268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537

Analysis

max time kernel
46s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 21:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe
Size

181KB
MD5

80120559b647ec4b184b8a63e166fe50
SHA1

c7542cbefc19644f920e699e156fed3632a4b773
SHA256

268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537
SHA512

a8ef9c39f6641df9426be439ba803b97bec2b811461c2f137881c65abc56d1bebb41016f36dc94821eccd7f97496bad34924abd8185fba565d6ac61666226035
SSDEEP

3072:+gXdZt9P6D3XJtphJ+Cgmw5ekw6dAFBd9excKkMVyD5J/lYdphpLhRfid:+e34HphJngmw5BwFFBd9exsDWdphp7qd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
580	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe
1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe
1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe
1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 580	1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe	27
PID 1308 wrote to memory of 580	1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe	27
PID 1308 wrote to memory of 580	1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe	27
PID 1308 wrote to memory of 580	1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe	27
PID 1308 wrote to memory of 580	1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe	27
PID 1308 wrote to memory of 580	1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe	27
PID 1308 wrote to memory of 580	1308	268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe	27

C:\Users\Admin\AppData\Local\Temp\268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe
"C:\Users\Admin\AppData\Local\Temp\268caa1686d7ed9864888d177482354b2ae56acc625633d5ad46ef32c3b8a537.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\nst550.tmp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\nst550.tmp\setup.exe
  2⤵
  - Executes dropped EXE
  PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst550.tmp\setup.exe

Filesize
96KB

MD5
2335fe0014cd260e6b18a28df1a1c027

SHA1
c674415abda5832fcc0a13d656efad9bcc605c42

SHA256
200060528c73be76d1a29518ea42cf21a95d3f65af7182dd06b97ee92ff5e312

SHA512
26babb5d306cfda335a19a106f6d72b368baba946c7aaeeab7e6665288a82fa432ebb16548859cf35548a405552b6b1859777e3fe8cdc8fcbd73202455234ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst550.tmp\setup.exe

Filesize
96KB

MD5
2335fe0014cd260e6b18a28df1a1c027

SHA1
c674415abda5832fcc0a13d656efad9bcc605c42

SHA256
200060528c73be76d1a29518ea42cf21a95d3f65af7182dd06b97ee92ff5e312

SHA512
26babb5d306cfda335a19a106f6d72b368baba946c7aaeeab7e6665288a82fa432ebb16548859cf35548a405552b6b1859777e3fe8cdc8fcbd73202455234ff9

Download Submit
\Users\Admin\AppData\Local\Temp\nst550.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nst550.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nst550.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst550.tmp\setup.exe

Filesize
96KB

MD5
2335fe0014cd260e6b18a28df1a1c027

SHA1
c674415abda5832fcc0a13d656efad9bcc605c42

SHA256
200060528c73be76d1a29518ea42cf21a95d3f65af7182dd06b97ee92ff5e312

SHA512
26babb5d306cfda335a19a106f6d72b368baba946c7aaeeab7e6665288a82fa432ebb16548859cf35548a405552b6b1859777e3fe8cdc8fcbd73202455234ff9

Download Submit
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download