8828ee6a8837c928a60c731b5b83aa7fee23ef9b8b0c949463765687f68cac52

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/04/2023, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EditorModeloTenkaichi3v16.2.exe
Size

65.4MB
MD5

f2ddfcb07bfc1d02d0a306eff899d7f0
SHA1

83968795e553d8bc060f9dedd8b1e0d94d1f89bb
SHA256

8828ee6a8837c928a60c731b5b83aa7fee23ef9b8b0c949463765687f68cac52
SHA512

02772ed1bdba35f6ee2bb7fc8bedf6a0ee719b4c174053229adfaeb9f27cc1a404ff49bfa2c5b19022355e71aded22c42cd8fea3a6876ec18613ee09d3f06fdd
SSDEEP

1572864:2yX83jyqYikLpq2VZC/RmYNMkQMAvblCiH8Y/40JkM:2ydjE0k

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1088	EditorModeloTenkaichi3.exe
1112	EditorModeloTenkaichi3.exe
676	php-cgi.exe

Loads dropped DLL 9 IoCs

pid	Process
1704	EditorModeloTenkaichi3v16.2.exe
1088	EditorModeloTenkaichi3.exe
1088	EditorModeloTenkaichi3.exe
1088	EditorModeloTenkaichi3.exe
1112	EditorModeloTenkaichi3.exe
1112	EditorModeloTenkaichi3.exe
1088	EditorModeloTenkaichi3.exe
676	php-cgi.exe
676	php-cgi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EditorModeloTenkaichi3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EditorModeloTenkaichi3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EditorModeloTenkaichi3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EditorModeloTenkaichi3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1088	EditorModeloTenkaichi3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1088	1704	EditorModeloTenkaichi3v16.2.exe	28
PID 1704 wrote to memory of 1088	1704	EditorModeloTenkaichi3v16.2.exe	28
PID 1704 wrote to memory of 1088	1704	EditorModeloTenkaichi3v16.2.exe	28
PID 1704 wrote to memory of 1088	1704	EditorModeloTenkaichi3v16.2.exe	28
PID 1088 wrote to memory of 1112	1088	EditorModeloTenkaichi3.exe	29
PID 1088 wrote to memory of 1112	1088	EditorModeloTenkaichi3.exe	29
PID 1088 wrote to memory of 1112	1088	EditorModeloTenkaichi3.exe	29
PID 1088 wrote to memory of 1112	1088	EditorModeloTenkaichi3.exe	29
PID 1088 wrote to memory of 676	1088	EditorModeloTenkaichi3.exe	30
PID 1088 wrote to memory of 676	1088	EditorModeloTenkaichi3.exe	30
PID 1088 wrote to memory of 676	1088	EditorModeloTenkaichi3.exe	30
PID 1088 wrote to memory of 676	1088	EditorModeloTenkaichi3.exe	30

C:\Users\Admin\AppData\Local\Temp\EditorModeloTenkaichi3v16.2.exe
"C:\Users\Admin\AppData\Local\Temp\EditorModeloTenkaichi3v16.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe
  "C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe
    "C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe" --type=renderer --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\debug.log" --disable-webgl --disable-pepper-3d --disable-gl-multisampling --disable-accelerated-compositing --disable-accelerated-2d-canvas --disable-accelerated-video-decode --channel="1088.0.1043006533\1298425195" /prefetch:673131151
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php-cgi.exe
    C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php-cgi.exe "C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\index.php"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\~SFX000006A8\EDITORMODELOTENKAICHI3.EXE

Filesize
1.3MB

MD5
13007b8a151b2eb4648ae4420ba8664a

SHA1
ca7282d8357fbf22aea39542b810ffcb49b8d6d7

SHA256
5a351a22180c0f777ddbe0f4e92fe8c9e2c1be6b3b71620fc6bc3fa96d76f7fe

SHA512
d76b8c63670ac7522fc34fa42d1cf746e6ed3ab4fc03d28b4246bbd9219d73c47cb1c11aee77a5b27cb3a38738cbc29cd73894287c18864816cc35ccddcc9577

