Overview

overview

8

Static

static

1

drfone_set...1).exe

windows10-1703-x64

8

Resubmissions

01/04/2023, 05:43

230401-ge1rcsgc39 8

01/04/2023, 05:42

230401-gejg3sgc36 7

01/04/2023, 04:26

230401-e2jegsfh69 8

01/04/2023, 02:49

230401-dbh6csgh41 8

01/04/2023, 02:31

230401-czqdxagg7v 8

01/04/2023, 02:27

230401-cxvwlsfd87 8

Analysis

  • max time kernel
    1799s
  • max time network
    1602s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01/04/2023, 05:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    drfone_setup_full3824 (1).exe

  • Size

    2.2MB

  • MD5

    ee06eafbe8972c749a5161e54d3fdcd6

  • SHA1

    80f4197cf15c36acaf37a1ab8159ec4ab2368c26

  • SHA256

    e5e57cc01f94cd129db4fd88860253c0936cb2612a734cb176924ddfa3ffb862

  • SHA512

    116c7274a1adc3274c046dfdeaf8b187ec31d42dd523522e372b3ce05aada949c4a56856a4cf9c2dfaa2571c5ec62a7629e476d72e8259fa854cfa921b4f83c9

  • SSDEEP

    49152:suI4s4xwYeRQXEEpusP5uKKNeEzo/I/P5jaYRTkTun99ZS6Y0fxfNrBFS:b2Q30rNeEzoiP5ja0397Sb0fxfNrfS

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824 (1).exe
    "C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824 (1).exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Public\Documents\Wondershare\NFWCHK.exe
      C:\Users\Public\Documents\Wondershare\NFWCHK.exe
      2⤵
      • Executes dropped EXE
      PID:4536
    • C:\Users\Public\Documents\Wondershare\drfone_full3824.exe
      "C:\Users\Public\Documents\Wondershare\drfone_full3824.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\Admin\AppData\Local\Temp\WAE-drfone.log" /installpath: "C:\Program Files (x86)\Wondershare\drfone\" /DIR="C:\Program Files (x86)\Wondershare\drfone\" /WAEWIN=80048 /PID=3824
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Users\Admin\AppData\Local\Temp\is-75CHS.tmp\drfone_full3824.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-75CHS.tmp\drfone_full3824.tmp" /SL5="$501DC,309495938,673280,C:\Users\Public\Documents\Wondershare\drfone_full3824.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\Admin\AppData\Local\Temp\WAE-drfone.log" /installpath: "C:\Program Files (x86)\Wondershare\drfone\" /DIR="C:\Program Files (x86)\Wondershare\drfone\" /WAEWIN=80048 /PID=3824
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4508
        • C:\Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\ProcessKiller.exe
          "C:\Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\ProcessKiller.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5048

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log
    Filesize

    496B

    MD5

    aecd9774318851b4cdb42385f93f4a25

    SHA1

    8ce6f5148acf0a60a2e7c87de5785072cbe550d1

    SHA256

    7977a6cc8381852d489d0bc29efcc5b905135ae4cdf866aacabe25ae6c692c7a

    SHA512

    b507712f412d5bac6664ab150d52ed17eeb21bdd4d8f36a302435c34d67da614d45789c619f031ccdd7a755a345e479bcb1dede07d102606bcab73e620e22ab6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log
    Filesize

    4KB

    MD5

    8ee47114b4ba46934aa31fe7cff7bf85

    SHA1

    a8f8747804bf42492a7fd306b335d30b0708a973

    SHA256

    071eb8f954f4c7ee7e97c220ed17e387ee1dd4bf911984b53e7142201596afc1

    SHA512

    fb7ff3a62af2ac2ae9ea19d80d2e78adc87285c609d87355c7e8d8efb3c02972f53dd9f69af29f0215453350b65c721917433b95b4a8456393e0817addaeb6c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-75CHS.tmp\drfone_full3824.tmp
    Filesize

    1.7MB

    MD5

    192369ebd80fb01ccfc585d8043bf733

    SHA1

    3d77774e3159cd0c277e5bb6b68493df2eeaf038

    SHA256

    b8828f657fe052ddce0db320d08e619e316eaf3853d09272f1a5c7bd850ac8f3

    SHA512

    042c1710d8330449086e7e1ff952d2102e07985628cf4f1e96de25a62045038e6381d8ea1ce5ef43c31e265fc04a9553c67b1864f487d271e620c0c509d80ea2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-75CHS.tmp\drfone_full3824.tmp
    Filesize

    1.7MB

    MD5

    192369ebd80fb01ccfc585d8043bf733

    SHA1

    3d77774e3159cd0c277e5bb6b68493df2eeaf038

    SHA256

    b8828f657fe052ddce0db320d08e619e316eaf3853d09272f1a5c7bd850ac8f3

    SHA512

    042c1710d8330449086e7e1ff952d2102e07985628cf4f1e96de25a62045038e6381d8ea1ce5ef43c31e265fc04a9553c67b1864f487d271e620c0c509d80ea2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-75CHS.tmp\drfone_full3824.tmp
    Filesize

    1.7MB

    MD5

    192369ebd80fb01ccfc585d8043bf733

    SHA1

    3d77774e3159cd0c277e5bb6b68493df2eeaf038

    SHA256

    b8828f657fe052ddce0db320d08e619e316eaf3853d09272f1a5c7bd850ac8f3

    SHA512

    042c1710d8330449086e7e1ff952d2102e07985628cf4f1e96de25a62045038e6381d8ea1ce5ef43c31e265fc04a9553c67b1864f487d271e620c0c509d80ea2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\Customization.xml
    Filesize

    102KB

    MD5

    482ffbac9483f0e49537026160beb28d

    SHA1

    cf70b8e7982abf823a6792e14c4c49b4d7e20f95

    SHA256

    98ddf774d0b890965410326670b1a9797bc85aeb24fb4ebfe0286ceca3ff8122

    SHA512

    cf20a41e94281374a91bf92c281152a12234763a8cca01d94eac46a0c55c6a70416700a0108306a7d98a71808839918d5919bebd75620b526dddc73cdcd907dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\ProcessKiller.exe
    Filesize

    10KB

    MD5

    50e2db9f1096b0c80873ee6341a4fbc2

    SHA1

    1d3d506314796d480bdf6a9de99246960cbc7b3f

    SHA256

    708bc1ab44f30a8a96c769acbea936a9bd9758523252a6c71da0e3ed0c678390

    SHA512

    1de5ddf3750fab23c9d026cb3b8b1fbe481da1d37f1bbb7ae9ed7cc724d8dfd728f16700529259a48fd5db6a1533615bd58d7034d856a09edea3082bcef541c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\ProcessKiller.exe
    Filesize

    10KB

    MD5

    50e2db9f1096b0c80873ee6341a4fbc2

    SHA1

    1d3d506314796d480bdf6a9de99246960cbc7b3f

    SHA256

    708bc1ab44f30a8a96c769acbea936a9bd9758523252a6c71da0e3ed0c678390

    SHA512

    1de5ddf3750fab23c9d026cb3b8b1fbe481da1d37f1bbb7ae9ed7cc724d8dfd728f16700529259a48fd5db6a1533615bd58d7034d856a09edea3082bcef541c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\ProcessKiller.exe.config
    Filesize

    580B

    MD5

    aa08c8fa940b0850cd84af85278351d7

    SHA1

    00c117b369f86c9d4f18d54c4dda460c63d4c173

    SHA256

    569218463823b1d489f51b76993cbe77aa61be7fe3b1e567f2bf1760af014bbe

    SHA512

    84071521004cca1eca0a33739723a0210a11e08446f405b8215d4974d647abb7a5f25f4f6fdbcededa8515703aeda753eba995e37c2ca4094dba2eb334b0d2cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\is-FB6QA.tmp
    Filesize

    10KB

    MD5

    50e2db9f1096b0c80873ee6341a4fbc2

    SHA1

    1d3d506314796d480bdf6a9de99246960cbc7b3f

    SHA256

    708bc1ab44f30a8a96c769acbea936a9bd9758523252a6c71da0e3ed0c678390

    SHA512

    1de5ddf3750fab23c9d026cb3b8b1fbe481da1d37f1bbb7ae9ed7cc724d8dfd728f16700529259a48fd5db6a1533615bd58d7034d856a09edea3082bcef541c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
    Filesize

    945B

    MD5

    e76c48a8604320ad28bd517752ffb7ac

    SHA1

    a51b3c4e553d7d7284849900ce39e51216234345

    SHA256

    0a4eb48d665e4f585c0fb6767082fe23cf693b1e3df3de84861bf5452f664011

    SHA512

    24e1cb021b7c52f7f1f423ecfb445f2648af377ae0148637a24d9a47fac465c846df3a89229ba4f0a35ce08551bf93ea1481a7295ecaaa297d04cb253861f050

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
    Filesize

    4KB

    MD5

    886d08f64ead645fac557a00b6db8058

    SHA1

    13a317ea83e14eede7b2d91f9f362474c1c1888c

    SHA256

    705b9edb68cb923cfddb189eb4a203633d5e27c39e45266a673f876dcfff3520

    SHA512

    98bb39649d33d36f7dd08ee420f8d1d3ebc044bd1063e0b5588d14340678b0c3a3755ac4d2a3fe29396d7d4685777b3d91e31bf6f881159882c96bca9111b434

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wsduilib.log
    Filesize

    6KB

    MD5

    0aa8397c4669d7a0e1d2637d39e54d70

    SHA1

    8aee8fe62cb265f0ca31c25aae45feb4b7273ef0

    SHA256

    69e2049db2da2262df8619453b253b1962e578ca6a053482acabfba5d9fd77ab

    SHA512

    8a1530d4d526e5b75ede5e66560bafe2ac6d88a6bc31a20043a93868c5e259beeb7370faf7eec3dd2d5b7662b6430ddce8d62951b68c9310622723b2002d6f7d

    Download Submit

  • C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    Filesize

    7KB

    MD5

    27cfb3990872caa5930fa69d57aefe7b

    SHA1

    5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

    SHA256

    43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

    SHA512

    a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

    Download Submit

  • C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    Filesize

    7KB

    MD5

    27cfb3990872caa5930fa69d57aefe7b

    SHA1

    5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

    SHA256

    43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

    SHA512

    a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

    Download Submit

  • C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
    Filesize

    229B

    MD5

    ad0967a0ab95aa7d71b3dc92b71b8f7a

    SHA1

    ed63f517e32094c07a2c5b664ed1cab412233ab5

    SHA256

    9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

    SHA512

    85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

    Download Submit

  • C:\Users\Public\Documents\Wondershare\drfone_full3824.exe
    Filesize

    296.3MB

    MD5

    81305532cb0c94e23bc23cd8f7074861

    SHA1

    f867ebdd38e12f217465df852af9d461a74256c6

    SHA256

    2debe80b3688b2a2645b99b746688989eb2814f3aeaa0339d8706ac6f5a9d195

    SHA512

    f3e5deb524d79b6bb237acefac3d1fbfe43a00abbc6aa4455a9c5b0002136379fa411b8851a3df2bfe9c2a6d358bdd4fed890823ab8c8b79412993b3e11d9ea0

    Download Submit

  • C:\Users\Public\Documents\Wondershare\drfone_full3824.exe
    Filesize

    296.3MB

    MD5

    81305532cb0c94e23bc23cd8f7074861

    SHA1

    f867ebdd38e12f217465df852af9d461a74256c6

    SHA256

    2debe80b3688b2a2645b99b746688989eb2814f3aeaa0339d8706ac6f5a9d195

    SHA512

    f3e5deb524d79b6bb237acefac3d1fbfe43a00abbc6aa4455a9c5b0002136379fa411b8851a3df2bfe9c2a6d358bdd4fed890823ab8c8b79412993b3e11d9ea0

