bff57ccfbe2690d2b35717379b6c6902270dba122a8d508457124c073eaffd0e

Resubmissions

02-02-2024 14:59

240202-sc227aggd2 7

02-02-2024 14:53

240202-r9dkesahcq 3

Analysis

max time kernel
592s
max time network
643s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Disk1/setup.exe
Size

929KB
MD5

2cc9103dfdf1e8a5db13f0915a9416de
SHA1

da0ad0f88a26e31846e9df040e470d70f5d699e7
SHA256

f0a02d3ace10af6507f29e56b7c6e5f4eeb643f809baa2eb2a44ce08ce66e290
SHA512

6024b0ef569aa82b0ed18a2552ad141fc8340b9a462388292fba103e18a2462fb78fc79a82fb7d247c2a15a8f5e7eb4d21c597ea54c03a428d945754d2f02ba8
SSDEEP

12288:9p5e7e1f+jY849fxuBa5kVDIyb496sxhFSOQ2gqIKXH62t:9pA7e1jwD9bEtFSOQCIaHlt

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Executes dropped EXE 7 IoCs

Processes:

setup.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exe

pid process

3096 setup.exe
4212 ISBEW64.exe
4388 ISBEW64.exe
884 ISBEW64.exe
3040 ISBEW64.exe
3720 ISBEW64.exe
4240 ISBEW64.exe
Loads dropped DLL 4 IoCs

Processes:

setup.exe

pid process

3096 setup.exe
3096 setup.exe
3096 setup.exe
3096 setup.exe

pid	process
3096	setup.exe
4212	ISBEW64.exe
4388	ISBEW64.exe
884	ISBEW64.exe
3040	ISBEW64.exe
3720	ISBEW64.exe
4240	ISBEW64.exe

pid	process
3096	setup.exe
3096	setup.exe
3096	setup.exe
3096	setup.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000831d4a26f757a3470000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000831d4a260000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900831d4a26000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d831d4a26000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000831d4a2600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

vssvc.exesrtasks.exe

description	pid	process
Token: SeBackupPrivilege	2780	vssvc.exe
Token: SeRestorePrivilege	2780	vssvc.exe
Token: SeAuditPrivilege	2780	vssvc.exe
Token: SeBackupPrivilege	836	srtasks.exe
Token: SeRestorePrivilege	836	srtasks.exe
Token: SeSecurityPrivilege	836	srtasks.exe
Token: SeTakeOwnershipPrivilege	836	srtasks.exe
Token: SeBackupPrivilege	836	srtasks.exe
Token: SeRestorePrivilege	836	srtasks.exe
Token: SeSecurityPrivilege	836	srtasks.exe
Token: SeTakeOwnershipPrivilege	836	srtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

setup.exesetup.exe

description	pid	process	target process
PID 3908 wrote to memory of 3096	3908	setup.exe	setup.exe
PID 3908 wrote to memory of 3096	3908	setup.exe	setup.exe
PID 3908 wrote to memory of 3096	3908	setup.exe	setup.exe
PID 3096 wrote to memory of 4212	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 4212	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 4388	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 4388	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 884	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 884	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 3040	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 3040	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 3720	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 3720	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 4240	3096	setup.exe	ISBEW64.exe
PID 3096 wrote to memory of 4240	3096	setup.exe	ISBEW64.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Disk1\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Disk1\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\{A937BAFA-C28B-4EA8-BE2B-289966DA1F40}\setup.exe
C:\Users\Admin\AppData\Local\Temp\{A937BAFA-C28B-4EA8-BE2B-289966DA1F40}\setup.exe -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{A937BAFA-C28B-4EA8-BE2B-289966DA1F40}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\Disk1\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{31F17347-1366-4A76-94B0-589988BFAB98}
3⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C4590CA0-4AAA-48D2-A0AD-922A44BAD4CF}
3⤵
- Executes dropped EXE
PID:4388

C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7B515882-F6B7-497C-BD45-6D2C04F99BDA}
3⤵
- Executes dropped EXE
PID:884

C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3067CA11-1F64-4673-9AF7-896AF4E82303}
3⤵
- Executes dropped EXE
PID:3040

C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3CEBD37D-F7D9-4146-8104-3C51B05228C4}
3⤵
- Executes dropped EXE
PID:3720

C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB2FE879-5371-4B23-BD9C-01BC8AD32CD6}
3⤵
- Executes dropped EXE
PID:4240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\ISBEW64.exe
Filesize
178KB

MD5
fc6b38a02516871ec641e99fb18f448b

SHA1
58754875d6b068d4c076363531674b5d8164e4dc

SHA256
9419696372f4460fdc12d96ecd9f3a9489e9070ccab7cca4b51602c051db31bf

SHA512
9a9bb2ad036ba9141fe312ab199ed2eb75bb132f69cb4b1fe98f4daaac8698debf2f72fc4b7969b1386fd849ef857e6861f66b14cf43a86328cfbac3617c6b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\DIFxData.ini
Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\FontData.ini
Filesize
37B

MD5
8ce28395a49eb4ada962f828eca2f130

SHA1
270730e2969b8b03db2a08ba93dfe60cbfb36c5f

SHA256
a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932

SHA512
bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\_isres_0x0409.dll
Filesize
1.8MB

MD5
dc1c02e272c281895c0456f358f44378

SHA1
cd51129bacc9f463fc0fb09bb38eb89ece916fde

SHA256
3782f17b843b4cd3245c8b751d0c23b1b34a24a64a923dbcaefc26e65fe4f69d

SHA512
7d1dc68274f164b811acb08334857ab4c3c847daea1724a5ca9d2db7f1f4fff3009b9092fc8c5ccc64e2c8d57babe563d72b3c7f9f64de3c1c02c2e747ec48b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\_isres_0x0409.dll
Filesize
14KB

MD5
00a08f5c8da59b47a3bca9310a9d6eb1

SHA1
15aeec67daa4115b4b4c92ec5feba2c17de63cc1

SHA256
0fe5ae540f15f32112ea45eb1f9e2bebc9d097f87a1593a9741d3f817159a258

SHA512
5f0329311220df9d0ef2793cb564b2da0dfd5b497b3e0f3ac1d2ab3d182d94aa68cbe2dc5808e36659ffba4ad984a28fa8f2f22d38ff118ff588d32c3d453360

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\isrt.dll
Filesize
426KB

MD5
6142481421bd6cc14addf9606137973d

SHA1
97686f0e3254c3c245256ae280ed36f9457b3ec2

SHA256
650d006d2f4f62d740d7d198f7febe201d3f528ee87e089958b5c4e1cd27e748

SHA512
21e9bd11b931ba20dff2e30f3301fcb5fc119535a6428c175224e1a35e6c6c14b07f437a416d53787635ce8b8aa042d4dc514beed41b0575591ae79c1592993b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74DEF12D-7ADF-4EA2-A446-3B3E2E56E57D}\{5AD9FC81-F943-4F6C-BDB6-71E1C421C806}\setup.inx
Filesize
128KB

MD5
b9808c1bbddd11dcdfb8884e6c271680

SHA1
d653adae2da5655d4a1a36d58bf7e6b01a1d5bd7

SHA256
d791bd74843c05bed871dcdcbeb7c815edba614b1131d189a44e90940962a223

SHA512
fd5c5393b757f07301484c04571ea02eef2c0010909793eceb4e3491818037bee0eca1aa50e4e2ee358898cb8598f52f642585864ba9dd54217f8b3618999e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A937BAFA-C28B-4EA8-BE2B-289966DA1F40}\0x0409.ini
Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A937BAFA-C28B-4EA8-BE2B-289966DA1F40}\ISSetup.dll
Filesize
1.6MB

MD5
82785d52aff250d92e6c415a84f3a0cb

SHA1
f18d27f5b4fa37fb77f3c24fd96d6075db759580

SHA256
89b71ad218a00b8ca87136266d841240dd8d00ad4e8745b28c9a8cf775623937

SHA512
decdc14dc3d77bc25a30ac16095a2045b5ccb6fad99fe652e0477ac08524762ed7c3b39fcb2e90ddfd5ef1752f609522d9c6b9794450536761c6195862eb89c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A937BAFA-C28B-4EA8-BE2B-289966DA1F40}\setup.exe
Filesize
929KB

MD5
2cc9103dfdf1e8a5db13f0915a9416de

SHA1
da0ad0f88a26e31846e9df040e470d70f5d699e7

SHA256
f0a02d3ace10af6507f29e56b7c6e5f4eeb643f809baa2eb2a44ce08ce66e290

SHA512
6024b0ef569aa82b0ed18a2552ad141fc8340b9a462388292fba103e18a2462fb78fc79a82fb7d247c2a15a8f5e7eb4d21c597ea54c03a428d945754d2f02ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A937BAFA-C28B-4EA8-BE2B-289966DA1F40}\setup.ini
Filesize
2KB

MD5
a4d19620ead09181c517e06750d91e97

SHA1
b0fc15f5fb1c77091a8763b48ccbc2c9e07c59ef

SHA256
71ec8da4023db3adeb0ec13102cfe60d89c1a19469f9fad725ec62b6ee38cd12

SHA512
491751f8758b111391a3749338472b8be92d34295474c60634a669530ef53e7627e31833195b150b763aad3fa4ba11391b464c3e1f8ebb180025ecabce5f1481

Download Submit
memory/3096-76-0x00000000036B0000-0x00000000036B2000-memory.dmp

Filesize
8KB

Download
memory/3096-75-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/3096-81-0x0000000005C80000-0x0000000005E47000-memory.dmp

Filesize
1.8MB

Download
memory/3096-97-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/3096-107-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download