Analysis
- max time kernel: 116s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-04-2023 17:56
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20230221-en
General
- Target: file.exe
- Size: 2.7MB
- MD5: 4b8ea5598f2b38f21b81fa2067306302
- SHA1: 1113bcc3abc625724757fd1368d03a50af9138a4
- SHA256: 7848d4e5adc7034e32b63d9d09414f770117f12cd1f0cd2a4643b0d5e58207d1
- SHA512: 76c973a312894327341d0a44014227f4ea1dfced2ec903cf934a2057ca9f701e83098bf587bf45919de3253fbfb770457022f35909b9941bf61fc0ba36eed8d4
- SSDEEP: 49152:zGlJfsUp6qqY4/9Zf2YkBnGZlIacuzaH7pslSnCb+ZPYEA8A01iIodPCD0B2V+la:qvRqY4/9ZLqn62tbSeASAiAeoO00VCgL
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: is-3CI89.tmp, Rec412.exe
  pid  | process
  1148 | is-3CI89.tmp
  4284 | Rec412.exe
- Loads dropped DLL (3 IoCs)
  Processes: is-3CI89.tmp
  pid  | process
  1148 | is-3CI89.tmp
  1148 | is-3CI89.tmp
  1148 | is-3CI89.tmp
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (9 IoCs)
  Processes: is-3CI89.tmp
  description | ioc | process
  File created | C:\Program Files (x86)\FJWsoftFR\Rec412\is-RG2AL.tmp | is-3CI89.tmp
  File created | C:\Program Files (x86)\FJWsoftFR\Rec412\is-RR340.tmp | is-3CI89.tmp
  File created | C:\Program Files (x86)\FJWsoftFR\Rec412\is-Q415U.tmp | is-3CI89.tmp
  File created | C:\Program Files (x86)\FJWsoftFR\Rec412\data\is-HL1VU.tmp | is-3CI89.tmp
  File opened for modification | C:\Program Files (x86)\FJWsoftFR\Rec412\unins000.dat | is-3CI89.tmp
  File created | C:\Program Files (x86)\FJWsoftFR\Rec412\is-3D6NL.tmp | is-3CI89.tmp
  File created | C:\Program Files (x86)\FJWsoftFR\Rec412\is-P5IEG.tmp | is-3CI89.tmp
  File opened for modification | C:\Program Files (x86)\FJWsoftFR\Rec412\Rec412.exe | is-3CI89.tmp
  File created | C:\Program Files (x86)\FJWsoftFR\Rec412\unins000.dat | is-3CI89.tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: file.exe, is-3CI89.tmp
  description | pid | process | target process
  PID 4784 wrote to memory of 1148 | 4784 | file.exe | is-3CI89.tmp
  PID 4784 wrote to memory of 1148 | 4784 | file.exe | is-3CI89.tmp
  PID 4784 wrote to memory of 1148 | 4784 | file.exe | is-3CI89.tmp
  PID 1148 wrote to memory of 4284 | 1148 | is-3CI89.tmp | Rec412.exe
  PID 1148 wrote to memory of 4284 | 1148 | is-3CI89.tmp | Rec412.exe
  PID 1148 wrote to memory of 4284 | 1148 | is-3CI89.tmp | Rec412.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-SRR32.tmp\is-3CI89.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-SRR32.tmp\is-3CI89.tmp" /SL4 $D004C "C:\Users\Admin\AppData\Local\Temp\file.exe" 2634247 56320
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\FJWsoftFR\Rec412\Rec412.exe
         Command line: "C:\Program Files (x86)\FJWsoftFR\Rec412\Rec412.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\FJWsoftFR\Rec412\Rec412.exe
  Filesize: 3.0MB
  MD5: a54cc0da4884f08f04ce09b859869c2f
  SHA1: cb679a4039a341b2ab763c2c2c25abd39b432668
  SHA256: bcc5e091b89290e398fe59a51bed1ecb8f33dcb94292f2bd1e9ba20ba393eb6f
  SHA512: 0b5af4acc2499b41d06c43c037e660fad4748507ed38280f8a5a5433f187acda6f237ff8d89b10aed48fa6a4e34ea0261c561b2a9cade5db95539fc82fdec23a
- C:\Users\Admin\AppData\Local\Temp\is-6BNTG.tmp\_isetup\_iscrypt.dll
  Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- C:\Users\Admin\AppData\Local\Temp\is-6BNTG.tmp\_isetup\_isdecmp.dll
  Filesize: 13KB
  MD5: a813d18268affd4763dde940246dc7e5
  SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
  SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
  SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
- C:\Users\Admin\AppData\Local\Temp\is-SRR32.tmp\is-3CI89.tmp
  Filesize: 659KB
  MD5: 57d101722b08967ce53be6109b7f6ccf
  SHA1: f62e5f39efbfb03d0ddd822963122eb1945d9f18
  SHA256: 5b433440454647dc2775cacf3258f2272cb2fc0ec870b862744aad4ee7bc7ec9
  SHA512: 57158b946d08d669967f8b09dde8a44a1e2c94ac0a313aa6f3eb52c651c73e7546b085a201847757ac15911d797a8fb2032a13e845b790af5279abd344793f4b
- memory/1148-154-0x0000000000790000-0x0000000000791000-memory.dmp
  Filesize: 4KB
- memory/1148-171-0x0000000000400000-0x00000000004B4000-memory.dmp
  Filesize: 720KB
- memory/4284-173-0x0000000000400000-0x00000000014FF000-memory.dmp
  Filesize: 17.0MB
- memory/4284-174-0x0000000000400000-0x00000000014FF000-memory.dmp
  Filesize: 17.0MB
- memory/4784-133-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/4784-172-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB