1a11d17f7bf64fa6b5e31b5b0847108b917ba51e97036f64c812994b35055771

General

Target

recoverit_setup_full4144.exe
Size

2.0MB
MD5

fe5fa83de7113087fc93ddf99ddc310a
SHA1

60a2892c48db1da821e4bc37deb70d4f0e4021d4
SHA256

1a11d17f7bf64fa6b5e31b5b0847108b917ba51e97036f64c812994b35055771
SHA512

9ca76c235cafd04c19977b2b98b8038a4bfe37acb593a49bc1e8d9b3cd826da5b82ebd1508937d7df52991163ce5796e86cd35fcf00b5c0fa93fb1d379084a52
SSDEEP

49152:G05czfx+MZ5oqTGOFDyhFufVjypTQ92N9L7jf8usm:GIczfX6mjFtfVJ2NNZ

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3036	NFWCHK.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-664403437-228026989-2547995067-1000\Control Panel\Desktop\MuiCached	recoverit_setup_full4144.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1908	recoverit_setup_full4144.exe
1908	recoverit_setup_full4144.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 3036	1908	recoverit_setup_full4144.exe	82
PID 1908 wrote to memory of 3036	1908	recoverit_setup_full4144.exe	82

C:\Users\Admin\AppData\Local\Temp\recoverit_setup_full4144.exe
"C:\Users\Admin\AppData\Local\Temp\recoverit_setup_full4144.exe"
1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:3036

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\a3224face2e749249f06bbe8c8da7566 /t 5028 /p 1908
1⤵
PID:772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
2KB

MD5
51cc2b3ef4154f3117f0a3f5281d7769

SHA1
5a494e90c72bf1f15311670c812ff89fed9148b3

SHA256
6c41babfb2ceb21cf1259aba142833629e4eb0d57ab7e073f702e78e63d92fef

SHA512
34e17f41b4afca5a4787a1175619697d40a11491b5b02a1e0d300d55cbe44412cd1a7de07a80dcc7369721cafbc9d1a32e510cc4975ffa6f6d5a112af1665ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
555B

MD5
32f4e73ef6ca245a8e10049c965c456e

SHA1
ad095d41e4d3fdfce90ee9b612658cfaa1d48f92

SHA256
96df04eb52042239b2337747cf57f213cbcc548a6b5e4a46e8620f02e4daa9bb

SHA512
f1efb4b991bc0d32d2b29be19d8ed058ab5ce37791dadabbda08dc7a48f70d659c24a71055b09c0f0f8038e479891d9605aa5c2cc0270993fa66c0f9deae5087

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
960B

MD5
78f4b82c46b42cd8a68203c2657e59f3

SHA1
57d972c28963f7a9ff638bd63b9fce6cc90f3487

SHA256
10b4b91fc309987c6890a7f565faecf7b5b402a7aa3e27dbe8cf16359b5721fd

SHA512
b8a033afcbc0abc5022609d59f9a0915399cfb9b3f0861ff17066d48f66eacf73f4a4a8bbe064139ce5a986331a194a71322c452a24e943dc3400f94ddb93564

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
2KB

MD5
e67f835c550944078fee2c054179618b

SHA1
2088c874844fef66e8adbb10808ee86992ead509

SHA256
2217fa7a43460630d55f57a0a431b8360acf86712727ddfefa974790e7645c63

SHA512
e50ac5d6ecde83493b92cff9eb1453cbaf17dd4b2e649a4e65c9dbda583ecd839ff61f2357f34d998fad970b19831b669a8c5c4784f4aa12502489fe47942b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
53KB

MD5
d923c4d6f6fa3bd99ebc312333d5e3c7

SHA1
7cb6bbcf8f8fb29f396574b454c23b4e89c8afee

SHA256
96e431765558f59a82d90e0f4648239fe3db1df8025969fabca8264479e36f1f

SHA512
d115e9f088bfd569bef4e27d651f3c5ef0780b4a6d009f01025135790966040b3b68b45e07fe771755be88200f96909371e212d4161b4d0dd247523a4b78fa2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
memory/3036-1155-0x000000001B3B0000-0x000000001B3D0000-memory.dmp

Filesize
128KB

Download
memory/3036-1159-0x000000001BC50000-0x000000001BCB2000-memory.dmp

Filesize
392KB

Download
memory/3036-1154-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/3036-1153-0x00007FFEAC3F0000-0x00007FFEACD91000-memory.dmp

Filesize
9.6MB

Download
memory/3036-1156-0x000000001B3D0000-0x000000001B6E0000-memory.dmp

Filesize
3.1MB

Download
memory/3036-1157-0x00007FFEAC3F0000-0x00007FFEACD91000-memory.dmp

Filesize
9.6MB

Download
memory/3036-1158-0x000000001BB90000-0x000000001BBD9000-memory.dmp

Filesize
292KB

Download
memory/3036-1152-0x000000001B370000-0x000000001B388000-memory.dmp

Filesize
96KB

Download
memory/3036-1160-0x000000001C190000-0x000000001C65E000-memory.dmp

Filesize
4.8MB

Download
memory/3036-1161-0x000000001C700000-0x000000001C79C000-memory.dmp

Filesize
624KB

Download
memory/3036-1162-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/3036-1163-0x000000001CB00000-0x000000001CB3E000-memory.dmp

Filesize
248KB

Download
memory/3036-1165-0x00007FFEAC3F0000-0x00007FFEACD91000-memory.dmp

Filesize
9.6MB

Download
memory/3036-1151-0x0000000001100000-0x0000000001124000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads