c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4.exe
Size

238KB
MD5

728c3528bbbb104cf461a1088782104f
SHA1

90bc2e920cc68a95206675c5aa7c1caae12cf86f
SHA256

c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4
SHA512

d1861f831314c8a6489c85927435fa73850ed3f5c0e728d7570f00080192b2f580c17539998e73bb74ded8415ca05383cef08d2c96d75533030cd29d6a6360c8
SSDEEP

6144:4Tq+kJAVZsP273kh7rK2zloik8a/f2eq/qe8dB1ykTLls:AD7rerK6AfPq/qeoTLls

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2012	Au_.exe

Loads dropped DLL 7 IoCs

pid	Process
1100	c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4.exe
2012	Au_.exe
2012	Au_.exe
2012	Au_.exe
2012	Au_.exe
2012	Au_.exe
2012	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000013402-55.dat	nsis_installer_1
behavioral1/files/0x0008000000013402-55.dat	nsis_installer_2
behavioral1/files/0x0008000000013402-57.dat	nsis_installer_1
behavioral1/files/0x0008000000013402-57.dat	nsis_installer_2
behavioral1/files/0x0008000000013402-59.dat	nsis_installer_1
behavioral1/files/0x0008000000013402-59.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2012	Au_.exe
2012	Au_.exe
2012	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2012	1100	c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4.exe	28
PID 1100 wrote to memory of 2012	1100	c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4.exe	28
PID 1100 wrote to memory of 2012	1100	c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4.exe	28
PID 1100 wrote to memory of 2012	1100	c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4.exe	28

C:\Users\Admin\AppData\Local\Temp\c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4.exe
"C:\Users\Admin\AppData\Local\Temp\c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
238KB

MD5
728c3528bbbb104cf461a1088782104f

SHA1
90bc2e920cc68a95206675c5aa7c1caae12cf86f

SHA256
c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4

SHA512
d1861f831314c8a6489c85927435fa73850ed3f5c0e728d7570f00080192b2f580c17539998e73bb74ded8415ca05383cef08d2c96d75533030cd29d6a6360c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
238KB

MD5
728c3528bbbb104cf461a1088782104f

SHA1
90bc2e920cc68a95206675c5aa7c1caae12cf86f

SHA256
c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4

SHA512
d1861f831314c8a6489c85927435fa73850ed3f5c0e728d7570f00080192b2f580c17539998e73bb74ded8415ca05383cef08d2c96d75533030cd29d6a6360c8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF78B.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF78B.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF78B.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF78B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF78B.tmp\dui.dll

Filesize
92KB

MD5
2c6689e9e49625b7dd61ac49bcf94562

SHA1
3b067922b42b1b8ff483d38bd27905e3dc1772db

SHA256
93f612786957bdd95a858f7c294f2d68256b6d2271c69ee96235732348b859d4

SHA512
f6e873bb8cbff566360f1731e83dd5dea5f4477442f8eba963f9475f98fef187d09eb998cc62df7927fa1237bc381b3321ebe55ea4bcca271a2a17eba3e9ac8a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF78B.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab73c0c2a23f913eabdc4cb24b75cbad

SHA1
6569d2863d54c88dcf57c843fc310f6d9571a41e

SHA256
3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457

SHA512
99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
238KB

MD5
728c3528bbbb104cf461a1088782104f

SHA1
90bc2e920cc68a95206675c5aa7c1caae12cf86f

SHA256
c574259fe782302afa44dfe99a4d36aa7089a551348ed5a9cd0cef542d0939f4

SHA512
d1861f831314c8a6489c85927435fa73850ed3f5c0e728d7570f00080192b2f580c17539998e73bb74ded8415ca05383cef08d2c96d75533030cd29d6a6360c8

Download Submit
memory/1100-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/2012-66-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download