813405f2ccb554b4098235b44606aa484902412788803fb4823de97f44a61a8a

Analysis

max time kernel
119s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1_nas2022-NAS管理-rw.exe
Size

81KB
MD5

6a9c1fd245ee2350ee7f1e27a36fb0ff
SHA1

4b3e3d9fb614ac6a82c689112d9f237bff06d1bd
SHA256

b45a262789e9f238dc8c00b9640db1c40b4cc08ceb365ddff53b946ff85d9dd8
SHA512

51146e59fe8c191bb9881d67b4d5551355ec5fdbdf64363daa0490ef22054d30df661f1d576754a3128946f16ad18fd0fd9f2b6243d4a6d4593ad6de8f264bed
SSDEEP

768:LRV8cOu2NOSnJLnRF8vpSOQmiqLBbBC2Kb8l9hVh2+E4AHwc/o+9IHqHYDZhYWFz:rBmOSn+MOQBqNbHKQ3hfEXN8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1_nas2022-NAS管理-rw.exe

Enumerates connected drives 3 TTPs 33 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	net.exe
File opened (read-only)	\??\Z:	net.exe
File opened (read-only)	\??\T:	net.exe
File opened (read-only)	\??\U:	net.exe
File opened (read-only)	\??\W:	net.exe
File opened (read-only)	\??\N:	net.exe
File opened (read-only)	\??\W:	net.exe
File opened (read-only)	\??\H:	net.exe
File opened (read-only)	\??\O:	net.exe
File opened (read-only)	\??\P:	net.exe
File opened (read-only)	\??\S:	net.exe
File opened (read-only)	\??\U:	net.exe
File opened (read-only)	\??\J:	net.exe
File opened (read-only)	\??\M:	net.exe
File opened (read-only)	\??\Z:	net.exe
File opened (read-only)	\??\M:	net.exe
File opened (read-only)	\??\L:	net.exe
File opened (read-only)	\??\I:	net.exe
File opened (read-only)	\??\L:	net.exe
File opened (read-only)	\??\P:	net.exe
File opened (read-only)	\??\X:	net.exe
File opened (read-only)	\??\T:	net.exe
File opened (read-only)	\??\N:	net.exe
File opened (read-only)	\??\Q:	net.exe
File opened (read-only)	\??\R:	net.exe
File opened (read-only)	\??\S:	net.exe
File opened (read-only)	\??\V:	net.exe
File opened (read-only)	\??\V:	net.exe
File opened (read-only)	\??\R:	net.exe
File opened (read-only)	\??\O:	net.exe
File opened (read-only)	\??\K:	net.exe
File opened (read-only)	\??\Y:	net.exe
File opened (read-only)	\??\X:	net.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4984	5096	1_nas2022-NAS管理-rw.exe	84
PID 5096 wrote to memory of 4984	5096	1_nas2022-NAS管理-rw.exe	84
PID 4984 wrote to memory of 4948	4984	cmd.exe	87
PID 4984 wrote to memory of 4948	4984	cmd.exe	87
PID 4984 wrote to memory of 4036	4984	cmd.exe	88
PID 4984 wrote to memory of 4036	4984	cmd.exe	88
PID 4984 wrote to memory of 3480	4984	cmd.exe	89
PID 4984 wrote to memory of 3480	4984	cmd.exe	89
PID 4984 wrote to memory of 4632	4984	cmd.exe	90
PID 4984 wrote to memory of 4632	4984	cmd.exe	90
PID 4984 wrote to memory of 3396	4984	cmd.exe	91
PID 4984 wrote to memory of 3396	4984	cmd.exe	91
PID 4984 wrote to memory of 4692	4984	cmd.exe	92
PID 4984 wrote to memory of 4692	4984	cmd.exe	92
PID 4984 wrote to memory of 4328	4984	cmd.exe	93
PID 4984 wrote to memory of 4328	4984	cmd.exe	93
PID 4984 wrote to memory of 4560	4984	cmd.exe	94
PID 4984 wrote to memory of 4560	4984	cmd.exe	94
PID 4984 wrote to memory of 4852	4984	cmd.exe	95
PID 4984 wrote to memory of 4852	4984	cmd.exe	95
PID 4984 wrote to memory of 3668	4984	cmd.exe	96
PID 4984 wrote to memory of 3668	4984	cmd.exe	96
PID 4984 wrote to memory of 1884	4984	cmd.exe	97
PID 4984 wrote to memory of 1884	4984	cmd.exe	97
PID 4984 wrote to memory of 5048	4984	cmd.exe	98
PID 4984 wrote to memory of 5048	4984	cmd.exe	98
