869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 04:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe
Size

242KB
MD5

a955e150e8cfaaa79ed496ff224299e5
SHA1

172dff8103efaf07bad7fb569785d3473f30ed01
SHA256

869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368
SHA512

d636a7f192dc477792d47aa78b5d71d816a82ef100d42324b174fe09de975d5eb5f63d001c7e18e38c0e5b492f8a8d06fe3dcf26c2ee01194e3fe0b764ae68a8
SSDEEP

6144:OTq+gcUeIxn3Zwc3wGCJcY/ptHMu9HgyIwV:iWcUeIxpwc94/p60IwV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
912	setup.exe

Loads dropped DLL 7 IoCs

pid	Process
1768	869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe
912	setup.exe
912	setup.exe
912	setup.exe
912	setup.exe
912	setup.exe
912	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x00090000000122e0-55.dat	nsis_installer_1
behavioral1/files/0x00090000000122e0-55.dat	nsis_installer_2
behavioral1/files/0x00090000000122e0-57.dat	nsis_installer_1
behavioral1/files/0x00090000000122e0-57.dat	nsis_installer_2
behavioral1/files/0x00090000000122e0-59.dat	nsis_installer_1
behavioral1/files/0x00090000000122e0-59.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1536	schtasks.exe
1748	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 912	1768	869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe	27
PID 1768 wrote to memory of 912	1768	869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe	27
PID 1768 wrote to memory of 912	1768	869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe	27
PID 1768 wrote to memory of 912	1768	869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe	27
PID 1768 wrote to memory of 912	1768	869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe	27
PID 1768 wrote to memory of 912	1768	869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe	27
PID 1768 wrote to memory of 912	1768	869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe	27
PID 912 wrote to memory of 1544	912	setup.exe	30
PID 912 wrote to memory of 1544	912	setup.exe	30
PID 912 wrote to memory of 1544	912	setup.exe	30
PID 912 wrote to memory of 1544	912	setup.exe	30
PID 912 wrote to memory of 1536	912	setup.exe	32
PID 912 wrote to memory of 1536	912	setup.exe	32
PID 912 wrote to memory of 1536	912	setup.exe	32
PID 912 wrote to memory of 1536	912	setup.exe	32
PID 912 wrote to memory of 1748	912	setup.exe	34
PID 912 wrote to memory of 1748	912	setup.exe	34
PID 912 wrote to memory of 1748	912	setup.exe	34
PID 912 wrote to memory of 1748	912	setup.exe	34

C:\Users\Admin\AppData\Local\Temp\869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe
"C:\Users\Admin\AppData\Local\Temp\869c657a03dd28a3cc6de33db019e756d28721df3dcdbd4aec488e73f126b368.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\nsyF154.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyF154.tmp\setup.exe" /S /GEN /WRP
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /End /TN "Genius"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /TN "Genius" /XML "C:\Users\Admin\AppData\Local\Temp\task5481.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1536
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /TN "Genius_Interval" /F /XML "C:\Users\Admin\AppData\Local\Temp\task5481.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyF154.tmp\setup.exe

Filesize
240KB

MD5
0ba797b8bb7c36307d0f12d1512f773e

SHA1
1d3bdf8a6b337b75de919a0b299360e8a7fb928e

SHA256
de4a5a2c0392ed88c1575e2dc4c74978ebb45e541a5204e753304db294c458c2

SHA512
be873f3aecd3e20b307d4b64875bc31a87f24f31cf0233ecf0c512b164eca46578793a60060650c8da2665df1df5e7e8485fa6fa36d733964a3c8ac768a20d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF154.tmp\setup.exe

Filesize
240KB

MD5
0ba797b8bb7c36307d0f12d1512f773e

SHA1
1d3bdf8a6b337b75de919a0b299360e8a7fb928e

SHA256
de4a5a2c0392ed88c1575e2dc4c74978ebb45e541a5204e753304db294c458c2

SHA512
be873f3aecd3e20b307d4b64875bc31a87f24f31cf0233ecf0c512b164eca46578793a60060650c8da2665df1df5e7e8485fa6fa36d733964a3c8ac768a20d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\task5481.xml

Filesize
1KB

MD5
83f1b4fad5dd451c3ff558bce02c6c92

SHA1
005fb0cd6c4701ca5f3db66ff8553b98ec61903d

SHA256
90b4356dfcec65833f39a9b03ab8cc57760f01f132ed38a353c0c2430a20b49d

SHA512
0c8837d545e86979b382126443c1e366723616b8b78f300a43cf2adcfe5ed7a9e974bf639794a0d12d9dd52ea47db1d7963aeb820169338a5d39035a59c2462b

Download Submit
C:\Users\Admin\AppData\Local\Temp\task5481.xml

Filesize
1KB

MD5
87af84b3e2504484fa9a3f78aa822d49

SHA1
b55755f0154bb3f48fcacfaae55c4635d79a96fa

SHA256
ac920a3e9447dac6757dd5c1902608d0a3c8ce47780a5d7823ac418bac0d2a31

SHA512
5ab8aa25fc140033d46e9d870d6540175ccab3cc999a93c45595eb47d81f1055f355fc4cd6604463d76a259d5a8a08db9bbf3ccab6ee29ddf1181d9a3d7ae618

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF154.tmp\setup.exe

Filesize
240KB

MD5
0ba797b8bb7c36307d0f12d1512f773e

SHA1
1d3bdf8a6b337b75de919a0b299360e8a7fb928e

SHA256
de4a5a2c0392ed88c1575e2dc4c74978ebb45e541a5204e753304db294c458c2

SHA512
be873f3aecd3e20b307d4b64875bc31a87f24f31cf0233ecf0c512b164eca46578793a60060650c8da2665df1df5e7e8485fa6fa36d733964a3c8ac768a20d7a

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF2D9.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF2D9.tmp\elar.dll

Filesize
48KB

MD5
dea47f3e055e149ed4c8660a875bd523

SHA1
751e6903e15d4de8f046caeab95aa172d4e7bfd4

SHA256
c0b49cd1a7497f0f0c4bc2ddc08a1d161b5971b2286d7de289b6921dcfec4657

SHA512
fbb2ba8673360078e014480cf063b7ea095caae1c50ba9153e789bf83f3ff6108a121c851cb3144ffd3eb7a3d4f8a40491c57f5dcf8612873eefba8a914d7886

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF2D9.tmp\inetc.dll

Filesize
25KB

MD5
29e2dcdfb57ee3ab5e2bbc2fc3c42f02

SHA1
bd6cafcce5b70ee15311f9f53e9fd4aac819ccda

SHA256
2b7a69e98ed4975fd4eade513cff17099c43b3eebe7e7641696d1d20e8e14b2f

SHA512
f71c981b3b5308566b56156462d106ebf8e49a32e55b70891f9d70338941afd347cb4df374fe38b9b3d7309f63dd75a7c80ebe02bb8941d558cd638a6f8daf7a

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF2D9.tmp\inetc.dll

Filesize
25KB

MD5
29e2dcdfb57ee3ab5e2bbc2fc3c42f02

SHA1
bd6cafcce5b70ee15311f9f53e9fd4aac819ccda

SHA256
2b7a69e98ed4975fd4eade513cff17099c43b3eebe7e7641696d1d20e8e14b2f

SHA512
f71c981b3b5308566b56156462d106ebf8e49a32e55b70891f9d70338941afd347cb4df374fe38b9b3d7309f63dd75a7c80ebe02bb8941d558cd638a6f8daf7a

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF2D9.tmp\schthlp.dll

Filesize
89KB

MD5
6185fea13045e86d7722d3480e24ce86

SHA1
dd9911deedcbd2b4221a1ba23ec345c01e3f4e49

SHA256
ff8d782fac54ba64adc8309d902a407b79c413dcd106a00d17e614309ea0f245

SHA512
4294dafe24db8a3cd3019a3e2a909211c75a5d93b93743dc9068c555c1019bc8f53b519041024bbf4a325b86726e1857b4e3b89c515be25d511d8d504a541c7c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF2D9.tmp\userid.dll

Filesize
52KB

MD5
067e9ac67923a2cad1d67b2cefa0254e

SHA1
9cb7a0e15f13b4b5cc021154640d256b99457a4d

SHA256
9715df34f2b271034c3695ff1a027c9e6cb7f7335014ac274fd28427c31f490f

SHA512
5597fdd981f5cb057280c41c57f29e359bc6bb572d583f11516f88923a3f10e92410735e9bc156be7ea79e0462b038884c7279eaaed71a5e54be72d64825e1c5

Download Submit
memory/912-63-0x0000000000B30000-0x0000000000B4A000-memory.dmp

Filesize
104KB

Download
memory/912-66-0x0000000000B50000-0x0000000000B68000-memory.dmp

Filesize
96KB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads