17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe
Size

764KB
MD5

c45e484369e6ca2c0ef71081ccf4ebcc
SHA1

0e0c088f3c21c38bd632b0e2f17f9d92380d927f
SHA256

17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432
SHA512

3f5f695ef174767fc2ed0186271c4abb13af4f96f1363ae9d932a4bb4002314f76ea6193c60e7d85ef27670298ffe7b6cdd6a8a93a91fdd00f28e52f47a3c4cc
SSDEEP

12288:u6sYsxzMehtfiAlpoEjmWIpNNtT9g7l9uf+tUnmSkb+whmM95:rpsFjrpo0mNjU4vbwn

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

984 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe

pid process

1048 17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe

pid	process
984	cmd.exe

pid	process
1048	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nisswev = "\"C:\\Users\\Admin\\AppData\\Roaming\\GissRun.exe\""	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe

description	pid	process	target process
PID 1048 wrote to memory of 984	1048	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe	cmd.exe
PID 1048 wrote to memory of 984	1048	17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe
"C:\Users\Admin\AppData\Local\Temp\17e067dabe2239adf25b6f748c2bee8e255912632033188b00b685f0142e7432.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c \DelUS.bat
2⤵
- Deletes itself
PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
264B

MD5
10cea5c9b92cdcba370ad6d2c0b99caf

SHA1
a1e74474e137983da9183a6fdd04b2d4c494d070

SHA256
934c2aacf5dc7936c216c9e728726b4f1d60c7c5d2d5701499c96c21dfdee397

SHA512
fc9fb30a761db8a2cf46bfaaa38ebe4b9b8fd12d8831c88c09f6952974df4b0e293541a83c0811cd7d12b73f0d4d54606a40be00fa0eea33d2abb1b9aeb95c1b

Download Submit
\Users\Admin\AppData\Local\Temp\nso1690.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
memory/984-56-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download