813405f2ccb554b4098235b44606aa484902412788803fb4823de97f44a61a8a

Analysis

max time kernel
35s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1_nas2022-NAS管理-rw.exe
Size

81KB
MD5

6a9c1fd245ee2350ee7f1e27a36fb0ff
SHA1

4b3e3d9fb614ac6a82c689112d9f237bff06d1bd
SHA256

b45a262789e9f238dc8c00b9640db1c40b4cc08ceb365ddff53b946ff85d9dd8
SHA512

51146e59fe8c191bb9881d67b4d5551355ec5fdbdf64363daa0490ef22054d30df661f1d576754a3128946f16ad18fd0fd9f2b6243d4a6d4593ad6de8f264bed
SSDEEP

768:LRV8cOu2NOSnJLnRF8vpSOQmiqLBbBC2Kb8l9hVh2+E4AHwc/o+9IHqHYDZhYWFz:rBmOSn+MOQBqNbHKQ3hfEXN8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 32 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	net.exe
File opened (read-only)	\??\K:	net.exe
File opened (read-only)	\??\N:	net.exe
File opened (read-only)	\??\Q:	net.exe
File opened (read-only)	\??\U:	net.exe
File opened (read-only)	\??\N:	net.exe
File opened (read-only)	\??\R:	net.exe
File opened (read-only)	\??\S:	net.exe
File opened (read-only)	\??\P:	net.exe
File opened (read-only)	\??\M:	net.exe
File opened (read-only)	\??\T:	net.exe
File opened (read-only)	\??\V:	net.exe
File opened (read-only)	\??\W:	net.exe
File opened (read-only)	\??\X:	net.exe
File opened (read-only)	\??\W:	net.exe
File opened (read-only)	\??\Y:	net.exe
File opened (read-only)	\??\L:	net.exe
File opened (read-only)	\??\Y:	net.exe
File opened (read-only)	\??\M:	net.exe
File opened (read-only)	\??\Z:	net.exe
File opened (read-only)	\??\U:	net.exe
File opened (read-only)	\??\V:	net.exe
File opened (read-only)	\??\L:	net.exe
File opened (read-only)	\??\O:	net.exe
File opened (read-only)	\??\S:	net.exe
File opened (read-only)	\??\X:	net.exe
File opened (read-only)	\??\H:	net.exe
File opened (read-only)	\??\I:	net.exe
File opened (read-only)	\??\P:	net.exe
File opened (read-only)	\??\O:	net.exe
File opened (read-only)	\??\R:	net.exe
File opened (read-only)	\??\T:	net.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1772	1204	1_nas2022-NAS管理-rw.exe	27
PID 1204 wrote to memory of 1772	1204	1_nas2022-NAS管理-rw.exe	27
PID 1204 wrote to memory of 1772	1204	1_nas2022-NAS管理-rw.exe	27
PID 1204 wrote to memory of 1772	1204	1_nas2022-NAS管理-rw.exe	27
PID 1772 wrote to memory of 1660	1772	cmd.exe	29
PID 1772 wrote to memory of 1660	1772	cmd.exe	29
PID 1772 wrote to memory of 1660	1772	cmd.exe	29
PID 1772 wrote to memory of 652	1772	cmd.exe	30
PID 1772 wrote to memory of 652	1772	cmd.exe	30
PID 1772 wrote to memory of 652	1772	cmd.exe	30
PID 1772 wrote to memory of 536	1772	cmd.exe	31
PID 1772 wrote to memory of 536	1772	cmd.exe	31
PID 1772 wrote to memory of 536	1772	cmd.exe	31
PID 1772 wrote to memory of 1320	1772	cmd.exe	32
PID 1772 wrote to memory of 1320	1772	cmd.exe	32
PID 1772 wrote to memory of 1320	1772	cmd.exe	32
PID 1772 wrote to memory of 544	1772	cmd.exe	33
PID 1772 wrote to memory of 544	1772	cmd.exe	33
PID 1772 wrote to memory of 544	1772	cmd.exe	33
PID 1772 wrote to memory of 1152	1772	cmd.exe	34
PID 1772 wrote to memory of 1152	1772	cmd.exe	34
PID 1772 wrote to memory of 1152	1772	cmd.exe	34
PID 1772 wrote to memory of 1756	1772	cmd.exe	35
PID 1772 wrote to memory of 1756	1772	cmd.exe	35
PID 1772 wrote to memory of 1756	1772	cmd.exe	35
PID 1772 wrote to memory of 676	1772	cmd.exe	36
PID 1772 wrote to memory of 676	1772	cmd.exe	36
