2bbe12863ab3c12de7cac3f69c9b7f28c7adeaad2d5d9ef7c5bd1fc46068ba7b

Resubmissions

20/10/2022, 22:04

221020-1y82magef2 7

20/10/2022, 21:59

221020-1wbcksgcer 7

Analysis

max time kernel
1781s
max time network
1519s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 22:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

№337740.exe
Size

621KB
MD5

80a8881b5f6a6bd0ae6cd3e49c08eca6
SHA1

22114a29bf1e141e4bd798f64265b83402508e9f
SHA256

b43facf721aac3ad817491eb7b218d943038f31b2b99977b115097ec38196c30
SHA512

db5de782d9d992e96debe59a92b13d8e105a21cfed4cec16d12d83b113c533f34ca4e75d6e256c25cdb73a514504891b6c423a001328b70f2325ef19eafd2283
SSDEEP

12288:/eS3fY22Rjv4/0k/+d9UTVQircJlWG+jbJJ7E18gWo7Ob:V3A22i8kmdYV9rcJD+jo8b

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1664	№337740.exe
1664	№337740.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Harmoniserede\Straffefanstalterne\Henlggelses\Subangled.ini	№337740.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Skraldenglers.ini	№337740.exe
File opened for modification	C:\Windows\resources\0409\Atophan\Indboets\Trimyristin.Boa	№337740.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1664	№337740.exe
Token: SeCreatePagefilePrivilege	1664	№337740.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1260	1664	№337740.exe	83
PID 1664 wrote to memory of 1260	1664	№337740.exe	83
PID 1664 wrote to memory of 1260	1664	№337740.exe	83

C:\Users\Admin\AppData\Local\Temp\№337740.exe
"C:\Users\Admin\AppData\Local\Temp\№337740.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo C:\Users\Admin\Skillemnt\Romanes\Genetableringer\proclivousness.lan
  2⤵
  PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshC0A6.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshC0A6.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
memory/1664-135-0x0000000002A20000-0x0000000002B21000-memory.dmp

Filesize
1.0MB

Download
memory/1664-136-0x0000000002A20000-0x0000000002B21000-memory.dmp

Filesize
1.0MB

Download