PID 4984 wrote to memory of 4456	4984	cmd.exe	99
PID 4984 wrote to memory of 4456	4984	cmd.exe	99
PID 4984 wrote to memory of 5032	4984	cmd.exe	100
PID 4984 wrote to memory of 5032	4984	cmd.exe	100
PID 4984 wrote to memory of 1792	4984	cmd.exe	101
PID 4984 wrote to memory of 1792	4984	cmd.exe	101
PID 4984 wrote to memory of 3624	4984	cmd.exe	102
PID 4984 wrote to memory of 3624	4984	cmd.exe	102
PID 4984 wrote to memory of 5080	4984	cmd.exe	103
PID 4984 wrote to memory of 5080	4984	cmd.exe	103
PID 4984 wrote to memory of 1844	4984	cmd.exe	104
PID 4984 wrote to memory of 1844	4984	cmd.exe	104
PID 4984 wrote to memory of 972	4984	cmd.exe	106
PID 4984 wrote to memory of 972	4984	cmd.exe	106
PID 4984 wrote to memory of 3044	4984	cmd.exe	107
PID 4984 wrote to memory of 3044	4984	cmd.exe	107
PID 4984 wrote to memory of 3236	4984	cmd.exe	108
PID 4984 wrote to memory of 3236	4984	cmd.exe	108
PID 4984 wrote to memory of 4388	4984	cmd.exe	120
PID 4984 wrote to memory of 4388	4984	cmd.exe	120
PID 4984 wrote to memory of 4232	4984	cmd.exe	121
PID 4984 wrote to memory of 4232	4984	cmd.exe	121
PID 4984 wrote to memory of 1796	4984	cmd.exe	122
PID 4984 wrote to memory of 1796	4984	cmd.exe	122
PID 4984 wrote to memory of 1812	4984	cmd.exe	123
PID 4984 wrote to memory of 1812	4984	cmd.exe	123
PID 4984 wrote to memory of 3456	4984	cmd.exe	124
PID 4984 wrote to memory of 3456	4984	cmd.exe	124
PID 4984 wrote to memory of 3400	4984	cmd.exe	125
PID 4984 wrote to memory of 3400	4984	cmd.exe	125
PID 4984 wrote to memory of 3476	4984	cmd.exe	126
PID 4984 wrote to memory of 3476	4984	cmd.exe	126
PID 4984 wrote to memory of 4404	4984	cmd.exe	127
PID 4984 wrote to memory of 4404	4984	cmd.exe	127
PID 4984 wrote to memory of 1724	4984	cmd.exe	128
PID 4984 wrote to memory of 1724	4984	cmd.exe	128
PID 4984 wrote to memory of 2732	4984	cmd.exe	129
PID 4984 wrote to memory of 2732	4984	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\1_nas2022-NAS管理-rw.exe
"C:\Users\Admin\AppData\Local\Temp\1_nas2022-NAS管理-rw.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nDeC83\1_nas2022-NAS管理-rw.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\net.exe
    NET USE H: /delete
    3⤵
    - Enumerates connected drives
    PID:4948
- - C:\Windows\system32\net.exe
    NET USE I: /delete
    3⤵
    - Enumerates connected drives
    PID:4036
- - C:\Windows\system32\net.exe
    NET USE J: /delete
    3⤵
    - Enumerates connected drives
    PID:3480
- - C:\Windows\system32\net.exe
    NET USE K: /delete
    3⤵
    - Enumerates connected drives
    PID:4632
- - C:\Windows\system32\net.exe
    NET USE L: /delete
    3⤵
    - Enumerates connected drives
    PID:3396
- - C:\Windows\system32\net.exe
    NET USE M: /delete
    3⤵
    - Enumerates connected drives
    PID:4692
- - C:\Windows\system32\net.exe
    NET USE N: /delete
    3⤵
    - Enumerates connected drives
    PID:4328
- - C:\Windows\system32\net.exe
    NET USE O: /delete
    3⤵
    - Enumerates connected drives
    PID:4560
- - C:\Windows\system32\net.exe
    NET USE P: /delete
    3⤵
    - Enumerates connected drives
    PID:4852
- - C:\Windows\system32\net.exe
    NET USE Q: /delete
    3⤵
    - Enumerates connected drives
    PID:3668
- - C:\Windows\system32\net.exe
    NET USE R: /delete
    3⤵
    - Enumerates connected drives
    PID:1884
- - C:\Windows\system32\net.exe
    NET USE S: /delete
