74fc330fb13c00bb39455e6c1fd90fe8a7c151a8f89df9c88b366ea61e4827f8

Analysis

max time kernel
130s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74fc330fb13c00bb39455e6c1fd90fe8a7c151a8f89df9c88b366ea61e4827f8.exe
Size

92KB
MD5

0a801f87d51f5e478e22dfba7f1ce760
SHA1

77753ea247b89837969f09a1b46048434656f571
SHA256

74fc330fb13c00bb39455e6c1fd90fe8a7c151a8f89df9c88b366ea61e4827f8
SHA512

893ba04891990d34931e74776d1b42a3dfb4128ff36bc1241b85bdf796e9e68de56094226404636b1d1aee2fb509651e277e4352434c07064e8016238e2a968e
SSDEEP

1536:DQpQ5EP0ijnRTXJ+MvcSeuBioIGFOH5DK1nwngXaL9RNLKZmJKRc:DQIURTXJ+MvcShvFmm1wnWaL9/ac

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4796	njlkynwh.exe
376	njlkynwh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	njlkynwh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 376	4796	njlkynwh.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
376	njlkynwh.exe
376	njlkynwh.exe
376	njlkynwh.exe
376	njlkynwh.exe
376	njlkynwh.exe
376	njlkynwh.exe
376	njlkynwh.exe
376	njlkynwh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4796	njlkynwh.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4796	5112	74fc330fb13c00bb39455e6c1fd90fe8a7c151a8f89df9c88b366ea61e4827f8.exe	82
PID 5112 wrote to memory of 4796	5112	74fc330fb13c00bb39455e6c1fd90fe8a7c151a8f89df9c88b366ea61e4827f8.exe	82
PID 5112 wrote to memory of 4796	5112	74fc330fb13c00bb39455e6c1fd90fe8a7c151a8f89df9c88b366ea61e4827f8.exe	82
PID 4796 wrote to memory of 376	4796	njlkynwh.exe	85
PID 4796 wrote to memory of 376	4796	njlkynwh.exe	85
PID 4796 wrote to memory of 376	4796	njlkynwh.exe	85
PID 4796 wrote to memory of 376	4796	njlkynwh.exe	85
PID 4796 wrote to memory of 376	4796	njlkynwh.exe	85
PID 4796 wrote to memory of 376	4796	njlkynwh.exe	85
PID 4796 wrote to memory of 376	4796	njlkynwh.exe	85
PID 4796 wrote to memory of 376	4796	njlkynwh.exe	85

C:\Users\Admin\AppData\Local\Temp\74fc330fb13c00bb39455e6c1fd90fe8a7c151a8f89df9c88b366ea61e4827f8.exe
"C:\Users\Admin\AppData\Local\Temp\74fc330fb13c00bb39455e6c1fd90fe8a7c151a8f89df9c88b366ea61e4827f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\njlkynwh.exe
  C:\Users\Admin\AppData\Local\Temp\njlkynwh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\njlkynwh.exe
    C:\Users\Admin\AppData\Local\Temp\njlkynwh.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\njlkynwh.exe

Filesize
80KB

MD5
0f93e5709b1d6e39f0373ffe66a55628

SHA1
4d7bbcccc2cb7dd222ea5b1a2dda4a4b4b449c3b

SHA256
d8b6b1dbe5beb2b2224f5d1fee6c5d8378fa5d0f28a51246b3bd2443107d6d25

SHA512
6bbc83aa35103f9fabb4b70f5849da52ac0f34349aadc9354ef33ae7881913360a36429c51bc17d6f946861e9a998d60d7e9849aece477e9f755775c8200806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\njlkynwh.exe

Filesize
80KB

MD5
0f93e5709b1d6e39f0373ffe66a55628

SHA1
4d7bbcccc2cb7dd222ea5b1a2dda4a4b4b449c3b

SHA256
d8b6b1dbe5beb2b2224f5d1fee6c5d8378fa5d0f28a51246b3bd2443107d6d25

SHA512
6bbc83aa35103f9fabb4b70f5849da52ac0f34349aadc9354ef33ae7881913360a36429c51bc17d6f946861e9a998d60d7e9849aece477e9f755775c8200806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\njlkynwh.exe

Filesize
80KB

MD5
0f93e5709b1d6e39f0373ffe66a55628

SHA1
4d7bbcccc2cb7dd222ea5b1a2dda4a4b4b449c3b

SHA256
d8b6b1dbe5beb2b2224f5d1fee6c5d8378fa5d0f28a51246b3bd2443107d6d25

SHA512
6bbc83aa35103f9fabb4b70f5849da52ac0f34349aadc9354ef33ae7881913360a36429c51bc17d6f946861e9a998d60d7e9849aece477e9f755775c8200806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.dat

Filesize
24KB

MD5
cc95b7b5a705470e897e3e6dca8c4e0c

SHA1
4f67fd563f4059df978441ce1efed179cc4fc374

SHA256
2061bb6056f6ba663028f0f5d576f2257c9c5a6905e196ecb9142eaf3a5732cf

SHA512
e9b7b471409f467c02dacc0201fc104b3fa8b31906e05095cc3c5e4bafe405b1c8377a4da32d6b0c3bed52943bdd6ea588782b45a0ce27073875a28c9363aacf

Download Submit
memory/376-137-0x0000000000000000-mapping.dmp

Download
memory/376-138-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/376-141-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/376-143-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/376-144-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4796-132-0x0000000000000000-mapping.dmp

Download