ebbd4d196b95803a07c54675e9281721c3adb7b397f5808af4d1cb47915a71c0

General

Target

ForceDelete Pro v1.1.0 Portable/ForceDeletePortable.exe
Size

542KB
MD5

1938d42093b3b28bdd2b72434b8c767f
SHA1

e3fda9caaf659b985a6bb4f67f69d3a5e5161d0e
SHA256

8eab5565c6ea8493608778462d46cd46811945e2c36259d0e85cb8fbc6b537d3
SHA512

5f41d3b49be9cfb77dce2788d6693dedaf307a30365b85bb1e64ba77af902afb65de1209370be50cd6c72bc4472849e17a4f84a34b0a1fe2a366d1e6a1e64ea9
SSDEEP

6144:7PKgYy4sGSSXSSgAIWI2eoiPieAeYZUAak6X+ZUq/B9WeeKlDLRk20Q18:0ytAEbbYafX+eCB99eK9LRTl18

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2584	ForceDeletePortable.exe
2584	ForceDeletePortable.exe
2584	ForceDeletePortable.exe
2584	ForceDeletePortable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Unlock by ForceDelete\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ForceDelete Pro v1.1.0 Portable\\App\\ProgramFiles\\ForceDelete.exe"	ForceDelete.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Unlock by ForceDelete\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ForceDelete Pro v1.1.0 Portable\\App\\ProgramFiles\\ForceDelete.exe unlock \"%1\""	ForceDelete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Unlock by ForceDelete	ForceDelete.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Force Delete\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ForceDelete Pro v1.1.0 Portable\\App\\ProgramFiles\\ForceDelete.exe \"%1\""	ForceDelete.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Force Delete\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ForceDelete Pro v1.1.0 Portable\\App\\ProgramFiles\\ForceDelete.exe \"%1\""	ForceDelete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Unlock by ForceDelete	ForceDelete.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Force Delete\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ForceDelete Pro v1.1.0 Portable\\App\\ProgramFiles\\ForceDelete.exe"	ForceDelete.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Force Delete\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ForceDelete Pro v1.1.0 Portable\\App\\ProgramFiles\\ForceDelete.exe"	ForceDelete.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Unlock by ForceDelete\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ForceDelete Pro v1.1.0 Portable\\App\\ProgramFiles\\ForceDelete.exe"	ForceDelete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Unlock by ForceDelete\Command	ForceDelete.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Unlock by ForceDelete\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ForceDelete Pro v1.1.0 Portable\\App\\ProgramFiles\\ForceDelete.exe unlock \"%1\""	ForceDelete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Force Delete\Command	ForceDelete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Force Delete	ForceDelete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Unlock by ForceDelete\Command	ForceDelete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Force Delete	ForceDelete.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Force Delete\Command	ForceDelete.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2584	ForceDeletePortable.exe
2584	ForceDeletePortable.exe
2584	ForceDeletePortable.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2040	2584	ForceDeletePortable.exe	28
PID 2584 wrote to memory of 2040	2584	ForceDeletePortable.exe	28
PID 2584 wrote to memory of 2040	2584	ForceDeletePortable.exe	28
PID 2584 wrote to memory of 2040	2584	ForceDeletePortable.exe	28

C:\Users\Admin\AppData\Local\Temp\ForceDelete Pro v1.1.0 Portable\ForceDeletePortable.exe
"C:\Users\Admin\AppData\Local\Temp\ForceDelete Pro v1.1.0 Portable\ForceDeletePortable.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\ForceDelete Pro v1.1.0 Portable\App\ProgramFiles\ForceDelete.exe
  "C:\Users\Admin\AppData\Local\Temp\ForceDelete Pro v1.1.0 Portable\App\ProgramFiles\ForceDelete.exe"
  2⤵
  - Modifies registry class
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fdsound.dll

Filesize
8B

MD5
a472abb8bfe579d9346594e9ea3c20b6

SHA1
132320ab2b5ad59b3c3cd956d1602c49e53656e0

SHA256
20bd48c997a2266f0a7dcd962fda62ce6a356d36054b50a444fc26f80f429bbe

SHA512
fb65d55a3dad64cef922aff32cc85633c0177652d0e58e45a07fe8650b4186473214b5a0cff91bff646697e09a567643c388a3d9b869e8c95e13711fdca96aaa

Download Submit
\Users\Admin\AppData\Local\Temp\nso761C.tmp\System.dll

Filesize
10KB

MD5
24ba3b21fe9c5d01a7c21d32958b3a16

SHA1
c25ac10843ae5ad73e57fc80585c0c3c924888e8

SHA256
ef63f2d4dc4ccb6b35449f56b19915a26ee6dc7089df01499f44da4db5ab1499

SHA512
5eae694d3b36757986ee583615ee672a41b8d806affe80b9591c72eae54373293be5875794d80cef3863cefc8dde44a7c88f9fe232af1e96d01401e0cce72f94

Download Submit
\Users\Admin\AppData\Local\Temp\nso761C.tmp\UAC.dll

Filesize
13KB

MD5
7f56c0d6a8733dec142814ed5a58b0ee

SHA1
c119e66f179cfb758966f3cf878466057bea1840

SHA256
86445396775370aff5834f10bda25e505b6f89efc69a04fe1ce46f5d128be73f

SHA512
8b3b9bed985b3583b7be8b2197bb068e5d5508f8b5c4a7fc1278b2662dc8d9a53fd6df63f636e44bfc5aa37f030ac76b8d259d6b446bf87d5c72b74ff5b158f3

Download Submit
\Users\Admin\AppData\Local\Temp\nso761C.tmp\newadvsplash.dll

Filesize
8KB

MD5
9bc6c411efa742a5de7d8372afafa2fa

SHA1
2b57865e87c7ca2db97d0296d8cbe0183df2c2cf

SHA256
0cac914c87d4e73875dea8544391e383f441d624ea5ec9a4864d056db161206c

SHA512
092ef3f13a71a46df0f78a3b5eb4492bee32f1a12be27e0c534638ec7723b2a9aac23391768c352289df6a8988cbc6cf96ea22d8f1983b5ccf609e08d1db4bde

Download Submit
\Users\Admin\AppData\Local\Temp\nso761C.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/2040-36-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2040-33-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-34-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2040-32-0x0000000000360000-0x00000000003D0000-memory.dmp

Filesize
448KB

Download
memory/2040-37-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2040-40-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-41-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2584-14-0x0000000000550000-0x00000000005A9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing