Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-06-2021 00:02
Static task: static1
Behavioral task: behavioral1
- Sample: 8043262173C3E29F33C566C80F0DA3B7.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 8043262173C3E29F33C566C80F0DA3B7.exe
- Resource: win10v20210408
General
- Target: 8043262173C3E29F33C566C80F0DA3B7.exe
- Size: 43KB
- MD5: 8043262173c3e29f33c566c80f0da3b7
- SHA1: 5a6f13e5d492e43ab316ba87ddd33763c51ba874
- SHA256: 80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42
- SHA512: c36cf8672c1500d78461eaeaafd2c479ec2b7ac6eb0e443422b8dae4b7ad9092c5c439f99c25846c45c39c0003dc514c24e5b0ddda2250b523e371df3569316c
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: pid 316 setup.exe
- Loads dropped DLL (10 IoCs)
  Processes (pid, process): 1040 8043262173C3E29F33C566C80F0DA3B7.exe (5 entries); 316 setup.exe (5 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (12 IoCs)
  Resource / YARA rule matches:
  \Users\Admin\AppData\Local\Temp\setup.exe: nsis_installer_1 (4 matches), nsis_installer_2 (4 matches)
  C:\Users\Admin\AppData\Local\Temp\setup.exe: nsis_installer_1 (2 matches), nsis_installer_2 (2 matches)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 316 setup.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process): PID 1040 wrote to memory of 316; 1040 8043262173C3E29F33C566C80F0DA3B7.exe -> setup.exe (7 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8043262173C3E29F33C566C80F0DA3B7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8043262173C3E29F33C566C80F0DA3B7.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\setup.exe (spawned by 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  MD5: 42ce3775f3df0e4870e863c2d9f52770
  SHA1: 84a23b46553b28b7392761f58d8bf41f98596363
  SHA256: cc2555ebf93d16bf4d75b5b18a5bb5129dc6cfaf606b40027b69e06c699912c2
  SHA512: f2315f7939887c266cfbed42041ac57a55e9bf9241c45f70b69650d797e75c761214d4098af14c2a2680fd703125fa93e63695ce137430cdf9f840a605675db6
- \Users\Admin\AppData\Local\Temp\nsx2482.tmp\System.dll
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- \Users\Admin\AppData\Local\Temp\nsx2482.tmp\nsDialogs.dll
  MD5: c10e04dd4ad4277d5adc951bb331c777
  SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
  SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
  SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
- \Users\Admin\AppData\Local\Temp\nsx262.tmp\NSISdl.dll
  MD5: a5f8399a743ab7f9c88c645c35b1ebb5
  SHA1: 168f3c158913b0367bf79fa413357fbe97018191
  SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
  SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
- \Users\Admin\AppData\Local\Temp\setup.exe
  MD5: 42ce3775f3df0e4870e863c2d9f52770
  SHA1: 84a23b46553b28b7392761f58d8bf41f98596363
  SHA256: cc2555ebf93d16bf4d75b5b18a5bb5129dc6cfaf606b40027b69e06c699912c2
  SHA512: f2315f7939887c266cfbed42041ac57a55e9bf9241c45f70b69650d797e75c761214d4098af14c2a2680fd703125fa93e63695ce137430cdf9f840a605675db6
- memory/316-65-0x0000000000000000-mapping.dmp
- memory/1040-59-0x0000000074F31000-0x0000000074F33000-memory.dmp
  Filesize: 8KB