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe

Filesize
1.3MB

MD5
13007b8a151b2eb4648ae4420ba8664a

SHA1
ca7282d8357fbf22aea39542b810ffcb49b8d6d7

SHA256
5a351a22180c0f777ddbe0f4e92fe8c9e2c1be6b3b71620fc6bc3fa96d76f7fe

SHA512
d76b8c63670ac7522fc34fa42d1cf746e6ed3ab4fc03d28b4246bbd9219d73c47cb1c11aee77a5b27cb3a38738cbc29cd73894287c18864816cc35ccddcc9577

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe

Filesize
1.3MB

MD5
13007b8a151b2eb4648ae4420ba8664a

SHA1
ca7282d8357fbf22aea39542b810ffcb49b8d6d7

SHA256
5a351a22180c0f777ddbe0f4e92fe8c9e2c1be6b3b71620fc6bc3fa96d76f7fe

SHA512
d76b8c63670ac7522fc34fa42d1cf746e6ed3ab4fc03d28b4246bbd9219d73c47cb1c11aee77a5b27cb3a38738cbc29cd73894287c18864816cc35ccddcc9577

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe

Filesize
1.3MB

MD5
13007b8a151b2eb4648ae4420ba8664a

SHA1
ca7282d8357fbf22aea39542b810ffcb49b8d6d7

SHA256
5a351a22180c0f777ddbe0f4e92fe8c9e2c1be6b3b71620fc6bc3fa96d76f7fe

SHA512
d76b8c63670ac7522fc34fa42d1cf746e6ed3ab4fc03d28b4246bbd9219d73c47cb1c11aee77a5b27cb3a38738cbc29cd73894287c18864816cc35ccddcc9577

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\icudt.dll

Filesize
9.5MB

MD5
5434e18b933e03f274d8da59fda4c676

SHA1
9cf34066a3a28bf0dccff0e4b234a9ac22cffb8d

SHA256
ef080ad7436d544c285d026131ad0faa0b54d7e2f098d5c6c5920bbf88b3f6a7

SHA512
0799b6381eb959faa540be6d6a7a8a3b5b8bf5510adc4da039af844c6685a561e1c205d160dcb964caa2a1bbc4cacab9c70a3974f07417c274a0d6ba0157cce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\libcef.dll

Filesize
36.9MB

MD5
4125d57d883df4df29d950e339a3ba92

SHA1
a357ededb255a6f25339994b3f099123fa1faa54

SHA256
622aaa14aa2b1ff06adbe4e09dab9c0d43eac556bf42f56bfe44a5d29e16082b

SHA512
5702ada6420ce1ecd2aa62406d6fe098dac84c21a7b33de0a25b24d24726f9671eec37f0cfc5777ae55a75776edaf745b44cc54fcd5a4fa2ad7986f5270cca31

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\locales\en-US.pak

Filesize
6KB

MD5
7dc755262eb4ba15fd0f2bd986801f13

SHA1
5a5e40026367137f93fcdf869e5f316737a25453

SHA256
fbcab99db6aae46afd20d46f0ab972c2e8dbd0a384bfe5371c59bca594cda378

SHA512
f7b422cde7b9fa215e51e31b544ac5831faeeeca83a77ca9ab0560aef9e8d6d012bca4e0bc8266cee8fbd3685780c2146c74ff7959930e398fe79bb1b00ac8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\bmp\11

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\dat\63556

Filesize
128KB

MD5
e7c78c0760a6ba629c322959f244c8c2

SHA1
f974a27e714e89ac904076c6308e611eda2d46c1

SHA256
04bb26f0b789dc36035dd46c9524b8e9821e4055e54d610b8416fde463b02c2d

SHA512
3d05a8b391f1b1e71b029bfd525103695b779d1eecad2b9cb0cc9202fa9af8732a7c8e11d865ffbe0f2c72ca9ae8fcbbd552922029a569618554e1d02aa2b9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\index.php

Filesize
969B

MD5
feae53ebb2c188653fcbe11dabb270ae

SHA1
f48373d62734f966b0c40c99c5784b3f6014f6ea

SHA256
0206d20d7e6629ce62b05cbd26d63a77046983a48bff59740aea77bf58b64258

SHA512
5973e70ca473146394ee04725c72a5e27aad3c92541a93c24243cfdf90f688344aa3be60b05c8e82dd2c34f0e1d29acb76f05e5f6aea9e4a11d06a9febea7d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php-cgi.exe

