abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe
Size

475KB
MD5

1134681beec8f4f1cf7db958357fe51c
SHA1

5f1d4804c398158cda20bf36c555d05d7f9b6888
SHA256

abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41
SHA512

22ea02bb98c10c6940af289739f96b95d3e20d58ec886ad44a1e8a793fbe8793e975fa3f5bc342b97cd0a843c8c9a9b8f793de785d3b61318ee0d05d2ed0f394
SSDEEP

12288:QaC2UUeVHvFhjs17FEUDTTup+Ts9PJYz5jtNcB+/TRfY4:O2beVPFhm7FjDHuzJYz5jtXTBY4

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe
2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe
2064	RunDll32.exe
4896	RunDll32.exe
2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe
2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe
2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe
2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe
2064	RunDll32.exe
2064	RunDll32.exe
4896	RunDll32.exe
4896	RunDll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2064	2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe	79
PID 2564 wrote to memory of 2064	2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe	79
PID 2564 wrote to memory of 2064	2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe	79
PID 2564 wrote to memory of 4896	2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe	80
PID 2564 wrote to memory of 4896	2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe	80
PID 2564 wrote to memory of 4896	2564	abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe	80

C:\Users\Admin\AppData\Local\Temp\abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe
"C:\Users\Admin\AppData\Local\Temp\abd5371be9d6647ddb2b74f9415b55c27c37abb4652621f9ed9559dbd563ba41.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 2564,F263FFDE6D9B4863894F9A05942CBEFA,B03BA3DDA0F447CC958CBC6ADAAB1639,6E62720A2B46455A90C571D9AB168265
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 2564,2B95D4F9D4184AAF9C1523A3CF4EA75F,0D2ED138C69C490A8DD5A88AAABC2949,6E62720A2B46455A90C571D9AB168265
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\OCSetupHlp.dll

Filesize
850KB

MD5
c40e8c13dd03dd3829fdcd9a28a8633a

SHA1
d5b4d5fdd66fab9729a867e7096dbd91e21816ce

SHA256
d36861185639313f291fab94a65c12deb60c2539e50b6d2ce8b6ed77b8aae144

SHA512
b348234e03944a403f06ee6e7924e8ba493478aba850831df9ece77aabc6a1072d5cf7f20422e920f24158998e1a3bb4abc69da496029ecb6f5574845b4258b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\OCSetupHlp.dll

Filesize
850KB

MD5
c40e8c13dd03dd3829fdcd9a28a8633a

SHA1
d5b4d5fdd66fab9729a867e7096dbd91e21816ce

SHA256
d36861185639313f291fab94a65c12deb60c2539e50b6d2ce8b6ed77b8aae144

SHA512
b348234e03944a403f06ee6e7924e8ba493478aba850831df9ece77aabc6a1072d5cf7f20422e920f24158998e1a3bb4abc69da496029ecb6f5574845b4258b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\OCSetupHlp.dll

Filesize
850KB

MD5
c40e8c13dd03dd3829fdcd9a28a8633a

SHA1
d5b4d5fdd66fab9729a867e7096dbd91e21816ce

SHA256
d36861185639313f291fab94a65c12deb60c2539e50b6d2ce8b6ed77b8aae144

SHA512
b348234e03944a403f06ee6e7924e8ba493478aba850831df9ece77aabc6a1072d5cf7f20422e920f24158998e1a3bb4abc69da496029ecb6f5574845b4258b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\OCSetupHlp.dll

Filesize
850KB

MD5
c40e8c13dd03dd3829fdcd9a28a8633a

SHA1
d5b4d5fdd66fab9729a867e7096dbd91e21816ce

SHA256
d36861185639313f291fab94a65c12deb60c2539e50b6d2ce8b6ed77b8aae144

SHA512
b348234e03944a403f06ee6e7924e8ba493478aba850831df9ece77aabc6a1072d5cf7f20422e920f24158998e1a3bb4abc69da496029ecb6f5574845b4258b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\System.dll

Filesize
11KB

MD5
be2621a78a13a56cf09e00dd98488360

SHA1
75f0539dc6af200a07cdb056cddddec595c6cfd2

SHA256
852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

SHA512
b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\nsDialogs.dll

Filesize
9KB

MD5
42d9a1b3f4901cd033a9317a1ca1433c

SHA1
0507fb0257b81ab9365ab900b4274aedbfde1115

SHA256
bf01742982edb498fe9f0e4fe408eb20d1d1027df19fc2c0415bd54ab9302cfd

SHA512
bbfbdc13b0792340c3ec8c8b0ec2426c5890fc4a649eafe6bf1267d7310d27da0abd74fdc5702f849b3604fa569191250747058de84b217841ba924c2a06c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\nsDialogs.dll

Filesize
9KB

MD5
42d9a1b3f4901cd033a9317a1ca1433c

SHA1
0507fb0257b81ab9365ab900b4274aedbfde1115

SHA256
bf01742982edb498fe9f0e4fe408eb20d1d1027df19fc2c0415bd54ab9302cfd

SHA512
bbfbdc13b0792340c3ec8c8b0ec2426c5890fc4a649eafe6bf1267d7310d27da0abd74fdc5702f849b3604fa569191250747058de84b217841ba924c2a06c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\skinnedbutton.dll

Filesize
5KB

MD5
ab34d8a54627f76d11bb3a5099f266bf

SHA1
f16254263376227b4944c4e0e7694262d405a95c

SHA256
f1f408c3d9ceef9c86662cea55479147c119bc5e4aa281942f3e6907800406a9

SHA512
89d98ea1edc472825ff7a0138f7d65450c3ced986ae9c3daae62a0d836e32ff0da5935144aec9972457e52d6de6ab39a03d1d224d7167ffe9b087cd7ba43f93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm674B.tmp\skinnedbutton.dll

Filesize
5KB

MD5
ab34d8a54627f76d11bb3a5099f266bf

SHA1
f16254263376227b4944c4e0e7694262d405a95c

SHA256
f1f408c3d9ceef9c86662cea55479147c119bc5e4aa281942f3e6907800406a9

SHA512
89d98ea1edc472825ff7a0138f7d65450c3ced986ae9c3daae62a0d836e32ff0da5935144aec9972457e52d6de6ab39a03d1d224d7167ffe9b087cd7ba43f93b

Download Submit
memory/2564-143-0x0000000003191000-0x0000000003193000-memory.dmp

Filesize
8KB

Download