ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80.exe
Size

493KB
MD5

c16c93632c1ca90d7b8f7291baf6b611
SHA1

883db11aadab4fb63c1cfdd8d898f8e21c4b4edb
SHA256

ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80
SHA512

ac2c07a2f3df09fd4e3b354e0a6b1bdd3e0215a5c546dffb9724c453a5a5ae39798ebc1bd55e5f5366a6173c5d1b00686eb4bc391c9e8a0e3a6c55bb9a78a7f5
SSDEEP

12288:pKY4ObiNLb1XPSAkwNuYsmiMA5/Zy3jze4Ut:wWbilb8w3smiMANKpUt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5040	Au_.exe

Loads dropped DLL 8 IoCs

pid	Process
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe
5040	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 5040	3108	ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80.exe	82
PID 3108 wrote to memory of 5040	3108	ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80.exe	82
PID 3108 wrote to memory of 5040	3108	ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80.exe	82

C:\Users\Admin\AppData\Local\Temp\ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80.exe
"C:\Users\Admin\AppData\Local\Temp\ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh72FE.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FE.tmp\System.dll

Filesize
11KB

MD5
535501f2cec26becb4c704e6c54604bd

SHA1
1227b0660de525a98d1056845d55928502d11c0e

SHA256
6887e6328885d1cb97abb9f87418ae722103f6b909cdfdc2c30f7c3493de4b88

SHA512
72c25244ae2aa875d5e845960d67439dbc7dab7d8ec5bc8ef22b1991dec02fe635535bcd7145584fbf67083b1214c2c534ad47ffd5eb7a33dc3ceef689341540

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FE.tmp\dui.dll

Filesize
94KB

MD5
6d29b9e36d1d13e16a9fa2466fe1686d

SHA1
ebbb5ba4b2d71257226f2ca9795b482889d50e89

SHA256
082b34d75267dd370523d727143bab6fe86a9b2077aecdc7740474c6bb2cbafc

SHA512
9d644ba4c17ec30fb3590326654b5e5e143b76a2727046ea29f779643db46d701f1dd123d8842cda94905341a943f26eb192f3f717b6fd3e0474edeb28939473

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FE.tmp\nsDialogs.dll

Filesize
9KB

MD5
3b564844c7922642b206911dd24ff2c9

SHA1
d96b659ba0dfe67949aa4adc2172059e2bdd114d

SHA256
bd2ae551c88f9891aafcb457dbc3e5ae14cdad1b5a5c38c87ee0dd51b2cadd1b

SHA512
ae47e95f247358166473d4d7725f71dcf50379eb8d38817cce095b4065fc999b5eef02bc7b610cb5ca09493e850532e203aa912bbcf86da41899b2be6b78c354

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FE.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FE.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FE.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FE.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
493KB

MD5
c16c93632c1ca90d7b8f7291baf6b611

SHA1
883db11aadab4fb63c1cfdd8d898f8e21c4b4edb

SHA256
ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80

SHA512
ac2c07a2f3df09fd4e3b354e0a6b1bdd3e0215a5c546dffb9724c453a5a5ae39798ebc1bd55e5f5366a6173c5d1b00686eb4bc391c9e8a0e3a6c55bb9a78a7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
493KB

MD5
c16c93632c1ca90d7b8f7291baf6b611

SHA1
883db11aadab4fb63c1cfdd8d898f8e21c4b4edb

SHA256
ff6b009919f459eb4c7e77399d5faef7fc12f42f23c96ff0454fd8ae65325b80

SHA512
ac2c07a2f3df09fd4e3b354e0a6b1bdd3e0215a5c546dffb9724c453a5a5ae39798ebc1bd55e5f5366a6173c5d1b00686eb4bc391c9e8a0e3a6c55bb9a78a7f5

Download Submit