Filesize
52KB

MD5
602b739972ee3d29e86efd4b158a93c1

SHA1
d000b3b920672a5c1da88581ab5d3b2ee81833f4

SHA256
924cdcd033170c4c1858732c7d6b80a7bde5fee245cf211bc97d044b268335c8

SHA512
6440e92e03aea6e8a44a6896855d1a932867ecac7fb7aee203689f49fa32c30ec652858b5726a2ccb7c39659289f4ce0f9d22b1f9e057c588c25e06cf3ceef2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php-cgi.exe

Filesize
52KB

MD5
602b739972ee3d29e86efd4b158a93c1

SHA1
d000b3b920672a5c1da88581ab5d3b2ee81833f4

SHA256
924cdcd033170c4c1858732c7d6b80a7bde5fee245cf211bc97d044b268335c8

SHA512
6440e92e03aea6e8a44a6896855d1a932867ecac7fb7aee203689f49fa32c30ec652858b5726a2ccb7c39659289f4ce0f9d22b1f9e057c588c25e06cf3ceef2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php.ini

Filesize
718B

MD5
29c314fd5f847627fbcbae50d6a7096c

SHA1
401ce375f2cd5628908305e24c9ebc8953f93665

SHA256
0fc66d0daabdf17939bbf877d9243151571096c0f366851f39e06420cb84361f

SHA512
6811740155ac5e68c6fddd414cb50edd82605709142f4c7c3b121456c656c0e85e0e07f4ce3208cd5871d5f1b823bf189fc15db5b7b5ad365f122abd3f245a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php5.dll

Filesize
6.0MB

MD5
0ce603c08799a52695b70ca9bdacf95f

SHA1
fff6ab30ff7bf82d67e898d61f62351b1b162fc4

SHA256
1542569a6e8b372db673492a575833be6c95592549f749486f6add92b9837c5f

SHA512
d5ae2f46bbb1099f4bb51bd2747a5b70e3061e116df5a271f6dda9ff62f023e3884f6e9425323396b72ab515b680c0b67b71683348c8fb147ac0b45b27ebcb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php_gd2.dll

Filesize
1.5MB

MD5
15be1ffd64c2ef3a0d1c7a9ac7e13f0e

SHA1
68c8a01dcc6a574c9af98a0427a174e2e5944ce8

SHA256
705741e89006451709dd32108484669380d2750172660796893538b0696119b4

SHA512
e10d713fdc4d031b50c42e87cae6b21f83b59bc5f944daf4911a14ad960f32223097482354e1a7e05980d1ad68f1c266189e55d18c982284e38db852bf68c450

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe

Filesize
1.3MB

MD5
13007b8a151b2eb4648ae4420ba8664a

SHA1
ca7282d8357fbf22aea39542b810ffcb49b8d6d7

SHA256
5a351a22180c0f777ddbe0f4e92fe8c9e2c1be6b3b71620fc6bc3fa96d76f7fe

SHA512
d76b8c63670ac7522fc34fa42d1cf746e6ed3ab4fc03d28b4246bbd9219d73c47cb1c11aee77a5b27cb3a38738cbc29cd73894287c18864816cc35ccddcc9577

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\EditorModeloTenkaichi3.exe

Filesize
1.3MB

MD5
13007b8a151b2eb4648ae4420ba8664a

SHA1
ca7282d8357fbf22aea39542b810ffcb49b8d6d7

SHA256
5a351a22180c0f777ddbe0f4e92fe8c9e2c1be6b3b71620fc6bc3fa96d76f7fe

SHA512
d76b8c63670ac7522fc34fa42d1cf746e6ed3ab4fc03d28b4246bbd9219d73c47cb1c11aee77a5b27cb3a38738cbc29cd73894287c18864816cc35ccddcc9577

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\icudt.dll

Filesize
9.5MB

MD5
5434e18b933e03f274d8da59fda4c676

SHA1
9cf34066a3a28bf0dccff0e4b234a9ac22cffb8d

SHA256
ef080ad7436d544c285d026131ad0faa0b54d7e2f098d5c6c5920bbf88b3f6a7

SHA512
0799b6381eb959faa540be6d6a7a8a3b5b8bf5510adc4da039af844c6685a561e1c205d160dcb964caa2a1bbc4cacab9c70a3974f07417c274a0d6ba0157cce2