    3⤵
    - Enumerates connected drives
    PID:5048
- - C:\Windows\system32\net.exe
    NET USE T: /delete
    3⤵
    - Enumerates connected drives
    PID:4456
- - C:\Windows\system32\net.exe
    NET USE U: /delete
    3⤵
    - Enumerates connected drives
    PID:5032
- - C:\Windows\system32\net.exe
    NET USE V: /delete
    3⤵
    - Enumerates connected drives
    PID:1792
- - C:\Windows\system32\net.exe
    NET USE W: /delete
    3⤵
    - Enumerates connected drives
    PID:3624
- - C:\Windows\system32\net.exe
    NET USE X: /delete
    3⤵
    - Enumerates connected drives
    PID:5080
- - C:\Windows\system32\net.exe
    NET USE Y: /delete
    3⤵
    - Enumerates connected drives
    PID:1844
- - C:\Windows\system32\net.exe
    NET USE Z: /delete
    3⤵
    - Enumerates connected drives
    PID:972
- - C:\Windows\system32\cmdkey.exe
    cmdkey /add:192.168.1.206 /user:sgsgictsup /pass:sgictsup-rw33122060afk
    3⤵
    PID:3044
- - C:\Windows\system32\net.exe
    NET USE N: \\192.168.1.206\Drivers /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:3236
- - C:\Windows\system32\net.exe
    NET USE O: \\192.168.1.206\Information /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:4388
- - C:\Windows\system32\net.exe
    NET USE P: \\192.168.1.206\privacy /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:4232
- - C:\Windows\system32\net.exe
    NET USE R: \\192.168.1.206\è╟ù¥òö /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1796
- - C:\Windows\system32\net.exe
    NET USE S: \\192.168.1.206\îoù¥Ä║ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1812
- - C:\Windows\system32\net.exe
    NET USE T: \\192.168.1.206\É}ÅæÄ║ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:3456
- - C:\Windows\system32\net.exe
    NET USE U: \\192.168.1.206\ôîï₧ò█êτÉΩûσèwìZ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:3400
- - C:\Windows\system32\net.exe
    NET USE V: \\192.168.1.206\É╣ÉSèwëÇùcÆtëÇ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:3476
- - C:\Windows\system32\net.exe
    NET USE W: \\192.168.1.206\âTâôâüEâZâVâèâA /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:4404
- - C:\Windows\system32\net.exe
    NET USE X: \\192.168.1.206\Åεò±âVâXâeâÇÄ║$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:1724
- - C:\Windows\system32\net.exe
    NET USE Y: \\192.168.1.206\è╟ù¥òöÄûû▒Æ╖$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:2732
- - C:\Windows\system32\net.exe
    NET USE Z: \\192.168.1.206\NAS-backup$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:3672
- - C:\Windows\system32\net.exe
    NET USE L: \\192.168.1.206\ï│û▒òöò¢ìZÆ╖$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:5088
- - C:\Windows\system32\net.exe
    NET USE M: \\192.168.1.206\âLâââèâAâZâôâü[$ /PERSISTENT:YES
    3⤵
    - Enumerates connected drives
    PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nDeC83\1_nas2022-NAS管理-rw.bat

Filesize
1KB

MD5
fa0c8abad733422fbf67de67dc8bb6dc

SHA1
4a486a3e07d80298da1f6329734eff156263efdc

SHA256
82bb11c0bdd19ec8eae974fb3f625aaf050549065ce41f970558f2dabbd1732c

SHA512
c5befe8e7b75f6d55a45d33e7232987e5916109f8b5cb1ac46a1118c8effca03df987da28ee4b0cc5e4a2cd104c0ef4e5ef7a3123d61a434946aded600ea6016

Download Submit
memory/5096-132-0x00000000008C0000-0x00000000008D8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads