Analysis

max time kernel: 257s
max time network: 337s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 00:25

Static task: static1

Behavioral task: behavioral1
Sample: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
Resource: win10v2004-20220812-en
General

Target: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
Size: 204KB
MD5: 506208625ac93839c284cbfdfd05b9fe
SHA1: 067ecb589cb5f75ee1c596cc9b1928f7bcca9f1d
SHA256: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792
SHA512: b7b8282e0f71653033fa8364335094753f9fc8aa0a118bf7147a314246195008b914f76ba6cb609764be617aef2bd0b57d7a651cea70b93ef17e11a4906d1d70
SSDEEP: 3072:+Vr+bRN2K57jQpI6d27GVV+FWl11oQB7t9X7aOQC:O+vF57jQS6dQGVVmWOQFL7aOQC
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe, nwleul.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (nwleul.exe)
Executes dropped EXE (1 IoC)
Processes: nwleul.exe
- PID 912 nwleul.exe
Loads dropped DLL (2 IoCs)
Processes: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
- PID 540 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
- PID 540 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
Adds Run key to start application (2 TTPs, 29 IoCs)
Processes: nwleul.exe, 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /c" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /w" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /o" (nwleul.exe)
- Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /t" (6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe)
- Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /t" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /y" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /h" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /g" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /i" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /u" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /s" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /x" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /j" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /n" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /l" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /d" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /q" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /b" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /v" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /m" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /e" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /p" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /a" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /z" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /f" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /k" (nwleul.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /r" (nwleul.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the heuristic fires on any drive enumeration; nothing else in this report (no bulk file writes, no ransom note, only the single dropped nwleul.exe) supports a ransomware verdict on its own.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe, nwleul.exe
- PID 540 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe (1 occurrence)
- PID 912 nwleul.exe (63 occurrences)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe, nwleul.exe
- PID 540 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
- PID 912 nwleul.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
- PID 540 (6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe) wrote to memory of PID 912 (nwleul.exe), recorded 4 times
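A small parser for the flattened registry records in the signatures above, added here as an example and not part of the sandbox report. It reads lines in the report's own `Set value (type) <key> = "<data>" <process>` form, flags writes to the per-user Run key (rated high when the target lives under a user-writable directory such as C:\Users\...) and ShowSuperHidden being set to 0, and counts how many distinct command lines were written to each Run value; on this report that shows the one `nwleul` value being rewritten with a different single-letter switch each time. The sample input reproduces four records from the report plus one constructed "Updater" control line that is not in the report; the severity labels and the user-writable path list are the author's own choices. The SID in the key path belongs to the sandbox user, so the match is on the key suffix, not on the SID.

```python
"""Parse flattened registry IoC records from a sandbox report and flag
Run-key persistence and ShowSuperHidden tampering. Added example, not
the sandbox's own tooling."""
import re
from collections import defaultdict

# Constructed sample input. The first five lines reproduce records from the
# report above; the final "Updater" line is made up to exercise the low-severity path.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /c" nwleul.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /t" 6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwleul = "C:\\Users\\Admin\\nwleul.exe /w" nwleul.exe
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ nwleul.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Vendor\\updater.exe" setup.exe
"""

# One "Set value" record: type, full key path (no spaces), quoted data, writing process.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
# Match on the key suffix so the hive/SID prefix does not matter.
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.I
)
SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# Assumed list of locations an unprivileged user can write to (author's choice).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "%appdata%", "%localappdata%", "%temp%")


def parse_set_value(line):
    """Return a dict for a 'Set value' record, or None for any other line."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["data"] = ev["data"].replace("\\\\", "\\")  # undo the report's doubled backslashes
    return ev


def classify(ev):
    """Return (severity, description) for an interesting event, else None."""
    run = RUN_VALUE_RE.search(ev["path"])
    if run:
        in_user_dir = any(tok in ev["data"].lower() for tok in USER_WRITABLE)
        severity = "high" if in_user_dir else "info"
        return severity, f"run-key persistence: {run.group('name')} -> {ev['data']} (by {ev['proc']})"
    if SUPER_HIDDEN_RE.search(ev["path"]) and ev["data"] == "0":
        return "medium", f"hides protected OS files (ShowSuperHidden=0) by {ev['proc']}"
    return None


def analyse(text):
    """Classify every 'Set value' line and tally Run-value rewrites per value name."""
    findings = []
    variants = defaultdict(set)  # Run value name -> distinct command lines written
    writers = defaultdict(set)   # Run value name -> processes that wrote it
    for line in text.splitlines():
        ev = parse_set_value(line)
        if ev is None:
            continue  # blank lines and "Key created" records are not needed here
        hit = classify(ev)
        if hit is None:
            continue
        findings.append(hit)
        run = RUN_VALUE_RE.search(ev["path"])
        if run:
            variants[run.group("name")].add(ev["data"])
            writers[run.group("name")].add(ev["proc"])
    return {
        "findings": findings,
        "variants": {k: sorted(v) for k, v in variants.items()},
        "writers": {k: sorted(v) for k, v in writers.items()},
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for severity, msg in result["findings"]:
        print(f"[{severity}] {msg}")
    for name, cmds in result["variants"].items():
        print(f"Run value {name!r} written with {len(cmds)} distinct command line(s) by {result['writers'][name]}")
```

Feed it the full 29-entry list from the report and `variants["nwleul"]` grows to the 26 single-letter switches; the `writers` map also shows that both the submitted sample and the dropped copy wrote the same value, which is the hand-off from parent to child that the WriteProcessMemory entries above record from the other side.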
Processes

1. C:\Users\Admin\AppData\Local\Temp\6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe"
   PID: 540
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\nwleul.exe (child of PID 540)
      Command line: "C:\Users\Admin\nwleul.exe"
      PID: 912
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\nwleul.exe
Filesize: 204KB
MD5: 8563625f9e22bb093789198b0fa04d53
SHA1: 1a0574acc6063ac2b0675f6e1cf2bbe92a40534b
SHA256: a29014cbdbed21034616ffcad9f202433076be11bc6fa7a31fdfbbbcbf1c2500
SHA512: ef169894c893c6f96e9d438696cd017d41901c89f6b59e93f671153176d98d385ed0a2ca9744a9883e1013003e198f932199b9707a63beedc6d8c2eceab0b245

\Users\Admin\nwleul.exe
Filesize: 204KB
MD5: 8563625f9e22bb093789198b0fa04d53
SHA1: 1a0574acc6063ac2b0675f6e1cf2bbe92a40534b
SHA256: a29014cbdbed21034616ffcad9f202433076be11bc6fa7a31fdfbbbcbf1c2500
SHA512: ef169894c893c6f96e9d438696cd017d41901c89f6b59e93f671153176d98d385ed0a2ca9744a9883e1013003e198f932199b9707a63beedc6d8c2eceab0b245

Note that the dropped nwleul.exe has the same 204KB size as the submitted sample but different MD5/SHA1/SHA256 values, so it is not a byte-for-byte copy; hunting on the parent's hashes alone will not find the persisted copy. Use the dropped file's hashes (or the Run-key value and the C:\Users\<user>\nwleul.exe path) for that.

memory/540-56-0x0000000075C11000-0x0000000075C13000-memory.dmp
Filesize: 8KB

memory/912-59-0x0000000000000000-mapping.dmp