Overview

overview

7

Static

static

3

PE-DESIGN 10.exe

windows7-x64

7

PE-DESIGN 10.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    72s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2023 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PE-DESIGN 10.exe

  • Size

    133.2MB

  • MD5

    1eab43b9863a9e3203b8fb415294f7ae

  • SHA1

    3f0921b2a8616420839b029d6cbb0544a0bbfe88

  • SHA256

    4f0e2487db334d423312079607320b303bf2bd502b6a1a8b78d5744601fee7a6

  • SHA512

    4cf29ad9d6c7f5f4cf3ac4a51d7682bc6404457df10be0406ddc57ea6f53b1c6bf69d2f27b210d6a2e853c4b95364534927ec5de9e36d096b8ab2f3f64d3e8c2

  • SSDEEP

    3145728:jVfN29HxfR8Okgh02VcKk/CzGwNWkj1hcajz08//7:VN29RfR8ORfcKfXNWu1hFz0y/7

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 14 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\PE-DESIGN 10.exe
    "C:\Users\Admin\AppData\Local\Temp\PE-DESIGN 10.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\PE-DESIGN 10.exe
      "C:\Users\Admin\AppData\Local\Temp\PE-DESIGN 10.exe" /i "C:\Users\Admin\AppData\Roaming\Brother Industries, Ltd\PE-DESIGN 10 10.20.0.0\install\PE-DESIGN 10.msi" CLIENTPROCESSID="944" SECONDSEQUENCE="1" CHAINERUIPROCESSID="944Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\PE-DESIGN 10.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files (x86)\Brother\PE-DESIGN 10\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\PE-DESIGN 10.exe" AI_INSTALL="1" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PE-DESIGN 10"
      2⤵
      • Enumerates connected drives
      PID:1656
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 47B251E97451C1B65E17A5C233497D24 C
      2⤵
      • Loads dropped DLL
      PID:1384
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding D4DDB7869F0310C103DFD1F8F5860610
      2⤵
      • Loads dropped DLL
      PID:1468
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2024
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "00000000000003A8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1936

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\6cbaca.rbs
      Filesize

      433KB

      MD5

      39b8181d303b1ce7743a4984157b0141

      SHA1

      ca51676b6f529c264a5435541f0736099a59a480

      SHA256

      70664ab34e2e784538abb14b8503abd9e352577688b71ddb1df7f634599072a4

      SHA512

      e9b926d01e3adf9b833dc18f93c6578a35633c8bc510d9508bbe6e66dce0d8ce007aab7f7d02a9e3584832a05dfe274b07584d92d21d824329d0bcd5627a2a27

      Download Submit

    • C:\Program Files (x86)\Common Files\BIL\PE-DESIGN 10\Sample\Font Creator\Font Template\Small_h.bmp
      Filesize

      26KB

      MD5

      a91a62c1650fbcf22b3cbbb299a91b0f

      SHA1

      746c521c77512631bc8576cc3fac9cb4f93c3b1c

      SHA256

      4d7dc81040e3343e5d01eea3e16a66f9efdfdb5183e1d00ea2abf889fecd676b

      SHA512

      d98b09905fa43f04c1f6bbbdb2056744b9ebdc787e57f16c860aecd10d0f5bb5bd4a7ad5d437ec346e57cfd518895f5d0471bddd8333caff169ce0f8a6460be4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_944\aicustact.dll
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_944\background
      Filesize

      29KB

      MD5

      34363136d896a1de743489e2aff7d849

      SHA1

      2678a41eec6d6d7f3267347f5ea2f7ca770323bb

      SHA256

      ae4355bc29fc0b409605faf5c69664a97a44c914e855b474b24281d17b7dcb15

      SHA512

      2711c50013f9b763e2eb7eed136f120dbe71b45ed0669655b07393e75f4e704877e7af473133469a012fd13d6bc50f2f715e8244395061a0067a480778759448

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_944\exitbackground
      Filesize

      27KB

      MD5

      24103f71a86c20089528c96c0dbe1445

      SHA1

      007d7a930dcae7684477347f4f2bd58d4ee5d184

      SHA256

      8542e195ef15dfd3ed9b246d3539295f266a19f3bde524c3f41b99adb6719c11

      SHA512

      94267aa20fb17e2db9ac31bb20b17e108f99c17f181c8f1612d9ecc9ac1375703b2ec7af3795b7c4ab379723c4c764a137025fb21df3e60859d0480ca546eb10

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI2D58.tmp
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI2E82.tmp
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI2F7C.tmp
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Brother Industries, Ltd\PE-DESIGN 10 10.20.0.0\install\PE-DESIGN 10.msi
      Filesize

      3.0MB

      MD5

      59120041a44e2bea892d231122f01286

      SHA1

      8a2a33b9091b375d9f21e1340584edbc5c58b144

      SHA256

      8b44c2d5bd17ef7b7c3664c64a5c869ff96a1db591d582ee3ebca7cbd4d4b5a6

      SHA512

      9f0223c5f0124afb98b801733f6160b0035168fa21b6f469ab5c12f15a5b5d05b3b47e76d2e6d4fc8cdb24e1dda48411acf64702d9d58af337de339cc47ab1e2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Brother Industries, Ltd\PE-DESIGN 10 10.20.0.0\install\PE-DESIGN 10.msi
      Filesize