PID 1772 wrote to memory of 676	1772	cmd.exe	36
PID 1772 wrote to memory of 580	1772	cmd.exe	37
PID 1772 wrote to memory of 580	1772	cmd.exe	37
PID 1772 wrote to memory of 580	1772	cmd.exe	37
PID 1772 wrote to memory of 636	1772	cmd.exe	38
PID 1772 wrote to memory of 636	1772	cmd.exe	38
PID 1772 wrote to memory of 636	1772	cmd.exe	38
PID 1772 wrote to memory of 1644	1772	cmd.exe	39
PID 1772 wrote to memory of 1644	1772	cmd.exe	39
PID 1772 wrote to memory of 1644	1772	cmd.exe	39
PID 1772 wrote to memory of 1092	1772	cmd.exe	40
PID 1772 wrote to memory of 1092	1772	cmd.exe	40
PID 1772 wrote to memory of 1092	1772	cmd.exe	40
PID 1772 wrote to memory of 1784	1772	cmd.exe	41
PID 1772 wrote to memory of 1784	1772	cmd.exe	41
PID 1772 wrote to memory of 1784	1772	cmd.exe	41
PID 1772 wrote to memory of 1760	1772	cmd.exe	42
PID 1772 wrote to memory of 1760	1772	cmd.exe	42
PID 1772 wrote to memory of 1760	1772	cmd.exe	42
PID 1772 wrote to memory of 452	1772	cmd.exe	43
PID 1772 wrote to memory of 452	1772	cmd.exe	43
PID 1772 wrote to memory of 452	1772	cmd.exe	43
PID 1772 wrote to memory of 1720	1772	cmd.exe	44
PID 1772 wrote to memory of 1720	1772	cmd.exe	44
PID 1772 wrote to memory of 1720	1772	cmd.exe	44
PID 1772 wrote to memory of 1852	1772	cmd.exe	45
PID 1772 wrote to memory of 1852	1772	cmd.exe	45
PID 1772 wrote to memory of 1852	1772	cmd.exe	45
PID 1772 wrote to memory of 552	1772	cmd.exe	46
PID 1772 wrote to memory of 552	1772	cmd.exe	46
PID 1772 wrote to memory of 552	1772	cmd.exe	46
PID 1772 wrote to memory of 968	1772	cmd.exe	47
PID 1772 wrote to memory of 968	1772	cmd.exe	47
PID 1772 wrote to memory of 968	1772	cmd.exe	47
PID 1772 wrote to memory of 1332	1772	cmd.exe	48
PID 1772 wrote to memory of 1332	1772	cmd.exe	48
PID 1772 wrote to memory of 1332	1772	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\1_nas2022-NAS管理-rw.exe
"C:\Users\Admin\AppData\Local\Temp\1_nas2022-NAS管理-rw.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\nDe3718\1_nas2022-NAS管理-rw.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\system32\net.exe
    NET USE H: /delete
    3⤵
    - Enumerates connected drives
    PID:1660
- - C:\Windows\system32\net.exe
    NET USE I: /delete
    3⤵
    - Enumerates connected drives
    PID:652
- - C:\Windows\system32\net.exe
    NET USE J: /delete
    3⤵
    - Enumerates connected drives
    PID:536
- - C:\Windows\system32\net.exe
    NET USE K: /delete
    3⤵
    - Enumerates connected drives
    PID:1320
- - C:\Windows\system32\net.exe
    NET USE L: /delete
    3⤵
    - Enumerates connected drives
    PID:544
- - C:\Windows\system32\net.exe
    NET USE M: /delete
    3⤵
    - Enumerates connected drives
    PID:1152
- - C:\Windows\system32\net.exe
    NET USE N: /delete
    3⤵
    - Enumerates connected drives
    PID:1756
- - C:\Windows\system32\net.exe
    NET USE O: /delete
    3⤵
    - Enumerates connected drives
    PID:676
- - C:\Windows\system32\net.exe
    NET USE P: /delete
    3⤵
    - Enumerates connected drives
    PID:580
- - C:\Windows\system32\net.exe
    NET USE Q: /delete
    3⤵
    - Enumerates connected drives
    PID:636
- - C:\Windows\system32\net.exe
    NET USE R: /delete
    3⤵
    - Enumerates connected drives
    PID:1644
- - C:\Windows\system32\net.exe
    NET USE S: /delete
    3⤵
    - Enumerates connected drives
    PID:1092
- - C:\Windows\system32\net.exe
    NET USE T: /delete
    3⤵
    - Enumerates connected drives
    PID:1784
- - C:\Windows\system32\net.exe
    NET USE U: /delete
    3⤵
    - Enumerates connected drives
    PID:1760
- - C:\Windows\system32\net.exe
    NET USE V: /delete
    3⤵
    - Enumerates connected drives
    PID:452
- - C:\Windows\system32\net.exe
    NET USE W: /delete
    3⤵
    - Enumerates connected drives
    PID:1720
- - C:\Windows\system32\net.exe
    NET USE X: /delete
    3⤵
    - Enumerates connected drives
    PID:1852
- - C:\Windows\system32\net.exe
    NET USE Y: /delete
    3⤵
    - Enumerates connected drives
    PID:552
- - C:\Windows\system32\net.exe
    NET USE Z: /delete
    3⤵
    - Enumerates connected drives
    PID:968
- - C:\Windows\system32\cmdkey.exe
    cmdkey /add:192.168.1.206 /user:sgsgictsup /pass:sgictsup-rw33122060afk
    3⤵
    PID:1332
- - C:\Windows\system32\net.exe
    NET USE N: \\192.168.1.206\Drivers /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1648
- - C:\Windows\system32\net.exe
    NET USE O: \\192.168.1.206\Information /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1936
- - C:\Windows\system32\net.exe
    NET USE P: \\192.168.1.206\privacy /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:340
- - C:\Windows\system32\net.exe
    NET USE R: \\192.168.1.206\è╟ù¥òö /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1556
- - C:\Windows\system32\net.exe
    NET USE S: \\192.168.1.206\îoù¥Ä║ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:692
- - C:\Windows\system32\net.exe
    NET USE T: \\192.168.1.206\É}ÅæÄ║ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:900
- - C:\Windows\system32\net.exe
    NET USE U: \\192.168.1.206\ôîï₧ò█êτÉΩûσèwìZ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1800
- - C:\Windows\system32\net.exe
    NET USE V: \\192.168.1.206\É╣ÉSèwëÇùcÆtëÇ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:540
- - C:\Windows\system32\net.exe
    NET USE W: \\192.168.1.206\âTâôâüEâZâVâèâA /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1744
- - C:\Windows\system32\net.exe
    NET USE X: \\192.168.1.206\Åεò±âVâXâeâÇÄ║$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1868
- - C:\Windows\system32\net.exe
    NET USE Y: \\192.168.1.206\è╟ù¥òöÄûû▒Æ╖$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:988
- - C:\Windows\system32\net.exe
    NET USE Z: \\192.168.1.206\NAS-backup$ /PERSISTENT:YES
    3⤵
    PID:1084
- - C:\Windows\system32\net.exe
    NET USE L: \\192.168.1.206\ï│û▒òöò¢ìZÆ╖$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:564
- - C:\Windows\system32\net.exe
    NET USE M: \\192.168.1.206\âLâââèâAâZâôâü[$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nDe3718\1_nas2022-NAS管理-rw.bat

Filesize
1KB

MD5
fa0c8abad733422fbf67de67dc8bb6dc

SHA1
4a486a3e07d80298da1f6329734eff156263efdc

SHA256
82bb11c0bdd19ec8eae974fb3f625aaf050549065ce41f970558f2dabbd1732c

SHA512
c5befe8e7b75f6d55a45d33e7232987e5916109f8b5cb1ac46a1118c8effca03df987da28ee4b0cc5e4a2cd104c0ef4e5ef7a3123d61a434946aded600ea6016

Download Submit
memory/1204-77-0x0000000001040000-0x0000000001058000-memory.dmp

Filesize
96KB

Download
memory/1204-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1332-78-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download