x0000000000B30000-0x0000000000B31000-memory.dmp
    Filesize

    4KB

  • memory/836-111-0x00000000012B0000-0x0000000001BF3000-memory.dmp
    Filesize

    9.3MB

  • memory/836-137-0x00000000012B0000-0x0000000001BF3000-memory.dmp
    Filesize

    9.3MB

  • memory/836-141-0x00000000012B0000-0x0000000001BF3000-memory.dmp
    Filesize

    9.3MB

  • memory/836-144-0x00000000012B0000-0x0000000001BF3000-memory.dmp
    Filesize

    9.3MB

  • memory/836-147-0x00000000012B0000-0x0000000001BF3000-memory.dmp
    Filesize

    9.3MB

  • memory/836-150-0x00000000012B0000-0x0000000001BF3000-memory.dmp
    Filesize

    9.3MB