Analysis
-
max time kernel
86s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 03:45
Static task
static1
Behavioral task
behavioral1
Sample
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
Resource
win10v2004-20220414-en
General
-
Target
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
-
Size
1.9MB
-
MD5
4ee07fb83faff93732dbc9138222368f
-
SHA1
4da06c16bc29c67db43a08145def09b6ad257415
-
SHA256
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee
-
SHA512
d36406f6bf42019fea383d53e2fc2fdc38af4de9a06dfa7bacc7c017041ff224122999ec9fde41c448d17f5b3faa95e7f7ec7c616b120b379d2ddc0bfe05fa3b
Malware Config
Signatures
-
Loads dropped DLL 6 IoCs
Processes:
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exepid process 1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe 1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe 1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe 1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe 1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe 1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exedescription ioc process File opened for modification \??\PhysicalDrive0 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 3 IoCs
Processes:
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 74c67df97cb42c43b1344f376b675fcc 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exepid process 1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exepid process 1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe"C:\Users\Admin\AppData\Local\Temp\00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\BDMDownload.dllFilesize
158KB
MD5b62367fe2d02b8f47914b088a006d50c
SHA13743c953e48e6f3f76689423ba9c1ed25e9f86d3
SHA256cbd4c5b6b945620e8b65752dff5a0f0900fc5de2dda8daf3cdda68b1661420b7
SHA512c010e3cc736ac1e10c6af44132d831df34d09bf1e7d1e96fb5c9f571cade04462d442c4b0fd84de92dc68d753a0beab0b4081122d53d516406f0d3c1ec1e0dbb
-
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\BDMNetGetInfo.dllFilesize
314KB
MD512f98be1d919784370eb0f87e78b60d8
SHA1d07de2227b2ec68545be0adeb042af457d68f9e2
SHA25663e34375374ae6cc695c0bc03f1f9aad67e068fc51962fd25edbf2fbeceda9f9
SHA512ab2fcdd3eb7b58f044a855b5cae744bc1b3be599cf0d22ee93ccce2e97cb3bc1f36ea2c1ed75013c76f8c9e4071ba29710595c3a57cda2470885ee9293fc2d8d
-
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\BDMSkin.dllFilesize
1.3MB
MD539257175ac9c90199c69aea1a7bcbda0
SHA16cf4a8dedf37d24ce902f34fa66120a214e1a2cc
SHA25684d5fb0a7cf1bc1e4bbd0de51d3b7eb04bb92af9a1fc3675601b382a5f11d9fc
SHA5124a71d0ac3df53b25509205e9ed0bf781cbefa2ba6307501ae336488c8a3f7f627b8d01f861adbf47986e168abab5a06b36848f87cbcf27fe846e5f0ffc3a9f53
-
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\System.dllFilesize
18KB
MD51c951bbcbc780046d6be1079a04870a4
SHA1a5bae7d838973154e6fac69b1c5ff7d2cda01906
SHA256d23676fbcf76355d1af68e7b32964b837243349920921b2ec74d97554809a65e
SHA51262c3686baed2232f7d8ddc8f48a41761812b5b2a67f3a689b7a43275f077842366abc13c7e8259613bfd9df25cf467e4001337c1454aec910abce121d551e2d8
-
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\dl.dllFilesize
1.9MB
MD5763b532d651f0ad5e135d9b57bf4fba4
SHA123f1302f904a67a1fe0d48e11a435c2f36336196
SHA25650b3c45ede6fd2d77c4f040242b2174289767b18a3a084e7046133b05f93e173
SHA512a4ec0f5bfa30d3558935f4075a75aebf080ece324a550c573d8a424730693b030cd26b4862973e8da8937e610c287d64e96c2fd952b59324ed1822919a00737c
-
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\tmptwl2qh.dllFilesize
2.6MB
MD521b8dcddef95687175b7163f7fa819e3
SHA1ea54fb330bf335e996330d272979712ab7fd1443
SHA2564571035b67abb5ddc9b867b8bde9bfec8aa8917bce2a9df413ecae3ea606aa1c
SHA5122a906e65f9f6ddef3b59c6f199c8bf9d72a14878f6927253a65e0915cefa384fdbf5bc43462f19da8bd9a8586c2dfa80b9f146870010ab7ae5e1e5bc8b8e11d2
-
memory/1512-54-0x0000000076421000-0x0000000076423000-memory.dmpFilesize
8KB
-
memory/1512-67-0x0000000004F00000-0x00000000050ED000-memory.dmpFilesize
1.9MB