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\icudt.dll

Filesize
9.5MB

MD5
5434e18b933e03f274d8da59fda4c676

SHA1
9cf34066a3a28bf0dccff0e4b234a9ac22cffb8d

SHA256
ef080ad7436d544c285d026131ad0faa0b54d7e2f098d5c6c5920bbf88b3f6a7

SHA512
0799b6381eb959faa540be6d6a7a8a3b5b8bf5510adc4da039af844c6685a561e1c205d160dcb964caa2a1bbc4cacab9c70a3974f07417c274a0d6ba0157cce2

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\libcef.dll

Filesize
36.9MB

MD5
4125d57d883df4df29d950e339a3ba92

SHA1
a357ededb255a6f25339994b3f099123fa1faa54

SHA256
622aaa14aa2b1ff06adbe4e09dab9c0d43eac556bf42f56bfe44a5d29e16082b

SHA512
5702ada6420ce1ecd2aa62406d6fe098dac84c21a7b33de0a25b24d24726f9671eec37f0cfc5777ae55a75776edaf745b44cc54fcd5a4fa2ad7986f5270cca31

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\libcef.dll

Filesize
36.9MB

MD5
4125d57d883df4df29d950e339a3ba92

SHA1
a357ededb255a6f25339994b3f099123fa1faa54

SHA256
622aaa14aa2b1ff06adbe4e09dab9c0d43eac556bf42f56bfe44a5d29e16082b

SHA512
5702ada6420ce1ecd2aa62406d6fe098dac84c21a7b33de0a25b24d24726f9671eec37f0cfc5777ae55a75776edaf745b44cc54fcd5a4fa2ad7986f5270cca31

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php-cgi.exe

Filesize
52KB

MD5
602b739972ee3d29e86efd4b158a93c1

SHA1
d000b3b920672a5c1da88581ab5d3b2ee81833f4

SHA256
924cdcd033170c4c1858732c7d6b80a7bde5fee245cf211bc97d044b268335c8

SHA512
6440e92e03aea6e8a44a6896855d1a932867ecac7fb7aee203689f49fa32c30ec652858b5726a2ccb7c39659289f4ce0f9d22b1f9e057c588c25e06cf3ceef2b

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php5.dll

Filesize
6.0MB

MD5
0ce603c08799a52695b70ca9bdacf95f

SHA1
fff6ab30ff7bf82d67e898d61f62351b1b162fc4

SHA256
1542569a6e8b372db673492a575833be6c95592549f749486f6add92b9837c5f

SHA512
d5ae2f46bbb1099f4bb51bd2747a5b70e3061e116df5a271f6dda9ff62f023e3884f6e9425323396b72ab515b680c0b67b71683348c8fb147ac0b45b27ebcb5a

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx000006A8\php\php_gd2.dll

Filesize
1.5MB

MD5
15be1ffd64c2ef3a0d1c7a9ac7e13f0e

SHA1
68c8a01dcc6a574c9af98a0427a174e2e5944ce8

SHA256
705741e89006451709dd32108484669380d2750172660796893538b0696119b4

SHA512
e10d713fdc4d031b50c42e87cae6b21f83b59bc5f944daf4911a14ad960f32223097482354e1a7e05980d1ad68f1c266189e55d18c982284e38db852bf68c450

Download Submit
memory/1088-689-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-670-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-656-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-677-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-692-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-698-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-635-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1088-672-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-625-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-710-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1088-673-0x0000000008F70000-0x0000000009035000-memory.dmp

Filesize
788KB

Download
memory/1112-647-0x0000000027B00000-0x0000000027B01000-memory.dmp

Filesize
4KB

Download
memory/1112-668-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1112-645-0x000000000D500000-0x000000000D501000-memory.dmp

Filesize
4KB

Download
memory/1112-648-0x000000003F100000-0x000000003F101000-memory.dmp

Filesize
4KB

Download
memory/1112-649-0x000000001C100000-0x000000001C101000-memory.dmp

Filesize
4KB

Download
memory/1112-674-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1112-644-0x000000000D000000-0x000000000D001000-memory.dmp

Filesize
4KB

Download
memory/1112-646-0x0000000035E00000-0x0000000035E01000-memory.dmp

Filesize
4KB

Download
memory/1112-637-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1112-699-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1704-669-0x0000000002800000-0x00000000028C5000-memory.dmp

Filesize
788KB

Download
memory/1704-643-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1704-624-0x0000000002800000-0x00000000028C5000-memory.dmp

Filesize
788KB

Download