e5c791dd6fc81e3cb076995ec65362a8c5e7333586c935ac1a8c3666749c1978

Analysis

max time kernel
50s
max time network
71s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
22-09-2022 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5c791dd6fc81e3cb076995ec65362a8c5e7333586c935ac1a8c3666749c1978.exe
Size

1.7MB
MD5

6faf8c6a5daf175a6742e4cac9251a71
SHA1

b6e35144266f79e6667d337712350927aa4a80f2
SHA256

e5c791dd6fc81e3cb076995ec65362a8c5e7333586c935ac1a8c3666749c1978
SHA512

c84fc8a41da04ece2f026816eafa43f9dff4e034e3b3c75e9f5e9ad5a762a58bf4600a542a0763b3981167231b19dd3d195dd8aa5a52d8de8a0995492a396b49
SSDEEP

49152:UbA30XXQc7JEKbh8zlhgGzIYIed2Q6I4u8q:UbUcy88zleGsYEQ6I4u8q

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3516	rundll32.exe
3516	rundll32.exe
4508	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2924	2172	e5c791dd6fc81e3cb076995ec65362a8c5e7333586c935ac1a8c3666749c1978.exe	66
PID 2172 wrote to memory of 2924	2172	e5c791dd6fc81e3cb076995ec65362a8c5e7333586c935ac1a8c3666749c1978.exe	66
PID 2172 wrote to memory of 2924	2172	e5c791dd6fc81e3cb076995ec65362a8c5e7333586c935ac1a8c3666749c1978.exe	66
PID 2924 wrote to memory of 3516	2924	control.exe	67
PID 2924 wrote to memory of 3516	2924	control.exe	67
PID 2924 wrote to memory of 3516	2924	control.exe	67
PID 3516 wrote to memory of 3908	3516	rundll32.exe	68
PID 3516 wrote to memory of 3908	3516	rundll32.exe	68
PID 3908 wrote to memory of 4508	3908	RunDll32.exe	69
PID 3908 wrote to memory of 4508	3908	RunDll32.exe	69
PID 3908 wrote to memory of 4508	3908	RunDll32.exe	69

C:\Users\Admin\AppData\Local\Temp\e5c791dd6fc81e3cb076995ec65362a8c5e7333586c935ac1a8c3666749c1978.exe
"C:\Users\Admin\AppData\Local\Temp\e5c791dd6fc81e3cb076995ec65362a8c5e7333586c935ac1a8c3666749c1978.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\QNfXgBT.NzN
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\QNfXgBT.NzN
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\QNfXgBT.NzN
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\QNfXgBT.NzN
        5⤵
        Loads dropped DLL
        
        PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QNfXgBT.NzN

Filesize
1.9MB

MD5
d66fc424fb4b5b0cd08942d0dc8ca205

SHA1
65848d89b10e7cc60d74185275dfd23e374fcf6c

SHA256
c488bae327882209d66e93d58bf7ac113f45798fb66012e494db9375bb0de1e0

SHA512
7aae14d7d7ff38a8b366bb25d247df4803e1bb92f1440beb2d3bdf91f36069263c51be58ad7656fc2b101918dc7020bfb0e918b4b61776d9cf68b210651e2bb4

Download Submit
\Users\Admin\AppData\Local\Temp\qnfxgbT.Nzn

Filesize
1.9MB

MD5
d66fc424fb4b5b0cd08942d0dc8ca205

SHA1
65848d89b10e7cc60d74185275dfd23e374fcf6c

SHA256
c488bae327882209d66e93d58bf7ac113f45798fb66012e494db9375bb0de1e0

SHA512
7aae14d7d7ff38a8b366bb25d247df4803e1bb92f1440beb2d3bdf91f36069263c51be58ad7656fc2b101918dc7020bfb0e918b4b61776d9cf68b210651e2bb4

Download Submit
\Users\Admin\AppData\Local\Temp\qnfxgbT.Nzn

Filesize
1.9MB

MD5
d66fc424fb4b5b0cd08942d0dc8ca205

SHA1
65848d89b10e7cc60d74185275dfd23e374fcf6c

SHA256
c488bae327882209d66e93d58bf7ac113f45798fb66012e494db9375bb0de1e0

SHA512
7aae14d7d7ff38a8b366bb25d247df4803e1bb92f1440beb2d3bdf91f36069263c51be58ad7656fc2b101918dc7020bfb0e918b4b61776d9cf68b210651e2bb4

Download Submit
\Users\Admin\AppData\Local\Temp\qnfxgbT.Nzn

Filesize
1.9MB

MD5
d66fc424fb4b5b0cd08942d0dc8ca205

SHA1
65848d89b10e7cc60d74185275dfd23e374fcf6c

SHA256
c488bae327882209d66e93d58bf7ac113f45798fb66012e494db9375bb0de1e0

SHA512
7aae14d7d7ff38a8b366bb25d247df4803e1bb92f1440beb2d3bdf91f36069263c51be58ad7656fc2b101918dc7020bfb0e918b4b61776d9cf68b210651e2bb4

Download Submit
memory/2172-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2924-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-280-0x00000000047F0000-0x0000000004946000-memory.dmp

Filesize
1.3MB

Download
memory/3516-281-0x0000000004A70000-0x0000000004B89000-memory.dmp

Filesize
1.1MB

Download
memory/3516-350-0x0000000004A70000-0x0000000004B89000-memory.dmp

Filesize
1.1MB

Download
memory/4508-339-0x00000000052A0000-0x00000000053F6000-memory.dmp

Filesize
1.3MB

Download
memory/4508-340-0x0000000005520000-0x0000000005639000-memory.dmp

Filesize
1.1MB

Download
memory/4508-349-0x0000000005520000-0x0000000005639000-memory.dmp

Filesize
1.1MB

Download