80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42

Analysis

max time kernel
16s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
21-06-2021 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8043262173C3E29F33C566C80F0DA3B7.exe
Size

43KB
MD5

8043262173c3e29f33c566c80f0da3b7
SHA1

5a6f13e5d492e43ab316ba87ddd33763c51ba874
SHA256

80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42
SHA512

c36cf8672c1500d78461eaeaafd2c479ec2b7ac6eb0e443422b8dae4b7ad9092c5c439f99c25846c45c39c0003dc514c24e5b0ddda2250b523e371df3569316c

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

2300 setup.exe

pid	process
2300	setup.exe

Loads dropped DLL 7 IoCs

Processes:

8043262173C3E29F33C566C80F0DA3B7.exesetup.exe

pid	process
740	8043262173C3E29F33C566C80F0DA3B7.exe
740	8043262173C3E29F33C566C80F0DA3B7.exe
740	8043262173C3E29F33C566C80F0DA3B7.exe
740	8043262173C3E29F33C566C80F0DA3B7.exe
2300	setup.exe
2300	setup.exe
2300	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8043262173C3E29F33C566C80F0DA3B7.exe

description	pid	process	target process
PID 740 wrote to memory of 2300	740	8043262173C3E29F33C566C80F0DA3B7.exe	setup.exe
PID 740 wrote to memory of 2300	740	8043262173C3E29F33C566C80F0DA3B7.exe	setup.exe
PID 740 wrote to memory of 2300	740	8043262173C3E29F33C566C80F0DA3B7.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\8043262173C3E29F33C566C80F0DA3B7.exe
"C:\Users\Admin\AppData\Local\Temp\8043262173C3E29F33C566C80F0DA3B7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
42ce3775f3df0e4870e863c2d9f52770

SHA1
84a23b46553b28b7392761f58d8bf41f98596363

SHA256
cc2555ebf93d16bf4d75b5b18a5bb5129dc6cfaf606b40027b69e06c699912c2

SHA512
f2315f7939887c266cfbed42041ac57a55e9bf9241c45f70b69650d797e75c761214d4098af14c2a2680fd703125fa93e63695ce137430cdf9f840a605675db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
42ce3775f3df0e4870e863c2d9f52770

SHA1
84a23b46553b28b7392761f58d8bf41f98596363

SHA256
cc2555ebf93d16bf4d75b5b18a5bb5129dc6cfaf606b40027b69e06c699912c2

SHA512
f2315f7939887c266cfbed42041ac57a55e9bf9241c45f70b69650d797e75c761214d4098af14c2a2680fd703125fa93e63695ce137430cdf9f840a605675db6

Download Submit
\Users\Admin\AppData\Local\Temp\nsk93BB.tmp\NSISdl.dll
MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsk93BB.tmp\NSISdl.dll
MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsk93BB.tmp\NSISdl.dll
MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsk93BB.tmp\NSISdl.dll
MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB6F3.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB6F3.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsuB6F3.tmp\nsDialogs.dll
MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
memory/2300-118-0x0000000000000000-mapping.dmp

Download
memory/2300-124-0x0000000002811000-0x0000000002813000-memory.dmp

Filesize
8KB

Download