55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab

General

Target

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
Size

30KB
MD5

f15c67d7feecac6043cbb33271b11840
SHA1

778161de13884c0af4f43a6c03d7edb5195fa54c
SHA256

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab
SHA512

8ee3960a51c1e8acb8b26afc0d1c4e57b1eb00bbbbdc46289d16459e2cb516634a8bf2d1eaf54e97d447c71440f8fd45c2690d566de8805ad6cfdea1c7da4b6a
SSDEEP

768:YF/VBs3L033MiUwjhab1gEm/O9NQ6tgM+8J:g2L03pULXm/O9NftgM+0

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

nacl.exenacl.exe

pid process

1492 nacl.exe
564 nacl.exe

pid	process
1492	nacl.exe
564	nacl.exe

Loads dropped DLL 2 IoCs

Processes:

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe

pid	process
1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exenacl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation = "\"C:\\Windows\\system32\\nacl.exe\""	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation = "\"C:\\Windows\\system32\\nacl.exe\""	nacl.exe

Drops file in System32 directory 2 IoCs

Processes:

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\nacl.exe	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
File created	C:\Windows\SysWOW64\nacl.exe	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe

Drops file in Program Files directory 2 IoCs

Processes:

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\nacl.exe	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
File opened for modification	C:\Program Files (x86)\Common Files\nacl.exe	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nacl.exenacl.exe55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	nacl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	nacl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	nacl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	nacl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exenacl.exenacl.exe

pid	process
1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
564	nacl.exe
564	nacl.exe
1492	nacl.exe
1492	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe
564	nacl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exenacl.exenacl.exe

description	pid	process
Token: SeDebugPrivilege	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
Token: SeDebugPrivilege	1492	nacl.exe
Token: SeDebugPrivilege	564	nacl.exe
Token: 33	564	nacl.exe
Token: SeIncBasePriorityPrivilege	564	nacl.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe

description	pid	process	target process
PID 1112 wrote to memory of 1492	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe	nacl.exe
PID 1112 wrote to memory of 1492	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe	nacl.exe
PID 1112 wrote to memory of 1492	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe	nacl.exe
PID 1112 wrote to memory of 1492	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe	nacl.exe
PID 1112 wrote to memory of 564	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe	nacl.exe
PID 1112 wrote to memory of 564	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe	nacl.exe
PID 1112 wrote to memory of 564	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe	nacl.exe
PID 1112 wrote to memory of 564	1112	55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe	nacl.exe

C:\Users\Admin\AppData\Local\Temp\55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe
"C:\Users\Admin\AppData\Local\Temp\55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\nacl.exe
"C:\Windows\system32\nacl.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Program Files (x86)\Common Files\nacl.exe
"C:\Program Files (x86)\Common Files\nacl.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\nacl.exe

Filesize
30KB

MD5
f15c67d7feecac6043cbb33271b11840

SHA1
778161de13884c0af4f43a6c03d7edb5195fa54c

SHA256
55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab

SHA512
8ee3960a51c1e8acb8b26afc0d1c4e57b1eb00bbbbdc46289d16459e2cb516634a8bf2d1eaf54e97d447c71440f8fd45c2690d566de8805ad6cfdea1c7da4b6a

Download Submit
C:\Program Files (x86)\Common Files\nacl.exe

Filesize
30KB

MD5
f15c67d7feecac6043cbb33271b11840

SHA1
778161de13884c0af4f43a6c03d7edb5195fa54c

SHA256
55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab

SHA512
8ee3960a51c1e8acb8b26afc0d1c4e57b1eb00bbbbdc46289d16459e2cb516634a8bf2d1eaf54e97d447c71440f8fd45c2690d566de8805ad6cfdea1c7da4b6a

Download Submit
C:\Windows\SysWOW64\nacl.exe

Filesize
30KB

MD5
f15c67d7feecac6043cbb33271b11840

SHA1
778161de13884c0af4f43a6c03d7edb5195fa54c

SHA256
55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab

SHA512
8ee3960a51c1e8acb8b26afc0d1c4e57b1eb00bbbbdc46289d16459e2cb516634a8bf2d1eaf54e97d447c71440f8fd45c2690d566de8805ad6cfdea1c7da4b6a

Download Submit
C:\Windows\SysWOW64\nacl.exe

Filesize
30KB

MD5
f15c67d7feecac6043cbb33271b11840

SHA1
778161de13884c0af4f43a6c03d7edb5195fa54c

SHA256
55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab

SHA512
8ee3960a51c1e8acb8b26afc0d1c4e57b1eb00bbbbdc46289d16459e2cb516634a8bf2d1eaf54e97d447c71440f8fd45c2690d566de8805ad6cfdea1c7da4b6a

Download Submit
\Program Files (x86)\Common Files\nacl.exe

Filesize
30KB

MD5
f15c67d7feecac6043cbb33271b11840

SHA1
778161de13884c0af4f43a6c03d7edb5195fa54c

SHA256
55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab

SHA512
8ee3960a51c1e8acb8b26afc0d1c4e57b1eb00bbbbdc46289d16459e2cb516634a8bf2d1eaf54e97d447c71440f8fd45c2690d566de8805ad6cfdea1c7da4b6a

Download Submit
\Windows\SysWOW64\nacl.exe

Filesize
30KB

MD5
f15c67d7feecac6043cbb33271b11840

SHA1
778161de13884c0af4f43a6c03d7edb5195fa54c

SHA256
55faf249c3635ef3c3d6b75f18cbe68e876b4221b45480c058f239c39d6f5fab

SHA512
8ee3960a51c1e8acb8b26afc0d1c4e57b1eb00bbbbdc46289d16459e2cb516634a8bf2d1eaf54e97d447c71440f8fd45c2690d566de8805ad6cfdea1c7da4b6a

Download Submit
memory/564-62-0x0000000000000000-mapping.dmp

Download
memory/564-68-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/564-70-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1112-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1112-55-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1112-67-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1492-57-0x0000000000000000-mapping.dmp

Download
memory/1492-66-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1492-69-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads