7848d4e5adc7034e32b63d9d09414f770117f12cd1f0cd2a4643b0d5e58207d1

General

Target

file.exe
Size

2.7MB
MD5

4b8ea5598f2b38f21b81fa2067306302
SHA1

1113bcc3abc625724757fd1368d03a50af9138a4
SHA256

7848d4e5adc7034e32b63d9d09414f770117f12cd1f0cd2a4643b0d5e58207d1
SHA512

76c973a312894327341d0a44014227f4ea1dfced2ec903cf934a2057ca9f701e83098bf587bf45919de3253fbfb770457022f35909b9941bf61fc0ba36eed8d4
SSDEEP

49152:zGlJfsUp6qqY4/9Zf2YkBnGZlIacuzaH7pslSnCb+ZPYEA8A01iIodPCD0B2V+la:qvRqY4/9ZLqn62tbSeASAiAeoO00VCgL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

is-3CI89.tmpRec412.exe

pid process

1148 is-3CI89.tmp
4284 Rec412.exe
Loads dropped DLL 3 IoCs

Processes:

is-3CI89.tmp

pid process

1148 is-3CI89.tmp
1148 is-3CI89.tmp
1148 is-3CI89.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1148	is-3CI89.tmp
4284	Rec412.exe

pid	process
1148	is-3CI89.tmp
1148	is-3CI89.tmp
1148	is-3CI89.tmp

Drops file in Program Files directory 9 IoCs

Processes:

is-3CI89.tmp

description	ioc	process
File created	C:\Program Files (x86)\FJWsoftFR\Rec412\is-RG2AL.tmp	is-3CI89.tmp
File created	C:\Program Files (x86)\FJWsoftFR\Rec412\is-RR340.tmp	is-3CI89.tmp
File created	C:\Program Files (x86)\FJWsoftFR\Rec412\is-Q415U.tmp	is-3CI89.tmp
File created	C:\Program Files (x86)\FJWsoftFR\Rec412\data\is-HL1VU.tmp	is-3CI89.tmp
File opened for modification	C:\Program Files (x86)\FJWsoftFR\Rec412\unins000.dat	is-3CI89.tmp
File created	C:\Program Files (x86)\FJWsoftFR\Rec412\is-3D6NL.tmp	is-3CI89.tmp
File created	C:\Program Files (x86)\FJWsoftFR\Rec412\is-P5IEG.tmp	is-3CI89.tmp
File opened for modification	C:\Program Files (x86)\FJWsoftFR\Rec412\Rec412.exe	is-3CI89.tmp
File created	C:\Program Files (x86)\FJWsoftFR\Rec412\unins000.dat	is-3CI89.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

file.exeis-3CI89.tmp

description	pid	process	target process
PID 4784 wrote to memory of 1148	4784	file.exe	is-3CI89.tmp
PID 4784 wrote to memory of 1148	4784	file.exe	is-3CI89.tmp
PID 4784 wrote to memory of 1148	4784	file.exe	is-3CI89.tmp
PID 1148 wrote to memory of 4284	1148	is-3CI89.tmp	Rec412.exe
PID 1148 wrote to memory of 4284	1148	is-3CI89.tmp	Rec412.exe
PID 1148 wrote to memory of 4284	1148	is-3CI89.tmp	Rec412.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\is-SRR32.tmp\is-3CI89.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SRR32.tmp\is-3CI89.tmp" /SL4 $D004C "C:\Users\Admin\AppData\Local\Temp\file.exe" 2634247 56320
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1148

C:\Program Files (x86)\FJWsoftFR\Rec412\Rec412.exe
"C:\Program Files (x86)\FJWsoftFR\Rec412\Rec412.exe"
3⤵
- Executes dropped EXE
PID:4284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FJWsoftFR\Rec412\Rec412.exe
Filesize
3.0MB

MD5
a54cc0da4884f08f04ce09b859869c2f

SHA1
cb679a4039a341b2ab763c2c2c25abd39b432668

SHA256
bcc5e091b89290e398fe59a51bed1ecb8f33dcb94292f2bd1e9ba20ba393eb6f

SHA512
0b5af4acc2499b41d06c43c037e660fad4748507ed38280f8a5a5433f187acda6f237ff8d89b10aed48fa6a4e34ea0261c561b2a9cade5db95539fc82fdec23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6BNTG.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6BNTG.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6BNTG.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SRR32.tmp\is-3CI89.tmp
Filesize
659KB

MD5
57d101722b08967ce53be6109b7f6ccf

SHA1
f62e5f39efbfb03d0ddd822963122eb1945d9f18

SHA256
5b433440454647dc2775cacf3258f2272cb2fc0ec870b862744aad4ee7bc7ec9

SHA512
57158b946d08d669967f8b09dde8a44a1e2c94ac0a313aa6f3eb52c651c73e7546b085a201847757ac15911d797a8fb2032a13e845b790af5279abd344793f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SRR32.tmp\is-3CI89.tmp
Filesize
659KB

MD5
57d101722b08967ce53be6109b7f6ccf

SHA1
f62e5f39efbfb03d0ddd822963122eb1945d9f18

SHA256
5b433440454647dc2775cacf3258f2272cb2fc0ec870b862744aad4ee7bc7ec9

SHA512
57158b946d08d669967f8b09dde8a44a1e2c94ac0a313aa6f3eb52c651c73e7546b085a201847757ac15911d797a8fb2032a13e845b790af5279abd344793f4b

Download Submit
memory/1148-154-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1148-171-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4284-173-0x0000000000400000-0x00000000014FF000-memory.dmp

Filesize
17.0MB

Download
memory/4284-174-0x0000000000400000-0x00000000014FF000-memory.dmp

Filesize
17.0MB

Download
memory/4784-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4784-172-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing