3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed

Analysis

max time kernel
139s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe
Size

843KB
MD5

4e6ae89c68e8108bc0c5c91406e1b2a9
SHA1

e40e48766e0fd7c9671e3ff4cf15f98d511b23fe
SHA256

3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed
SHA512

9e549017468ef56a754b6c9580ac5ba56cd552ad9893634d89b2ffad93b796bea04f24e42199e18f65a1cc95b64e2df51b44e9ed167c7020d9dde21380ebb798
SSDEEP

6144:O+npSTk6kD5l3eV9ztJwOVkPJTG5jC0NXxN0tCNLRS9KTTYQ+rheLQIiDyIexRtb:pklDX/0tCKIvYrtxzeVkF/mLR

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4180	setup.exe
604	dnusax.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dnusax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dnusax.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4180	setup.exe
4180	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 4180	1812	3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe	80
PID 1812 wrote to memory of 4180	1812	3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe	80
PID 1812 wrote to memory of 4180	1812	3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe	80
PID 1812 wrote to memory of 604	1812	3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe	81
PID 1812 wrote to memory of 604	1812	3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe	81
PID 1812 wrote to memory of 604	1812	3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe	81

C:\Users\Admin\AppData\Local\Temp\3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe
"C:\Users\Admin\AppData\Local\Temp\3bb4b67cae173c99bc04296b9f7f1cb4fa7d0d5401cef17309c141ff1dde84ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\nsu93E9.tmp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\nsu93E9.tmp\setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4180
- C:\Users\Admin\AppData\Local\Temp\nsu93E9.tmp\dnusax.exe
  C:\Users\Admin\AppData\Local\Temp\nsu93E9.tmp\dnusax.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsu93E9.tmp\dnusax.exe

Filesize
101KB

MD5
0d7b52931e7eb26ebd9feca1e2e2faa8

SHA1
6c066a28db03b5214de64a268a003e06b08602af

SHA256
a7ca37c812f2efe1ba268b0e5c6fead372a0edeeadef5200a46b6444974d3b50

SHA512
7767ee8e28acf7ad070e435f8b489b29add4bf0eeda5b6d29a278c601996053d0bf6b16fc1e5596f6d2f17c65f4078e1219bf77f584ca3664a92f0d06c95d45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu93E9.tmp\dnusax.exe

Filesize
101KB

MD5
0d7b52931e7eb26ebd9feca1e2e2faa8

SHA1
6c066a28db03b5214de64a268a003e06b08602af

SHA256
a7ca37c812f2efe1ba268b0e5c6fead372a0edeeadef5200a46b6444974d3b50

SHA512
7767ee8e28acf7ad070e435f8b489b29add4bf0eeda5b6d29a278c601996053d0bf6b16fc1e5596f6d2f17c65f4078e1219bf77f584ca3664a92f0d06c95d45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu93E9.tmp\setup.exe

Filesize
748KB

MD5
38f113954c858fd73fdc7cd510595858

SHA1
0f14502270fda8a4b91e03fed3cf281556ab6b3a

SHA256
594c320780878918b69b465d91197198915ad624170855602faeabd86154cd5c

SHA512
a467e9b8f2549852d6d05783956e84184027b2b8b90101d6671c1901e5876d07ff29cfedc4c6761c4f8c1ccc972053a0cb6acf756f4059287505bc14ab7ed579

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu93E9.tmp\setup.exe

Filesize
748KB

MD5
38f113954c858fd73fdc7cd510595858

SHA1
0f14502270fda8a4b91e03fed3cf281556ab6b3a

SHA256
594c320780878918b69b465d91197198915ad624170855602faeabd86154cd5c

SHA512
a467e9b8f2549852d6d05783956e84184027b2b8b90101d6671c1901e5876d07ff29cfedc4c6761c4f8c1ccc972053a0cb6acf756f4059287505bc14ab7ed579

Download Submit