153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772

Analysis

max time kernel
62s
max time network
91s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe
Size

4.7MB
MD5

178e442aa91768f00d754b395bb5c89e
SHA1

ff7ea0a36080deb166178b7fca97d33955d55dfa
SHA256

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772
SHA512

2db61a73bc22cc283aee3bdb8420ca9f5617869afa1df74fc8672c7fce9ac014ead0be496de8bfa7764f4ba5288b6f87db142d4791a505a969daea95df7cbca6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
740	NisSrv.com
1408	NisSrv.com

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lyIGmHfccK.url	NisSrv.com

Loads dropped DLL 2 IoCs

pid	Process
1836	cmd.exe
740	NisSrv.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2004	PING.EXE
1556	PING.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1224	1484	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	28
PID 1484 wrote to memory of 1224	1484	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	28
PID 1484 wrote to memory of 1224	1484	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	28
PID 1484 wrote to memory of 1224	1484	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	28
PID 1484 wrote to memory of 2020	1484	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	30
PID 1484 wrote to memory of 2020	1484	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	30
PID 1484 wrote to memory of 2020	1484	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	30
PID 1484 wrote to memory of 2020	1484	153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe	30
PID 2020 wrote to memory of 1836	2020	cmd.exe	32
PID 2020 wrote to memory of 1836	2020	cmd.exe	32
PID 2020 wrote to memory of 1836	2020	cmd.exe	32
PID 2020 wrote to memory of 1836	2020	cmd.exe	32
PID 1836 wrote to memory of 2004	1836	cmd.exe	33
PID 1836 wrote to memory of 2004	1836	cmd.exe	33
PID 1836 wrote to memory of 2004	1836	cmd.exe	33
PID 1836 wrote to memory of 2004	1836	cmd.exe	33
PID 1836 wrote to memory of 1244	1836	cmd.exe	34
PID 1836 wrote to memory of 1244	1836	cmd.exe	34
PID 1836 wrote to memory of 1244	1836	cmd.exe	34
PID 1836 wrote to memory of 1244	1836	cmd.exe	34
PID 1836 wrote to memory of 740	1836	cmd.exe	35
PID 1836 wrote to memory of 740	1836	cmd.exe	35
PID 1836 wrote to memory of 740	1836	cmd.exe	35
PID 1836 wrote to memory of 740	1836	cmd.exe	35
PID 1836 wrote to memory of 1556	1836	cmd.exe	36
PID 1836 wrote to memory of 1556	1836	cmd.exe	36
PID 1836 wrote to memory of 1556	1836	cmd.exe	36
PID 1836 wrote to memory of 1556	1836	cmd.exe	36
PID 740 wrote to memory of 1408	740	NisSrv.com	37
PID 740 wrote to memory of 1408	740	NisSrv.com	37
PID 740 wrote to memory of 1408	740	NisSrv.com	37
PID 740 wrote to memory of 1408	740	NisSrv.com	37

C:\Users\Admin\AppData\Local\Temp\153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe
"C:\Users\Admin\AppData\Local\Temp\153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo qIKXL
  2⤵
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < TUXWQNTevtbkTvanZiBxZRaCwLXTRQVANFwFDEEDmYGDhFs.bmrhtLVwCxVyQZlGpXnhxMVxCXVwkPgcxpvaNHcwKq
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 CpD.RKWigx
      4⤵
      Runs ping.exe
      PID:2004
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode kalLzATvQOcyNnPvDVKxJFDNeYNDhETEMKpTRwhMRLyJRhrC.AJdMvgFObJcMdojVRargWEBHXDXmUVOUkOMVCRfcDyx IG
      4⤵
      PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com
      NisSrv.com IG
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com
        
        C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com IG
        5⤵
        Executes dropped EXE
        Drops startup file
        
        PID:1408
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\IG

Filesize
688KB

MD5
28a80c7500e5f1a51a79c04e778b129a

SHA1
9e06a9897adc6eb312253efcc68f3e796c99fdc4

SHA256
48347e1b79b1b1c0b7f013b1529bcec47329b952107d5be4bc0dbba74a5424b6

SHA512
cdf08c89da3fc257751ed4967e16f2fbfca8225f9f243b56b08d6476080900eaf0c5f19d20da368273a650347b698d0e41f56cde931d70a5bd4e838bf002fe13

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\LnlAyejloDZjcabcwsiNXbHfyakxJCJI.RcYGcCOqLBitFsvcHCbTyngRUxNQSAFTdmDWnOGPzM

Filesize
917KB

MD5
b66801f8eef442b1e664f189c16e7f78

SHA1
241c92e2343630ad6b3d80daf6c96c590f60ed2d

SHA256
4b99e26b74e219107c6e804d16cbfb5573fed5e1eeb7c9b6158cc0d89a8b6edd

SHA512
1c4c45f2eb1b95c37b710a06f92ee63235895e6e0d2556fdb620bb1406c60f21cb34ca8c6ea2b9d802e1acc4b2566cee8a94119a3a129288727856c67302c96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com

Filesize
918KB

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com

Filesize
918KB

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com

Filesize
918KB

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\TUXWQNTevtbkTvanZiBxZRaCwLXTRQVANFwFDEEDmYGDhFs.bmrhtLVwCxVyQZlGpXnhxMVxCXVwkPgcxpvaNHcwKq

Filesize
4KB

MD5
da8b22fac5b55784d0fbd13f3dec5a7b

SHA1
558d61ee117e2ad110f16d37cf467c2eef8dcf0b

SHA256
3da74cd8116929b271ff972e0f7d647556ce040f0c42014acaf88307b72100a8

SHA512
0a1129fb2468f5ca9cb7a97158186cb2afcdcec50050bc4bbb7eacf7f548d406dd56813585a7589267fbfbd3f73a4887394aecc1b4a69d229f5bfaee7f06840b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\kalLzATvQOcyNnPvDVKxJFDNeYNDhETEMKpTRwhMRLyJRhrC.AJdMvgFObJcMdojVRargWEBHXDXmUVOUkOMVCRfcDyx

Filesize
946KB

MD5
c7a34ebd14db0c22d5566f79c9f615e8

SHA1
733e005d41c2859064cae874389eaff21a207cf3

SHA256
2ce950f5f99c6c8c60dacbb2d645c83bcf4c267b70e15fddd54a3a125e14d5ce

SHA512
b9e3467aa266f8ee9cedb641b889031a3c02dd7118cc614c6b971bcbb8672e9b268732a383617a6dd2617530495388a55249d0d4826173e1999f23d5179827d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\uiMqOXolVgOuNmWSWIAajzsJUNwTnEH.RlQdeFqcDwZkvzjfeptDffuNPeuwWfMsGjg

Filesize
3.8MB

MD5
08c4484ecf3d845fa964a86efae56220

SHA1
0cbb9518f98963393dccc8fea430b3b21e276add

SHA256
5d5fc5f305338b316f88c9e4e7a4f93b69d62d1a0f395f938d7a99b1c622c02e

SHA512
f8c0f267614e45c0a2c92bb49d1f0d085fddaf6f0b069d748740251fc2bb80781b5fafb536a2d7935b4345f638d282d99f0408ff239bb007d036c556c42425c6

Download Submit
\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com

Filesize
918KB

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
\Users\Admin\AppData\Local\Temp\CbNBSRdCNgFerwrN\NisSrv.com

Filesize
918KB

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
memory/1484-54-0x0000000076431000-0x0000000076433000-memory.dmp

Filesize
8KB

Download