d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650

Analysis

max time kernel
197s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:08

Target

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
Size

17.9MB
MD5

032df0f1f2ba47bd9309a254fbe6db4e
SHA1

fab9480bfd9d21bfb384824d2a6b2b6c14609287
SHA256

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650
SHA512

9da4762c5b3d584eaba18757e3e6b95ffa9b798ac929f6af1995f359869931f580fc6f6b776fed4215cfc8c407d3f4c2231f0c29d63b8d858ac5aba9b0ddb094
SSDEEP

393216:MnSIndpOjO2hEEvEhGGtR2pdbHuu29m5Ika2Cm+aY2mZcfHMEpTc5PfEKCoTBMw8:MSupQpvCL2pJHuf9bkJCm+asEpT2PNCT

Score

7^/10

Loads dropped DLL 3 IoCs

Processes:

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

pid	process
2680	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
2680	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
2680	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

Drops file in Program Files directory 3 IoCs

Processes:

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

description	ioc	process
File created	C:\Program Files (x86)\qq\qq.ico	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
File created	C:\Program Files (x86)\qq\qq.t	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
File created	C:\Program Files (x86)\qq\ÌÚÑ¶QQ.lnk	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

pid process

2680 d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nsy6676.tmp\BrandingURL.dll

Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6676.tmp\InstallOptions.dll

Filesize
14KB

MD5
107737e3282fefd85684f2fa3df6d1c3

SHA1
3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f

SHA256
21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0

SHA512
439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6676.tmp\InstallOptions.dll

Filesize
14KB

MD5
107737e3282fefd85684f2fa3df6d1c3

SHA1
3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f

SHA256
21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0

SHA512
439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

Download Submit
memory/2680-135-0x0000000002401000-0x0000000002403000-memory.dmp

Filesize
8KB

Download