2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c

Analysis

max time kernel
139s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe
Size

177KB
MD5

6d16b6a9cfb070e77fd39ab766df5cd0
SHA1

8a5feaec20b581b3500abb67f7faf43669fafffe
SHA256

2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c
SHA512

7cf2949d7a18c1b6017df30a6847c8b3311cdf6673157ff7b4592c0cba56b42424d6ed0080ace7c3b19d57c20222cd246f338f957c1492127fcd3a565b130706
SSDEEP

3072:H5BuYAVrgUCPn/VCaph4rofRoRd2ct46HQpZdRUK7GToO:H50gUCwaphtdctzH6fpGToO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4476	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
4908	2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe
4908	2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe
4908	2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe
4476	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4476	4908	2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe	81
PID 4908 wrote to memory of 4476	4908	2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe	81
PID 4908 wrote to memory of 4476	4908	2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe	81

C:\Users\Admin\AppData\Local\Temp\2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe
"C:\Users\Admin\AppData\Local\Temp\2a4604380ab34b43ef3a9113489254c0b17c2ddbf97623bb89e967e6941ef11c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\nsa9715.tmp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\nsa9715.tmp\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
56KB

MD5
e0c52a94b5611add37fe344df5b1861d

SHA1
8d18a7a23269eb206154ff897f9c2aacfa488b46

SHA256
ae134fc2a5fa8897fd935630ff454d4b8690a7236f51663737d744e41fa36819

SHA512
d2eb43bcf8b645a5fc72a62780ac0e2c31f5630da6a589341afe2e6140497df912d98070b9df777dbfb0ca581377ab7730b6b7f0f20741f1b79258b21022c555

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa9715.tmp\NSISdl.dll

Filesize
15KB

MD5
7caaf58a526da33c24cbe122e7839693

SHA1
7687112cb6593947226f8a8319d6e2d0cdef3b11

SHA256
19debdc4c0b6f5dc9582bda7a2c1146516f683e8d741190e6d4b81ad10b33f61

SHA512
aafd0cb2abb3d2dee95c2d037a6a1a5bff0518e3210ced0c39e6d6696e4fab4734df01476fe9dcb208f02c529cd03346bc8b7f3319ae49701bbf2cb453d59bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa9715.tmp\NSISdl.dll

Filesize
15KB

MD5
7caaf58a526da33c24cbe122e7839693

SHA1
7687112cb6593947226f8a8319d6e2d0cdef3b11

SHA256
19debdc4c0b6f5dc9582bda7a2c1146516f683e8d741190e6d4b81ad10b33f61

SHA512
aafd0cb2abb3d2dee95c2d037a6a1a5bff0518e3210ced0c39e6d6696e4fab4734df01476fe9dcb208f02c529cd03346bc8b7f3319ae49701bbf2cb453d59bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa9715.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa9715.tmp\setup.exe

Filesize
72KB

MD5
cc3315bfd85148caceb65a690bee8480

SHA1
4d8aa788eeffe5ae7b459ff0eb4599f22fa3809f

SHA256
91e6ad589d18619aff08403c9124729fbbd22cffca15973395c8b3052eca1508

SHA512
e05c09cc55b7a14897f1e7e1d78be27f77815964cab21da2a45089d2ba8da62d6ee5a313a7caef93a2a5fead27094863e5cf2dccfb7c831a3bb3a7b70fc14561

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa9715.tmp\setup.exe

Filesize
72KB

MD5
cc3315bfd85148caceb65a690bee8480

SHA1
4d8aa788eeffe5ae7b459ff0eb4599f22fa3809f

SHA256
91e6ad589d18619aff08403c9124729fbbd22cffca15973395c8b3052eca1508

SHA512
e05c09cc55b7a14897f1e7e1d78be27f77815964cab21da2a45089d2ba8da62d6ee5a313a7caef93a2a5fead27094863e5cf2dccfb7c831a3bb3a7b70fc14561

Download Submit
memory/4476-139-0x0000000074A20000-0x0000000074A46000-memory.dmp

Filesize
152KB

Download
memory/4476-140-0x0000000074A20000-0x0000000074A46000-memory.dmp

Filesize
152KB

Download