de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351

Analysis

max time kernel
168s
max time network
169s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 12:55

Target

de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe
Size

82KB
MD5

ecf20a637b33a61f4eae6dadc2b0e1f9
SHA1

55519b8bb5ee5a27f932aa268193a34a292c9d70
SHA256

de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351
SHA512

446553c8706bf5f4708134bb374f9b77d38563b92a5e02b58fdcd17ca84ebbb58c906be484e7eeab8234f8903101577f17928b1a2e498baa44bb7aeba81d0d30
SSDEEP

1536:v81yXR5WQDW4ep7HKMbwM3kPARpY1Ihce/CODuvogVMlCuvogZMlaHgvaU0V:v81yX7iRpueaOVHgvaU0V

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

nyrtuc.exe

pid process

884 nyrtuc.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

604 cmd.exe

pid	process
884	nyrtuc.exe

pid	process
604	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe

description	ioc	process
File created	C:\Windows\nyrtuc.exe	de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe
File opened for modification	C:\Windows\nyrtuc.exe	de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe

description pid process

Token: SeIncBasePriorityPrivilege 1812 de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1812	de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe

description	pid	process	target process
PID 1812 wrote to memory of 604	1812	de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe	cmd.exe
PID 1812 wrote to memory of 604	1812	de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe	cmd.exe
PID 1812 wrote to memory of 604	1812	de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe	cmd.exe
PID 1812 wrote to memory of 604	1812	de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351.exe	cmd.exe

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DE0E8A~1.EXE > nul
2⤵
- Deletes itself
PID:604

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\nyrtuc.exe

Filesize
82KB

MD5
ecf20a637b33a61f4eae6dadc2b0e1f9

SHA1
55519b8bb5ee5a27f932aa268193a34a292c9d70

SHA256
de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351

SHA512
446553c8706bf5f4708134bb374f9b77d38563b92a5e02b58fdcd17ca84ebbb58c906be484e7eeab8234f8903101577f17928b1a2e498baa44bb7aeba81d0d30

Download Submit
C:\Windows\nyrtuc.exe

Filesize
82KB

MD5
ecf20a637b33a61f4eae6dadc2b0e1f9

SHA1
55519b8bb5ee5a27f932aa268193a34a292c9d70

SHA256
de0e8aaa23a718d0207558c60b36270e900775cf8a1ecfb7e89e3a3d6fd1d351

SHA512
446553c8706bf5f4708134bb374f9b77d38563b92a5e02b58fdcd17ca84ebbb58c906be484e7eeab8234f8903101577f17928b1a2e498baa44bb7aeba81d0d30

Download Submit
memory/604-57-0x0000000000000000-mapping.dmp

Download
memory/1812-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download