Overview

overview

10

Static

static

10

832448fcb3...fa.exe

windows7-x64

7

832448fcb3...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    22-06-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa.exe

  • Size

    221.2MB

  • MD5

    5a79d71298c80aaf94cad9354d687acc

  • SHA1

    0e2edb5daa563922bee17b0cf39a87b7dff25018

  • SHA256

    832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa

  • SHA512

    ab81a7ac51d857888a863fab15bd69d85dbf8cc636bc814915fb79e22d12b7cc2efe4b528fe0988a0fce68703dedd7d9e203619a354c16cffd9746fe6898abaa

  • SSDEEP

    6291456:D00QRvCviS8vs/tQB6M3SRdphg/UUJJ4eeZr1Mr+/0Wt7sgWZQ:+RvCviSm3SPg/Uyk1d/0WJ

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa.exe
    "C:\Users\Admin\AppData\Local\Temp\832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Roaming\Deep Sea Electronics Ltd\DSE Scada\install\VC_redist.x64.exe
      "C:\Users\Admin\AppData\Roaming\Deep Sea Electronics Ltd\DSE Scada\install\VC_redist.x64.exe" /quiet /norestart
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\Temp\{13A1F8A3-4FDA-4DAE-8087-60A4FC760A35}\.cr\VC_redist.x64.exe
        "C:\Windows\Temp\{13A1F8A3-4FDA-4DAE-8087-60A4FC760A35}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\Deep Sea Electronics Ltd\DSE Scada\install\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /quiet /norestart
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\Temp\{2EB2766A-DC86-418B-AAF8-AADACDE44E36}\.be\VC_redist.x64.exe
          "C:\Windows\Temp\{2EB2766A-DC86-418B-AAF8-AADACDE44E36}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{340E0CEC-9CFA-42A2-B90C-558C57C184C9} {9ACE2EA3-38CA-4B73-AD07-04F7975250B4} 2400
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Modifies registry class
          PID:2636
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 396
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2952
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "00000000000005AC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\{13A1F8A3-4FDA-4DAE-8087-60A4FC760A35}\.cr\VC_redist.x64.exe
    Filesize

    635KB

    MD5

    53e9222bc438cbd8b7320f800bef2e78

    SHA1

    c4f295d8855b4b16c7450a4a9150eb95046f6390

    SHA256

    0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888

    SHA512

    7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a

    Download Submit

  • C:\Windows\Temp\{2EB2766A-DC86-418B-AAF8-AADACDE44E36}\.ba\logo.png
    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    Download Submit

  • \Users\Admin\AppData\Roaming\Deep Sea Electronics Ltd\DSE Scada\install\VC_redist.x64.exe
    Filesize

    24.2MB

    MD5

    101b0b9f74cdc6cdbd2570bfe92e302c

    SHA1

    2e6bae42c2842b4f558bd68099479b929bb7d910

    SHA256

    4dfe83c91124cd542f4222fe2c396cabeac617bb6f59bdcbdf89fd6f0df0a32f

    SHA512

    ccf4fd7da2c3440f1bc7fcac67c8a12599eab8d5c015affdc2e439fa30f5c7868ef5f52ede058361faae37ccc4af2c17c0adf30b8e1f852bb7106d0ec7162506

    Download Submit

  • \Windows\Temp\{2EB2766A-DC86-418B-AAF8-AADACDE44E36}\.ba\wixstdba.dll
    Filesize

    191KB

    MD5

    eab9caf4277829abdf6223ec1efa0edd

    SHA1

    74862ecf349a9bedd32699f2a7a4e00b4727543d

    SHA256

    a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

    SHA512

    45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

    Download Submit