50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 01:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
Size

60KB
MD5

e0c1f7c2de35cc212d1b249d8467e182
SHA1

2cc48aee926d164c30ca131621ffac2d7fd7dd43
SHA256

50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2
SHA512

f51f742ef225edde4b6c90cfb2ce202e58888d03fd3313e7ad1473c3cdfda569c03e18d7eaff0c65e5a23546e10991773b4d2d5632863b7a987995796717bbaa
SSDEEP

1536:HQpQ5EP0ijnRTXJU6mQKhUkFXuzZBDtY75DjwnMwjIMnMwj2:HQIURTXJ5KeouN7Y7RuMwEGMw6

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe

Executes dropped EXE 2 IoCs

pid	Process
820	uninst.exe
624	Au_.exe

Deletes itself 1 IoCs

pid	Process
624	Au_.exe

Loads dropped DLL 13 IoCs

pid	Process
2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
820	uninst.exe
820	uninst.exe
820	uninst.exe
820	uninst.exe
820	uninst.exe
624	Au_.exe
624	Au_.exe
624	Au_.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\flash.scf	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Messenger\Messenger.kbb	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
File created	C:\Program Files (x86)\lnkfiles\19.txt	cscript.exe
File created	C:\Program Files (x86)\Messenger\Ntype.exe	cscript.exe
File created	C:\Program Files (x86)\Common Files\System\ado\myie.vbs	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
File created	C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\21.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\25.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\29.txt	cscript.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\17.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\23.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\27.txt	cscript.exe
File created	C:\Program Files (x86)\Messenger\taodwq.ico	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
File created	C:\Program Files (x86)\lnkfiles\15.txt	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 13 IoCs

installer

resource	yara_rule
behavioral1/files/0x000700000001267b-65.dat	nsis_installer_2
behavioral1/files/0x000700000001267b-67.dat	nsis_installer_2
behavioral1/files/0x000700000001267b-69.dat	nsis_installer_2
behavioral1/files/0x000700000001267b-70.dat	nsis_installer_2
behavioral1/files/0x000700000001267b-71.dat	nsis_installer_2
behavioral1/files/0x000700000001267b-72.dat	nsis_installer_2
behavioral1/files/0x0009000000012330-73.dat	nsis_installer_2
behavioral1/files/0x0009000000012330-74.dat	nsis_installer_2
behavioral1/files/0x0009000000012330-76.dat	nsis_installer_2
behavioral1/files/0x0009000000012330-78.dat	nsis_installer_2
behavioral1/files/0x0009000000012330-81.dat	nsis_installer_2
behavioral1/files/0x0009000000012330-80.dat	nsis_installer_2
behavioral1/files/0x0009000000012330-79.dat	nsis_installer_2

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kbb	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kbb\ = "JSEFile"	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1992	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	27
PID 2024 wrote to memory of 1992	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	27
PID 2024 wrote to memory of 1992	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	27
PID 2024 wrote to memory of 1992	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	27
PID 2024 wrote to memory of 1992	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	27
PID 2024 wrote to memory of 1992	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	27
PID 2024 wrote to memory of 1992	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	27
PID 2024 wrote to memory of 2028	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	29
PID 2024 wrote to memory of 2028	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	29
PID 2024 wrote to memory of 2028	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	29
PID 2024 wrote to memory of 2028	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	29
PID 2024 wrote to memory of 2028	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	29
PID 2024 wrote to memory of 2028	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	29
PID 2024 wrote to memory of 2028	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	29
PID 2024 wrote to memory of 820	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	30
PID 2024 wrote to memory of 820	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	30
PID 2024 wrote to memory of 820	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	30
PID 2024 wrote to memory of 820	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	30
PID 2024 wrote to memory of 820	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	30
PID 2024 wrote to memory of 820	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	30
PID 2024 wrote to memory of 820	2024	50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe	30
PID 820 wrote to memory of 624	820	uninst.exe	31
PID 820 wrote to memory of 624	820	uninst.exe	31
PID 820 wrote to memory of 624	820	uninst.exe	31
PID 820 wrote to memory of 624	820	uninst.exe	31
PID 820 wrote to memory of 624	820	uninst.exe	31
PID 820 wrote to memory of 624	820	uninst.exe	31
PID 820 wrote to memory of 624	820	uninst.exe	31

C:\Users\Admin\AppData\Local\Temp\50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe
"C:\Users\Admin\AppData\Local\Temp\50d85c7536f3360818233ed3df71e8a05a273d2ff089378d0e91eab687dacdc2.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\Common Files\System\ado\myie.vbs"
  2⤵
  - Drops file in Program Files directory
  PID:1992
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files (x86)\Messenger\messenger.kbb"
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\uninst.exe
  "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    - Deletes itself
    - Loads dropped DLL
    PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\ado\myie.vbs

Filesize
3KB

MD5
c93b852c32f638cb351e94ce90f8ba6c

SHA1
1e9a97145222d666b965ba04fff251513cb9ecfe

SHA256
f285fc6dbf41f7155aa0279abb46f2f746b63d7bc6731f7b434deb8208785f28

SHA512
04a9a108d2c18216872f20300b0469fbe9698539a23e674f29178fa0ebd0cf59b2a497caa3542affc216539045fa2e1c224524b6f36b7bd00645c7d4630cb411

Download Submit
C:\Program Files (x86)\Messenger\messenger.kbb

Filesize
8KB

MD5
ad8242be7222f2bb6f2722c9fc960c88

SHA1
2aeed752492046451d39ad06896dd30fb32831ec

SHA256
3bf64cd838d63e20d1609db5ef4151155a9c70396947e07d48ae12d7e3e64c6b

SHA512
a7f29cadf2a06e3bd140df4fca10922ed61b96bb9a3c701cbc003b07455198714b56b33592d3a4657038f9c565dfe4bbe3d2661809b9019b0af6e3c0b40c2cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogou.ini

Filesize
126B

MD5
ee0520624957a0158268b37c80db58b3

SHA1
b96ccb7f85725d9be2d565346690fc6a74f9f2ff

SHA256
63d61efd96128edaab37f1d726b41dc444fef185722452320aefe365215b537e

SHA512
37846c3719f72f703a6e4af3372c95e3828d6acb32e821159fada48fbe9a97869017bb95f7d9cc67195c35ad2543d436800f8b042d50061dc1f6fdfc4bd6ef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCD0.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCD0.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCD0.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCD0.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
34KB

MD5
f41f5adbd93cc117d2cb4e28931b48ed

SHA1
f19b01da8bba5e10fbd636f593c7930bdf955393

SHA256
089d29b8822fdeaad65f796f4f53f33631076a8bd44de390871bf2c51cabea70

SHA512
106be272f7125042ad3f674e95171023c52489e216ddcc4c2d13c8031907b44fb4ef67d390733a720848d627e5597113158d4e6f51996411809cc96c71615456

Download Submit
memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download