      3.0MB

      MD5

      59120041a44e2bea892d231122f01286

      SHA1

      8a2a33b9091b375d9f21e1340584edbc5c58b144

      SHA256

      8b44c2d5bd17ef7b7c3664c64a5c869ff96a1db591d582ee3ebca7cbd4d4b5a6

      SHA512

      9f0223c5f0124afb98b801733f6160b0035168fa21b6f469ab5c12f15a5b5d05b3b47e76d2e6d4fc8cdb24e1dda48411acf64702d9d58af337de339cc47ab1e2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Brother Industries, Ltd\PE-DESIGN 10 10.20.0.0\install\disk1.cab
      Filesize

      128.4MB

      MD5

      3765f4d0212ba2adea52b21a1a5f861a

      SHA1

      c8a73f91aa2f096e01c8ecc30eb291deb1a3eb2b

      SHA256

      d3bbd5d6d304db29812c7527d63ea1a1ddfb3147a54ec59b393b96194ab0907a

      SHA512

      3d9b3fab4f4d9bb7793e1797e2e0ec1408d339d046fa5b30fd6b99d9e5a66912b26bc8397e3e9efaac0c9f81301c715bcd9d72658d1e87ea927ed176b3162b85

      Download Submit

    • C:\Windows\Installer\MSIBB93.tmp
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • C:\Windows\Installer\MSIC278.tmp
      Filesize

      309KB

      MD5

      6509b4aa5d8561d61dd7699088bede3b

      SHA1

      126ccbd1db3ce2fcd412d4f2b9afe1e7c62a3ae6

      SHA256

      3b7ceecd08d77d0795144793ec9ef9be7fbe91f9242d0ff0b5521fa0bbf8d152

      SHA512

      085b3328581c774a5187f66bba38479474fbf8d6b2c6f83ea4c869d0addf9eeccbbd28d063fbfd741ac45dc113cb0646eff91653cea21825fa56e9968e349370

      Download Submit

    • C:\Windows\Installer\MSICDCF.tmp
      Filesize

      309KB

      MD5

      6509b4aa5d8561d61dd7699088bede3b

      SHA1

      126ccbd1db3ce2fcd412d4f2b9afe1e7c62a3ae6

      SHA256

      3b7ceecd08d77d0795144793ec9ef9be7fbe91f9242d0ff0b5521fa0bbf8d152

      SHA512

      085b3328581c774a5187f66bba38479474fbf8d6b2c6f83ea4c869d0addf9eeccbbd28d063fbfd741ac45dc113cb0646eff91653cea21825fa56e9968e349370

      Download Submit

    • C:\Windows\Installer\MSICDCF.tmp
      Filesize

      309KB

      MD5

      6509b4aa5d8561d61dd7699088bede3b

      SHA1

      126ccbd1db3ce2fcd412d4f2b9afe1e7c62a3ae6

      SHA256

      3b7ceecd08d77d0795144793ec9ef9be7fbe91f9242d0ff0b5521fa0bbf8d152

      SHA512

      085b3328581c774a5187f66bba38479474fbf8d6b2c6f83ea4c869d0addf9eeccbbd28d063fbfd741ac45dc113cb0646eff91653cea21825fa56e9968e349370

      Download Submit

    • C:\Windows\Installer\{8BDB2C9D-C678-46C5-A87D-713634DB6487}\Embedit_1.exe
      Filesize

      278KB

      MD5

      e0af4c81b1b8e5dce06754f19b20515d

      SHA1

      e76c0cb36a538b7e650da327093c3f8d3f5a115f

      SHA256

      f58f3d3b51b33e9b41093b4e823927009b80cdd1489079b4637e1b1df2a79452

      SHA512

      bafaff59755ef639180b3536c17df963e05bfecec0a4d4fe52557b46c72f61b4a46a7dc9739c9b2f6c96ab2f477661e9f1a3be372f0fed21023839cda3b8c9da

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI2D58.tmp
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI2E82.tmp
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI2F7C.tmp
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • \Windows\Installer\MSIBB93.tmp
      Filesize

      86KB

      MD5

      616d33d84937a1edde1bb431b8cd8fc0

      SHA1

      4a690e056a7808d10d0667351697fa43640aecb3

      SHA256

      494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede

      SHA512

      daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6

      Download Submit

    • \Windows\Installer\MSIC278.tmp
      Filesize

      309KB

      MD5

      6509b4aa5d8561d61dd7699088bede3b

      SHA1

      126ccbd1db3ce2fcd412d4f2b9afe1e7c62a3ae6

      SHA256

      3b7ceecd08d77d0795144793ec9ef9be7fbe91f9242d0ff0b5521fa0bbf8d152

      SHA512

      085b3328581c774a5187f66bba38479474fbf8d6b2c6f83ea4c869d0addf9eeccbbd28d063fbfd741ac45dc113cb0646eff91653cea21825fa56e9968e349370

      Download Submit

    • \Windows\Installer\MSICDCF.tmp
      Filesize

      309KB

      MD5

      6509b4aa5d8561d61dd7699088bede3b

      SHA1

      126ccbd1db3ce2fcd412d4f2b9afe1e7c62a3ae6

      SHA256

      3b7ceecd08d77d0795144793ec9ef9be7fbe91f9242d0ff0b5521fa0bbf8d152

      SHA512

      085b3328581c774a5187f66bba38479474fbf8d6b2c6f83ea4c869d0addf9eeccbbd28d063fbfd741ac45dc113cb0646eff91653cea21825fa56e9968e349370

      Download Submit

    • memory/944-124-0x00000000004A0000-0x00000000004A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/944-61-0x00000000004A0000-0x00000000004A1000-memory.dmp

      Filesize

      4KB

      Download