93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e

General

Target

93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe
Size

207KB
MD5

9399e7b6aaff16cb3991886f22b9ab00
SHA1

6182712304dd5de97c7a5c58fbcc4c50b377a92b
SHA256

93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e
SHA512

ee6f72309b0c7bf4cec908c9d0c2dd2d740b33e54a8820335b7f2ec6beb0c6007f32c882a8679ef0f93333f665913cfbaee0acb5c1e33c5acf129350c161011b
SSDEEP

3072:NX7DItrfaocyTgfsqQOlJlCCsqY9P1Aq7cngeFJEjOt9FhQ/Fi48AkybWAekvwc+:NsaocyLCZs13Xcnge863opWo5j3SFBb7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1616	installer.exe
1508	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Loads dropped DLL 3 IoCs

pid	Process
1404	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe
1404	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe
1404	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1508	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
1508	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1616	1404	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe	28
PID 1404 wrote to memory of 1616	1404	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe	28
PID 1404 wrote to memory of 1616	1404	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe	28
PID 1404 wrote to memory of 1616	1404	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe	28
PID 1616 wrote to memory of 1508	1616	installer.exe	30
PID 1616 wrote to memory of 1508	1616	installer.exe	30
PID 1616 wrote to memory of 1508	1616	installer.exe	30
PID 1616 wrote to memory of 1508	1616	installer.exe	30
PID 1616 wrote to memory of 1508	1616	installer.exe	30
PID 1616 wrote to memory of 1508	1616	installer.exe	30
PID 1616 wrote to memory of 1508	1616	installer.exe	30

C:\Users\Admin\AppData\Local\Temp\93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe
"C:\Users\Admin\AppData\Local\Temp\93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\nsdE987.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsdE987.tmp\installer.exe 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e5830644 /dT131762338S /t
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\nsdE987.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsdE987.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe" /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e5830644 /dT131762338S /t
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdE987.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
243KB

MD5
678d9bcf0b164946ecc4a7d422b93019

SHA1
ea0dc87b3434456f22cca5b6aa76678243ceff04

SHA256
f477294269369396f69f8f00db98661d2e1129c9b91d802af2509283a69ca062

SHA512
4fc2c36823e32af34366d217a1ccde551d79ee7a8b4ff633eb3c6b88936bcce9c5d4426f35798744184339e5c4c0709aad16a4226b60da7cf61a2d7b73f72deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE987.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
243KB

MD5
678d9bcf0b164946ecc4a7d422b93019

SHA1
ea0dc87b3434456f22cca5b6aa76678243ceff04

SHA256
f477294269369396f69f8f00db98661d2e1129c9b91d802af2509283a69ca062

SHA512
4fc2c36823e32af34366d217a1ccde551d79ee7a8b4ff633eb3c6b88936bcce9c5d4426f35798744184339e5c4c0709aad16a4226b60da7cf61a2d7b73f72deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE987.tmp\installer.exe

Filesize
174KB

MD5
9f338169d5cb0adf87025314e78be9ad

SHA1
1d4a15849706dfa24ed641bd46f95ef9f0a86751

SHA256
56cc8358d9947423db5f7c141091c3f3d42c3e78de1a39d6d559e85fae9066ff

SHA512
ece37478bd7f000aa3dbd60a22a7bca849cf7792e429d05e40766a9a4aff35979af8324348a9aba7d6c019f008b6c3d67c27a8dfcc8381c32a5d933dc556485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE987.tmp\installer.exe

Filesize
174KB

MD5
9f338169d5cb0adf87025314e78be9ad

SHA1
1d4a15849706dfa24ed641bd46f95ef9f0a86751

SHA256
56cc8358d9947423db5f7c141091c3f3d42c3e78de1a39d6d559e85fae9066ff

SHA512
ece37478bd7f000aa3dbd60a22a7bca849cf7792e429d05e40766a9a4aff35979af8324348a9aba7d6c019f008b6c3d67c27a8dfcc8381c32a5d933dc556485f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE987.tmp\installer.exe

Filesize
174KB

MD5
9f338169d5cb0adf87025314e78be9ad

SHA1
1d4a15849706dfa24ed641bd46f95ef9f0a86751

SHA256
56cc8358d9947423db5f7c141091c3f3d42c3e78de1a39d6d559e85fae9066ff

SHA512
ece37478bd7f000aa3dbd60a22a7bca849cf7792e429d05e40766a9a4aff35979af8324348a9aba7d6c019f008b6c3d67c27a8dfcc8381c32a5d933dc556485f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE987.tmp\installer.exe

Filesize
174KB

MD5
9f338169d5cb0adf87025314e78be9ad

SHA1
1d4a15849706dfa24ed641bd46f95ef9f0a86751

SHA256
56cc8358d9947423db5f7c141091c3f3d42c3e78de1a39d6d559e85fae9066ff

SHA512
ece37478bd7f000aa3dbd60a22a7bca849cf7792e429d05e40766a9a4aff35979af8324348a9aba7d6c019f008b6c3d67c27a8dfcc8381c32a5d933dc556485f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE987.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1508-71-0x0000000000789000-0x000000000079A000-memory.dmp

Filesize
68KB

Download
memory/1508-70-0x0000000073E80000-0x000000007442B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-68-0x0000000073E80000-0x000000007442B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-69-0x0000000000789000-0x000000000079A000-memory.dmp

Filesize
68KB

Download
memory/1616-62-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1616-66-0x0000000000C26000-0x0000000000C45000-memory.dmp

Filesize
124KB

Download
memory/1616-61-0x000007FEF34D0000-0x000007FEF3EF3000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing