a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96

Analysis

max time kernel
290s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
Size

1.8MB
MD5

51f26c0051e97a91145971fe5bc632ff
SHA1

770db9ad471ffd4357358bc16ff0bb6c98d71e5d
SHA256

a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96
SHA512

226f95fa022d5ef7b7d9ff560e44d5768d4d934a90a5d28e14c331778cef7e06ac25a368c6dab9bb87be9869dfe9c5ae11fa01c15cbd4b03f8511047ab363c73
SSDEEP

49152:4TJvTlo5teGg9M9sS2wtG9zxuF/Vdl0g9uU+:4TJvTlouGg9QsAtG90/VdA1

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 16 IoCs

Processes:

a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe

pid	process
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_FlashUtil.exe	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe

pid	process
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
3464	a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe

C:\Users\Admin\AppData\Local\Temp\a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
"C:\Users\Admin\AppData\Local\Temp\a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3725.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/3464-138-0x00000000031B1000-0x00000000031B3000-memory.dmp

Filesize
8KB

Download