47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179

Analysis

max time kernel
37s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe
Size

1.8MB
MD5

93b6742c20591f034168ed011ee95ccc
SHA1

d75ca95c465842f63824430504619ebbf0e2a766
SHA256

47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179
SHA512

ce710556a54c3dc28ebabc5e37b3d1a9dacf26a8b70397b7a6f7872822264f360e7ca76b42571cca0123a03f173c8256a9edd983792e0d1bebfd4d7a7c81e95d
SSDEEP

49152:vUbqTpTbGPJWf7Pza/oy2bPTiti4p8p0mJ:HTbKO6g3bb2r85

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1900	langpack_es.exe
1600	install.exe
756	tish.exe

Loads dropped DLL 14 IoCs

pid	Process
1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe
1900	langpack_es.exe
1900	langpack_es.exe
1900	langpack_es.exe
1900	langpack_es.exe
1600	install.exe
1600	install.exe
1600	install.exe
1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe
1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe
1600	install.exe
756	tish.exe
756	tish.exe
756	tish.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	langpack_es.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	langpack_es.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1900	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	27
PID 1132 wrote to memory of 1900	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	27
PID 1132 wrote to memory of 1900	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	27
PID 1132 wrote to memory of 1900	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	27
PID 1132 wrote to memory of 1900	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	27
PID 1132 wrote to memory of 1900	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	27
PID 1132 wrote to memory of 1900	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	27
PID 1900 wrote to memory of 1600	1900	langpack_es.exe	28
PID 1900 wrote to memory of 1600	1900	langpack_es.exe	28
PID 1900 wrote to memory of 1600	1900	langpack_es.exe	28
PID 1900 wrote to memory of 1600	1900	langpack_es.exe	28
PID 1900 wrote to memory of 1600	1900	langpack_es.exe	28
PID 1900 wrote to memory of 1600	1900	langpack_es.exe	28
PID 1900 wrote to memory of 1600	1900	langpack_es.exe	28
PID 1132 wrote to memory of 756	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	29
PID 1132 wrote to memory of 756	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	29
PID 1132 wrote to memory of 756	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	29
PID 1132 wrote to memory of 756	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	29
PID 1132 wrote to memory of 756	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	29
PID 1132 wrote to memory of 756	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	29
PID 1132 wrote to memory of 756	1132	47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe	29

C:\Users\Admin\AppData\Local\Temp\47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe
"C:\Users\Admin\AppData\Local\Temp\47d7ce255f28ef8cc845d39c4723551c714a38803954bfb56426d7299e27c179.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\langpack_es.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\langpack_es.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1600
- C:\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eula.3082.txt

Filesize
8KB

MD5
7b96b4a8cb3b330e354077b5e1b60c5c

SHA1
b9ad18b0e55fd638aeeadef6121aa96dfc618cb9

SHA256
fd2f869690999876146d25d24af460998c4500712e48175b70debd3e7c536a96

SHA512
4ac95322fed3dcb330179ee3744d4c6e1e219e0e792fdc262c257f6493c6016fe5160788c9057b6dc336b56e1ce3c4d9035d75ae50ef2a02698774f68d5517b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.ini

Filesize
4KB

MD5
f807d3831e92955f2056ff35cb934db5

SHA1
257947f32dd72fb2bea2eae67d0fc2741142b33f

SHA256
4216bcdbd0352a52d110980800f7f5e2797668faed9bf49722bf75ef3344e79e

SHA512
0df7ed6a191a6c3960673b4c05d88d33400444401b5b191bb38bbd1801f86cd1292aeefeba045f61ddaa52a218c7f0936aad2a87ef0118fd4ec49962d58ee397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.3082.dll

Filesize
83KB

MD5
f9b8e83f4c80dfc49bc24577b7466f7f

SHA1
5b28f1a1f8f6a93787ef56a557ca10e3dfdef588

SHA256
d880d2b870aaece5ec50d95ecdeeacff87ab88443ff95e4aabb5b98d87ca5190

SHA512
268667efc09c6e6221129d857e5ca92bec1b56bf101f26c37966abc0753b0cb1a482cda642a32fd1fd7fb86865d5f0194f6940955bb9513fdde0a5148c5b5088

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\langpack.msi

Filesize
1.9MB

MD5
992cc49ec3ecae73f8ebc9e9315df238

SHA1
7089c818d77baf6ed03cb4c153b16cc34455ac94

SHA256
76d3f47b3fcd861619cd8b83ef1c7c835558b8f06c6bf6bb98ab50b59af93fb9

SHA512
a4bb7c0330207113fe7cf5740638c3dc6c74a52decf556377ed53f867054f125039bc778765de12f055ef2049278f7e501a190ce47fc058fa5c69e9c3e63c8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\netfx.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\langpack_es.exe

Filesize
1.8MB

MD5
05cc055fd6ab4ffa5183e5307cb31e1a

SHA1
4707de45bc268f96692011e18347b88fe15e9cc8

SHA256
a30a9b9fb07718a42c4f05eba2d278bab57593c486257abef8a7a2dadf2253db

SHA512
6eb76e891912da66d696d0077907a65d1c03eab20a292acdb74bd4b363ef715f3749299bd6d70170f9ea8da55671b00e2b0c051a9ce60de140896b9d4f88e2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\langpack_es.exe

Filesize
1.8MB

MD5
05cc055fd6ab4ffa5183e5307cb31e1a

SHA1
4707de45bc268f96692011e18347b88fe15e9cc8

SHA256
a30a9b9fb07718a42c4f05eba2d278bab57593c486257abef8a7a2dadf2253db

SHA512
6eb76e891912da66d696d0077907a65d1c03eab20a292acdb74bd4b363ef715f3749299bd6d70170f9ea8da55671b00e2b0c051a9ce60de140896b9d4f88e2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.3082.dll

Filesize
83KB

MD5
f9b8e83f4c80dfc49bc24577b7466f7f

SHA1
5b28f1a1f8f6a93787ef56a557ca10e3dfdef588

SHA256
d880d2b870aaece5ec50d95ecdeeacff87ab88443ff95e4aabb5b98d87ca5190

SHA512
268667efc09c6e6221129d857e5ca92bec1b56bf101f26c37966abc0753b0cb1a482cda642a32fd1fd7fb86865d5f0194f6940955bb9513fdde0a5148c5b5088

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\langpack_es.exe

Filesize
1.8MB

MD5
05cc055fd6ab4ffa5183e5307cb31e1a

SHA1
4707de45bc268f96692011e18347b88fe15e9cc8

SHA256
a30a9b9fb07718a42c4f05eba2d278bab57593c486257abef8a7a2dadf2253db

SHA512
6eb76e891912da66d696d0077907a65d1c03eab20a292acdb74bd4b363ef715f3749299bd6d70170f9ea8da55671b00e2b0c051a9ce60de140896b9d4f88e2ab

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\langpack_es.exe

Filesize
1.8MB

MD5
05cc055fd6ab4ffa5183e5307cb31e1a

SHA1
4707de45bc268f96692011e18347b88fe15e9cc8

SHA256
a30a9b9fb07718a42c4f05eba2d278bab57593c486257abef8a7a2dadf2253db

SHA512
6eb76e891912da66d696d0077907a65d1c03eab20a292acdb74bd4b363ef715f3749299bd6d70170f9ea8da55671b00e2b0c051a9ce60de140896b9d4f88e2ab

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\langpack_es.exe

Filesize
1.8MB

MD5
05cc055fd6ab4ffa5183e5307cb31e1a

SHA1
4707de45bc268f96692011e18347b88fe15e9cc8

SHA256
a30a9b9fb07718a42c4f05eba2d278bab57593c486257abef8a7a2dadf2253db

SHA512
6eb76e891912da66d696d0077907a65d1c03eab20a292acdb74bd4b363ef715f3749299bd6d70170f9ea8da55671b00e2b0c051a9ce60de140896b9d4f88e2ab

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\langpack_es.exe

Filesize
1.8MB

MD5
05cc055fd6ab4ffa5183e5307cb31e1a

SHA1
4707de45bc268f96692011e18347b88fe15e9cc8

SHA256
a30a9b9fb07718a42c4f05eba2d278bab57593c486257abef8a7a2dadf2253db

SHA512
6eb76e891912da66d696d0077907a65d1c03eab20a292acdb74bd4b363ef715f3749299bd6d70170f9ea8da55671b00e2b0c051a9ce60de140896b9d4f88e2ab

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4D0A.tmp\tish.exe

Filesize
7KB

MD5
28ac32071d72f7dd657adbee25b04b97

SHA1
5c23720df5939c366f34e08c56f00c5e7728261d

SHA256
f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

SHA512
02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

Download Submit
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download