42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 06:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720.exe
Size

324KB
MD5

21d12277d8b92a7c37da22ab992e0cc0
SHA1

f57b627d0ae8cb531949183070d4f1e267cc76e6
SHA256

42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720
SHA512

f7e156067e949f5b7ac9051a28cd7a58be61ed52edf28e6fee616778501791990593627a6b57bb2a6bc1d9d65fbbaa15041961cecb00a542ba552ad4253375f4
SSDEEP

6144:8e34diyxfQnXjhU0gQiVFt6xoDxU2yTb6W37nQ9yHKVMNmObYv4Ui:SojhMHVyojut3JOMN64X

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
640	nsaAEF5.tmp
1748	nsqB0DA.tmp

Loads dropped DLL 10 IoCs

pid	Process
4972	42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720.exe
4972	42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720.exe
640	nsaAEF5.tmp
640	nsaAEF5.tmp
640	nsaAEF5.tmp
640	nsaAEF5.tmp
1748	nsqB0DA.tmp
1748	nsqB0DA.tmp
1748	nsqB0DA.tmp
1748	nsqB0DA.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x0005000000022dff-135.dat	nsis_installer_2
behavioral2/files/0x0005000000022dff-136.dat	nsis_installer_2
behavioral2/files/0x0006000000022e03-141.dat	nsis_installer_1
behavioral2/files/0x0006000000022e03-141.dat	nsis_installer_2
behavioral2/files/0x0006000000022e03-143.dat	nsis_installer_1
behavioral2/files/0x0006000000022e03-143.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 640	4972	42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720.exe	82
PID 4972 wrote to memory of 640	4972	42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720.exe	82
PID 4972 wrote to memory of 640	4972	42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720.exe	82
PID 640 wrote to memory of 1748	640	nsaAEF5.tmp	83
PID 640 wrote to memory of 1748	640	nsaAEF5.tmp	83
PID 640 wrote to memory of 1748	640	nsaAEF5.tmp	83

C:\Users\Admin\AppData\Local\Temp\42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720.exe
"C:\Users\Admin\AppData\Local\Temp\42443e6772f97aff74202505e948e7114cd8417cd2267ded9c019c5119cbc720.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\nsaAEF5.tmp
  C:\Users\Admin\AppData\Local\Temp\nsaAEF5.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\nsqB0DA.tmp
    C:\Users\Admin\AppData\Local\Temp\nsqB0DA.tmp /idn
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsaAEF5.tmp

Filesize
281KB

MD5
5a4502698112ee7e715eaf6ff0f8c3e1

SHA1
532240194eed5eafb5553ca8c4cea39f6d85153a

SHA256
17db5d573e2d5388f6a8d7c144a7492bb5b5e2e32a6ad60eb9a9df9e9db1c134

SHA512
ade86bb7c4673648fb7b3384525e1099c293123f0fe64dd382ab246fadae4aa5e0012f8cd2262d6931206358e4c8b16e0ccafd844040003d4ea47bd90f930bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAEF5.tmp

Filesize
281KB

MD5
5a4502698112ee7e715eaf6ff0f8c3e1

SHA1
532240194eed5eafb5553ca8c4cea39f6d85153a

SHA256
17db5d573e2d5388f6a8d7c144a7492bb5b5e2e32a6ad60eb9a9df9e9db1c134

SHA512
ade86bb7c4673648fb7b3384525e1099c293123f0fe64dd382ab246fadae4aa5e0012f8cd2262d6931206358e4c8b16e0ccafd844040003d4ea47bd90f930bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseACF0.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseACF0.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslB01E.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslB01E.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslB01E.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslB01E.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB0DA.tmp

Filesize
223KB

MD5
3767e59486163fb8f6d38d32d41d29a4

SHA1
c1033c1b84da4cf8a33917cd44238b38b692806a

SHA256
1932d0dadcd7c4d1d81facaaf4ec154a2ec6b0e8149be61f5d0abd93866458d8

SHA512
964abe0ad8b1f22598db5814cf59177362fa00f889147bd4870626ffad9000871c0b2bf34203002679ed3820021734f96dc80813690638a454a8209ac2ffa738

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB0DA.tmp

Filesize
223KB

MD5
3767e59486163fb8f6d38d32d41d29a4

SHA1
c1033c1b84da4cf8a33917cd44238b38b692806a

SHA256
1932d0dadcd7c4d1d81facaaf4ec154a2ec6b0e8149be61f5d0abd93866458d8

SHA512
964abe0ad8b1f22598db5814cf59177362fa00f889147bd4870626ffad9000871c0b2bf34203002679ed3820021734f96dc80813690638a454a8209ac2ffa738

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB25F.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB25F.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB25F.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB25F.tmp\inetc.dll

Filesize
20KB

MD5
f02155fa3e59a8fc48a74a236b2bb42e

SHA1
6d76ee8f86fb29f3352c9546250d940f1a476fb8

SHA256
096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

SHA512
8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Download Submit