    Download Submit

  • C:\Users\Public\Documents\Wondershare\drfone_full3824.exe.~P2S
    Filesize

    296.3MB

    MD5

    81305532cb0c94e23bc23cd8f7074861

    SHA1

    f867ebdd38e12f217465df852af9d461a74256c6

    SHA256

    2debe80b3688b2a2645b99b746688989eb2814f3aeaa0339d8706ac6f5a9d195

    SHA512

    f3e5deb524d79b6bb237acefac3d1fbfe43a00abbc6aa4455a9c5b0002136379fa411b8851a3df2bfe9c2a6d358bdd4fed890823ab8c8b79412993b3e11d9ea0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\UpdateIcon.dll
    Filesize

    45KB

    MD5

    2aa5d7ac4c9fc121934dec64da362af0

    SHA1

    b37ecc61d70d536779fec87d5c482a9fe4a71e3c

    SHA256

    9c7b3dbd9dc03b59bdbeaf21649d9de7ccb909f50054244315e54f92e14f6612

    SHA512

    3f366f2981d764ef7e19e2e99a1d8e80a2558c650573d4f5f9f633920d3726cae741892a01400e19e9d7716941c29fa51860cacbcbde6b359aecfb2ffe1d1f62

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\UpdateIcon.dll
    Filesize

    45KB

    MD5

    2aa5d7ac4c9fc121934dec64da362af0

    SHA1

    b37ecc61d70d536779fec87d5c482a9fe4a71e3c

    SHA256

    9c7b3dbd9dc03b59bdbeaf21649d9de7ccb909f50054244315e54f92e14f6612

    SHA512

    3f366f2981d764ef7e19e2e99a1d8e80a2558c650573d4f5f9f633920d3726cae741892a01400e19e9d7716941c29fa51860cacbcbde6b359aecfb2ffe1d1f62

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-PPOHH.tmp\WSUtilities.dll
    Filesize

    188KB

    MD5

    a0cefe160f504402b5148580c5b912bf

    SHA1

    3b6c9641a7b2edff1b60bd55b8eeb7c34eab8aee

    SHA256

    4333dae45b166e2ec59c49a46ff6abe3342d9191ebafda9b53803e639e33f1d1

    SHA512

    a9e9fff977c3e365caf0a5351b07319502a22f6ddf34267e9d77b171dbdce82d6cfb6bb49b7ba4b5c6966d97c3630ff2944a96f32c26819e43ed85b4f15f862d

    Download Submit

  • memory/1812-2788-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1812-2764-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1812-2767-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1812-2768-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1812-2794-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/4508-2793-0x0000000000400000-0x00000000005B4000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4508-2789-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-2867-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-2841-0x0000000004C10000-0x0000000004C1E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4508-2801-0x0000000000400000-0x00000000005B4000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4508-2868-0x0000000000400000-0x00000000005B4000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4508-2869-0x0000000004C10000-0x0000000004C1E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4508-2906-0x0000000004C10000-0x0000000004C1E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4508-3152-0x0000000000400000-0x00000000005B4000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4508-3173-0x0000000000400000-0x00000000005B4000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4536-1200-0x000000001BBB0000-0x000000001BBF9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4536-1202-0x000000001C1B0000-0x000000001C67E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4536-1194-0x00000000005A0000-0x00000000005A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4536-1195-0x0000000002600000-0x0000000002624000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4536-1646-0x000000001CBD0000-0x000000001CC0E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4536-1645-0x000000001BB30000-0x000000001BB38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4536-1203-0x000000001C720000-0x000000001C7BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4536-1196-0x000000001B3A0000-0x000000001B3B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4536-1201-0x000000001BC70000-0x000000001BCD2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4536-1199-0x0000000002670000-0x0000000002680000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-1198-0x000000001B400000-0x000000001B70E000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4536-1197-0x000000001B3E0000-0x000000001B400000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5048-2834-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5048-2833-0x00000000002D0000-0x00000000002D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5048-2835-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

    Filesize

    64KB

    Download