e5e57cc01f94cd129db4fd88860253c0936cb2612a734cb176924ddfa3ffb862

Resubmissions

01/04/2023, 05:43

230401-ge1rcsgc39 8

01/04/2023, 05:42

01/04/2023, 04:26

01/04/2023, 02:49

01/04/2023, 02:31

01/04/2023, 02:27

Analysis

max time kernel
1191s
max time network
1203s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/04/2023, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drfone_setup_full3824 (1).exe
Size

2.2MB
MD5

ee06eafbe8972c749a5161e54d3fdcd6
SHA1

80f4197cf15c36acaf37a1ab8159ec4ab2368c26
SHA256

e5e57cc01f94cd129db4fd88860253c0936cb2612a734cb176924ddfa3ffb862
SHA512

116c7274a1adc3274c046dfdeaf8b187ec31d42dd523522e372b3ce05aada949c4a56856a4cf9c2dfaa2571c5ec62a7629e476d72e8259fa854cfa921b4f83c9
SSDEEP

49152:suI4s4xwYeRQXEEpusP5uKKNeEzo/I/P5jaYRTkTun99ZS6Y0fxfNrBFS:b2Q30rNeEzoiP5ja0397Sb0fxfNrfS

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2688	NFWCHK.exe

Loads dropped DLL 1 IoCs

pid	Process
1472	drfone_setup_full3824 (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	drfone_setup_full3824 (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	drfone_setup_full3824 (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	drfone_setup_full3824 (1).exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	drfone_setup_full3824 (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	drfone_setup_full3824 (1).exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1472	drfone_setup_full3824 (1).exe
1472	drfone_setup_full3824 (1).exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2688	1472	drfone_setup_full3824 (1).exe	29
PID 1472 wrote to memory of 2688	1472	drfone_setup_full3824 (1).exe	29
PID 1472 wrote to memory of 2688	1472	drfone_setup_full3824 (1).exe	29
PID 1472 wrote to memory of 2688	1472	drfone_setup_full3824 (1).exe	29

C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824 (1).exe
"C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824 (1).exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
2KB

MD5
24f07b4bc9688ce195258c3777239244

SHA1
59b6e47ba01c4ce0698adf88e30a632444bb2fe1

SHA256
00dcf836a18e7b5d7b806a2ed96dbac931070f44c5711c18ad686285726ea985

SHA512
24cbf741982b54df25f66c5f6ae026010e631c4750e16c442ff411b7fd164a1da5acca64c655331e22dbdfcfb3cd99f089043f22f8da101d44cc2e1ed2910701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
4KB

MD5
b166d4057cbabe3d01937cd988963e61

SHA1
e24c69780b01be05dcf8010eb1222d483ac163f3

SHA256
c7e8c1705af828d68dfb833c15f3619608ffb8e4f38f579427840c050fc20fa7

SHA512
0439c011896aecc478b314c5e93d0db1b300554dd2c614790f413ea611ae53db5194ce48c6639d26b5cdf3a8e691e901c68c7fedca7609d24ace9b4822a1e821

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
4KB

MD5
e3e4139f860a51d596e1edc262a388ac

SHA1
62a001a8fc75ec2785d70ddb7c8676d753b33ff0

SHA256
b76a0870e52202860146b51da9d91ec224ce137fae3737a2e88275dab6d825d4

SHA512
a2d24a4ae9708c8995d3d98558e72db945f6eddc25f9fbb26b7d77fb73c141972862d4bd984565ea9a3d7d9770f452af5652297e0a18a49654f5b61491405a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
4KB

MD5
e3e4139f860a51d596e1edc262a388ac

SHA1
62a001a8fc75ec2785d70ddb7c8676d753b33ff0

SHA256
b76a0870e52202860146b51da9d91ec224ce137fae3737a2e88275dab6d825d4

SHA512
a2d24a4ae9708c8995d3d98558e72db945f6eddc25f9fbb26b7d77fb73c141972862d4bd984565ea9a3d7d9770f452af5652297e0a18a49654f5b61491405a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
3KB

MD5
3cebbd6ed95177d36816eb42745470c6

SHA1
37f5739e8187d43bbf601d8e857d9aafda2a6179

SHA256
6088dc7ab9debb76c6fbf6c6c6b663d764f359a4409fa32d9f04d0acbd2d0c3b

SHA512
ccaad6d3e04c0ac2e8ae646a459a8a46c82d4c29b292c25092bf1c9b10b4e6fb404cbc9c0328f58751e82302f9c0fc784e494c569d3838490689fddbf85f70b4

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
229B

MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
memory/2688-1128-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/2688-1129-0x0000000001120000-0x0000000001128000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads