ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648

Analysis

max time kernel
7s
max time network
3s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe
Size

269KB
MD5

0070abafe25143ce2890d5e4d05af890
SHA1

a16436f4df8b6abfa070001f9c77d162643be985
SHA256

ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648
SHA512

1011038a772c4824bd699581a2c59909b95e8be47d30a3aaeb16b085ccde24c80831756e82464da794e2a8b2f209ae3f8bba06230c84e2c1a232308b4d310221
SSDEEP

6144:Vzf59Vl/6+WYjxZHhIBl+0uKUNpHTljqslPew:397hhjXyn+0wqsFew

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5088	nsxC155.tmp

Loads dropped DLL 4 IoCs

pid	Process
4784	ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe
4784	ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe
4784	ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe
4784	ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0012000000016741-138.dat	nsis_installer_1
behavioral2/files/0x0012000000016741-138.dat	nsis_installer_2
behavioral2/files/0x0012000000016741-136.dat	nsis_installer_1
behavioral2/files/0x0012000000016741-136.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 5088	4784	ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe	83
PID 4784 wrote to memory of 5088	4784	ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe	83
PID 4784 wrote to memory of 5088	4784	ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe	83

C:\Users\Admin\AppData\Local\Temp\ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe
"C:\Users\Admin\AppData\Local\Temp\ef25da5b72d585bb9e034ee7f1136af58f4217b23544ce95edb2338862a9c648.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\nsxC155.tmp
  C:\Users\Admin\AppData\Local\Temp\nsxC155.tmp /idn
  2⤵
  - Executes dropped EXE
  PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiC22E.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC22E.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC22E.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC22E.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB05C.tmp\inetc.dll

Filesize
12KB

MD5
dacd9a8c1987a7cd58c21a677701a1e2

SHA1
e57e10fce229b8c2b2af70954da917238af28c6a

SHA256
665b87924294340870f492b9d260bd6620109d9d2f1384a5200f7786d72f6ea1

SHA512
4dbbad9374b97c54b2342075d49fbe3b5071be9f06980d4557187053c83cf0d0619a42ae0c3928df6109f3c9c0852088f3bb213cb2d5e38a55e06c193df5bdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB05C.tmp\inetc.dll

Filesize
10KB

MD5
3f476d4f8b8c05d2e708f3fc92a946e6

SHA1
bb09ac8a882f9ad53c599f26d8cf028f16a0a55a

SHA256
26e4562c6eeb00847dab549b8a1a1b1487a267040a7c38d31f1c1ca58f4d033d

SHA512
8a6c3870f24e2350dfd8161d6584372f2a233c0d0590872e7f50bbccb1b483624f186bbe9f8c1b7cb69ca7da88b01f764d0ee16016ec19067416a8a908db5071

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB05C.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB05C.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC155.tmp

Filesize
210KB

MD5
3edc360a1f5025ca77009ca2e51d9935

SHA1
1ddbe2a2b41a8c6d17731e09010bdfaa04523e3d

SHA256
96ce26e966799e6d62fcdaa5a59d8cee0549fc4602b393225a5204e8f1e0ba33

SHA512
c309ceb31302dd49364481f634c6861c013d172ff24116d411790d5f0adaa57de19e720067184f3ed5328a5d5e112d7829870b2c91451afbd5003fd137905b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC155.tmp

Filesize
151KB

MD5
7240ed8f80e77040a5539e4f0a8bbe6f

SHA1
559035e6609db870806f9c046099498c6aaa0c12

SHA256
ad76b07aba73affc7043bb18ba803d7b781f2703456acf23ddb802aa2322cf55

SHA512
46cb2ded6ec695e436cf6c4fe116353b1c4cb07ff20c0de866914651ccaecfb105105a461f46b220832670f6d632a19ca4b77ce8f4e0b41291d6b524dab3e669

Download Submit