0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a

Analysis

max time kernel
159s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
Size

57KB
MD5

a00108069c164f31b03b92ce1429b0f0
SHA1

f1589e63fcd3a35c13bd5445a822eea36ca14a50
SHA256

0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a
SHA512

7209ad6813e5d8cf0416f51bf205694faadb3486b7e7567b23344d5e834e91fd0181123a02a22b588c9bcdd05489b6cef9bf250c8d44900817ac5fb8916ec543
SSDEEP

1536:Nxj4xoSW3p1PJgK/b2ydJa6mQzyEV2Tb5lmh/fg:njzVrPeK6ydJfFAxEC

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe

Executes dropped EXE 2 IoCs

pid	Process
1252	uninst.exe
4668	Au_.exe

Loads dropped DLL 7 IoCs

pid	Process
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\flash.scf	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\ado\myie.vbs	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
File created	C:\Program Files (x86)\Messenger\Messenger.kwq	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
File created	C:\Program Files (x86)\Messenger\taodwq.ico	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e3e-145.dat	nsis_installer_2
behavioral2/files/0x0006000000022e3e-144.dat	nsis_installer_2
behavioral2/files/0x0007000000022e3c-148.dat	nsis_installer_2
behavioral2/files/0x0007000000022e3c-147.dat	nsis_installer_2

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kwq	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kwq\ = "JSEFile"	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3512	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	81
PID 4364 wrote to memory of 3512	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	81
PID 4364 wrote to memory of 3512	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	81
PID 4364 wrote to memory of 2228	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	85
PID 4364 wrote to memory of 2228	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	85
PID 4364 wrote to memory of 2228	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	85
PID 4364 wrote to memory of 1252	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	86
PID 4364 wrote to memory of 1252	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	86
PID 4364 wrote to memory of 1252	4364	0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe	86
PID 1252 wrote to memory of 4668	1252	uninst.exe	87
PID 1252 wrote to memory of 4668	1252	uninst.exe	87
PID 1252 wrote to memory of 4668	1252	uninst.exe	87

C:\Users\Admin\AppData\Local\Temp\0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe
"C:\Users\Admin\AppData\Local\Temp\0c354e86ff6414680bf7950c746557716edc9dccdc1254e4449d727f2f612d8a.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\Common Files\System\ado\myie.vbs"
  2⤵
  PID:3512
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files (x86)\Messenger\messenger.kwq"
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\uninst.exe
  "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:4668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\ado\myie.vbs

Filesize
3KB

MD5
21626dc339a5b9b9fd192112f09c8bec

SHA1
d16cbdb26343739c802ce5726ff592a1ace1f260

SHA256
00602e5a43d451ce9defd2017bd0f90754c72bf2859691a8a4f2ebc9eda375fe

SHA512
9e8b56b5ef3dc27c5cb641b5f257e26eed707c5d1ba7862a4269a468e779019052cfcf874a80bfb665cbf1120f23c4aad9720e582168d713f414be6c6dfde8d6

Download Submit
C:\Program Files (x86)\Messenger\messenger.kwq

Filesize
8KB

MD5
7ff7e79e318c101fb5d3b18a4598b810

SHA1
8ff51858414079b8ef1586415b7224e8c3f5ba7e

SHA256
69f2125cda0e5e9c99839fce9fa61bd800a5ad4c047230d0dc63366690b98e97

SHA512
481ca28875d4b69d9f9d75f1a188c1953ec0b7e1f283ad2d9b15e57b89123825aa09632f6a795fde3bcbef384c09af7556f947f00693e6aca19b311876d29257

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE3FE.tmp\System.dll

Filesize
11KB

MD5
5d186c26b28c0dd14e6eb78a755a2d1f

SHA1
e8f50ebf398da3bfa1242149ee205a7ad9935e66

SHA256
7f05c7d2408ec4b69287bbde91d18054075a448f11ffda4ba17d696e3b2d09e7

SHA512
c3453968867ce671542a69eb9881292f6f5ccf3a009cc55728905009f450e5711b2804c8b96ec39850d105b1819ff9faec6e8f2eb8f8b8bd625fdef817c84153

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE3FE.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE3FE.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE3FE.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE3FE.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE3FE.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE3FE.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogou.ini

Filesize
126B

MD5
6d02d1b0ac9c9e9b10fa80009ad780af

SHA1
d066a5cecc58b3b17d0e0984003221d2de49ea5f

SHA256
1d5b2faf2c577267e76a13dcd383b50bc6e7c5fd2073b2864cd59beb437728c3

SHA512
6d20171cc1b8458dcda2aafddf7401671894bb4f725ff52255ffcb0cc668e7cec9961a1e3a7ab765cfe1de58b364cf5f21e97ad2c22ee6aab834cc97b592a5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
35KB

MD5
3bca01d1d86de89554000fa3c1a131cd

SHA1
c98d979fb08c9cc513bf725d61079ac984506c81

SHA256
1afa3f1a880c3e82570c02ba26db4ab1ae076f8bb192a209b01d8ad5eead3c6d

SHA512
db387184cd48b931c7ca4e50680f71005990ae2f0acbb3e7b7ed8d9639acd2a020a0b9d49af4f3c4961e71312d1f934e92dff976613269e7ac0869b744fe6c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
35KB

MD5
3bca01d1d86de89554000fa3c1a131cd

SHA1
c98d979fb08c9cc513bf725d61079ac984506c81

SHA256
1afa3f1a880c3e82570c02ba26db4ab1ae076f8bb192a209b01d8ad5eead3c6d

SHA512
db387184cd48b931c7ca4e50680f71005990ae2f0acbb3e7b7ed8d9639acd2a020a0b9d49af4f3c4961e71312d1f934e92dff976613269e7ac0869b744fe6c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
35KB

MD5
3bca01d1d86de89554000fa3c1a131cd

SHA1
c98d979fb08c9cc513bf725d61079ac984506c81

SHA256
1afa3f1a880c3e82570c02ba26db4ab1ae076f8bb192a209b01d8ad5eead3c6d

SHA512
db387184cd48b931c7ca4e50680f71005990ae2f0acbb3e7b7ed8d9639acd2a020a0b9d49af4f3c4961e71312d1f934e92dff976613269e7ac0869b744fe6c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
35KB

MD5
3bca01d1d86de89554000fa3c1a131cd

SHA1
c98d979fb08c9cc513bf725d61079ac984506c81

SHA256
1afa3f1a880c3e82570c02ba26db4ab1ae076f8bb192a209b01d8ad5eead3c6d

SHA512
db387184cd48b931c7ca4e50680f71005990ae2f0acbb3e7b7ed8d9639acd2a020a0b9d49af4f3c4961e71312d1f934e92dff976613269e7ac0869b744fe6c4f

Download Submit