Analysis
- max time kernel: 147s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31/03/2023, 16:02
Static task: static1
Behavioral task: behavioral1
- Sample: cbSetup.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: cbSetup.exe
- Resource: win10v2004-20230220-en
General
- Target: cbSetup.exe
- Size: 18.8MB
- MD5: d2ee7a77cb0ca70c873ce55687f85df4
- SHA1: 75d570fccdcad3cf8a3c12c223068077a8cdbe9f
- SHA256: 9ec08d76e4b810de2c3cbc7bd90787cc462deb0accc6996cab2394ab261c7154
- SHA512: 0fc476155a4f7b0c2cff202bda1ec96779b91203a69b3f33bc81943406d568fbf3908a5172ae056d9a583ed64d948d7ab4d980d95b3d69f66595c6866ab768de
- SSDEEP: 393216:feCldVSCRpNH2UJxdvOf8SlfQ/1ChZPB926WmEtZcvMhC0II+:2CldwYWUQf8XN2v8+E3cvM8I+
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  1924  cbSetupI.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  932   cbSetup.exe
  1924  cbSetupI.exe
  1924  cbSetupI.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1924  cbSetupI.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                      pid   Process      procid_target
  PID 932 wrote to memory of 1924  932   cbSetup.exe  27
  PID 932 wrote to memory of 1924  932   cbSetup.exe  27
  PID 932 wrote to memory of 1924  932   cbSetup.exe  27
  PID 932 wrote to memory of 1924  932   cbSetup.exe  27
  PID 932 wrote to memory of 1924  932   cbSetup.exe  27
  PID 932 wrote to memory of 1924  932   cbSetup.exe  27
  PID 932 wrote to memory of 1924  932   cbSetup.exe  27
Processes
- C:\Users\Admin\AppData\Local\Temp\cbSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbSetup.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 932
  - C:\Users\Admin\AppData\Local\Temp\Cobian_Backup_11\cbSetupI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Cobian_Backup_11\cbSetupI.exe" "C:\Users\Admin\AppData\Local\Temp\"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID: 1924
Network
MITRE ATT&CK Enterprise v6
Downloads