Overview

overview

7

Static

static

1

recoveryto...ll.exe

windows7-x64

7

recoveryto...ll.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    53s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01-04-2023 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    recoverytoolboxforoutlookpasswordinstall.exe

  • Size

    839KB

  • MD5

    bcd11ebbaa06f6f3df4f84959f5b835d

  • SHA1

    17bf8a8f06bc5edc9b76cfa38011baee0d413c80

  • SHA256

    984d81d0eec2086985364a9f190a5a575e31740b171fb136e2e75a17c2ffde86

  • SHA512

    4680186092ebe9b6a71e46a57c8382e5c83c7effad73b83887d1aebd4090e394dea748cc1fb9ea8a94ffaf1a3bc79c25f2e9aaa0ec9072c24f4fb038f7897a34

  • SSDEEP

    24576:22UxSjabHuEXe4Sm3laMMuV4/V+8YaXav:22ou/ilD62aS

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\recoverytoolboxforoutlookpasswordinstall.exe
    "C:\Users\Admin\AppData\Local\Temp\recoverytoolboxforoutlookpasswordinstall.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Users\Admin\AppData\Local\Temp\is-D1C1B.tmp\recoverytoolboxforoutlookpasswordinstall.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-D1C1B.tmp\recoverytoolboxforoutlookpasswordinstall.tmp" /SL5="$70128,616334,53248,C:\Users\Admin\AppData\Local\Temp\recoverytoolboxforoutlookpasswordinstall.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolBoxForOutlookPassword.exe
        "C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolBoxForOutlookPassword.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolBoxForOutlookPassword.exe
    Filesize

    559KB

    MD5

    50cdf6ec022c7ee1110110fa5d521527

    SHA1

    65c284e03691acb3464abefafcae0c3737289a08

    SHA256

    8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

    SHA512

    e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

    Download Submit
  • C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolboxForOutlookPassword.exe
    Filesize

    559KB

    MD5

    50cdf6ec022c7ee1110110fa5d521527

    SHA1

    65c284e03691acb3464abefafcae0c3737289a08

    SHA256

    8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

    SHA512

    e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

    Download Submit
  • C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolboxForOutlookPassword.exe
    Filesize

    559KB

    MD5

    50cdf6ec022c7ee1110110fa5d521527

    SHA1

    65c284e03691acb3464abefafcae0c3737289a08

    SHA256

    8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

    SHA512

    e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-D1C1B.tmp\recoverytoolboxforoutlookpasswordinstall.tmp
    Filesize

    669KB

    MD5

    52950ac9e2b481453082f096120e355a

    SHA1

    159c09db1abcee9114b4f792ffba255c78a6e6c3

    SHA256

    25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

    SHA512

    5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-D1C1B.tmp\recoverytoolboxforoutlookpasswordinstall.tmp
    Filesize

    669KB

    MD5

    52950ac9e2b481453082f096120e355a

    SHA1

    159c09db1abcee9114b4f792ffba255c78a6e6c3

    SHA256

    25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

    SHA512

    5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

    Download Submit
  • \Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolboxForOutlookPassword.exe
    Filesize

    559KB

    MD5

    50cdf6ec022c7ee1110110fa5d521527

    SHA1

    65c284e03691acb3464abefafcae0c3737289a08

    SHA256

    8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

    SHA512

    e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

    Download Submit
  • \Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolboxForOutlookPassword.exe
    Filesize

    559KB

    MD5

    50cdf6ec022c7ee1110110fa5d521527

    SHA1

    65c284e03691acb3464abefafcae0c3737289a08

    SHA256

    8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

    SHA512

    e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

    Download Submit
  • \Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolboxForOutlookPassword.exe
    Filesize

    559KB

    MD5

    50cdf6ec022c7ee1110110fa5d521527

    SHA1

    65c284e03691acb3464abefafcae0c3737289a08

    SHA256

    8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

    SHA512

    e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

    Download Submit
  • \Program Files (x86)\Recovery ToolBox for Outlook Password\unins000.exe
    Filesize

    679KB

    MD5

    49aa5045fc83d7e5ab36c821b7419de1

    SHA1

    baffc10ff593607238becfec979319bf5385fc61

    SHA256

    60c4d5b66eb14867d710635bf3991e6870cff1cde5d97aaa726fb3bc865be644

    SHA512

    fecaef328800af420d67926d2cf10a85a40adc1664c86fa484e1f22305598e7c9fdd5f186dbd38b0d79ae529a54f8b4e5fd4a35c6c0cc77171601b4a40236400

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-BFQ11.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-BFQ11.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-D1C1B.tmp\recoverytoolboxforoutlookpasswordinstall.tmp
    Filesize

    669KB

    MD5

    52950ac9e2b481453082f096120e355a

    SHA1

    159c09db1abcee9114b4f792ffba255c78a6e6c3

    SHA256

    25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

    SHA512

    5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

    Download Submit
  • memory/824-70-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/824-110-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/824-54-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1132-98-0x0000000003C10000-0x0000000003C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1132-100-0x0000000000400000-0x00000000004B6000-memory.dmp
    Filesize

    728KB

    Download
  • memory/1132-97-0x0000000003C10000-0x0000000003C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1132-109-0x0000000000400000-0x00000000004B6000-memory.dmp
    Filesize

    728KB

    Download
  • memory/1132-71-0x0000000000400000-0x00000000004B6000-memory.dmp
    Filesize

    728KB

    Download
  • memory/1132-69-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-113-0x0000000001ED0000-0x0000000001ED2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1992-114-0x0000000000400000-0x0000000000574000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-115-0x0000000001F20000-0x0000000001F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-117-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-116-0x0000000001EC0000-0x0000000001EC3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1992-118-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-121-0x0000000000400000-0x0000000000574000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-122-0x0000000000400000-0x0000000000574000-memory.dmp
    Filesize

    1.5MB

    Download