539c781a9e93f8e4303f6c1b1a5f785fa2749e0e085127d0082d0535d09693d9

Analysis

max time kernel
131s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

539c781a9e93f8e4303f6c1b1a5f785fa2749e0e085127d0082d0535d09693d9.exe
Size

6.3MB
MD5

2424db09e8f51bdad3eee4ed308862dc
SHA1

6d3829eb0677933728348d2840d265b54540f984
SHA256

539c781a9e93f8e4303f6c1b1a5f785fa2749e0e085127d0082d0535d09693d9
SHA512

5d293add4614bb616db6ca146049c16869d755761aaf7d5474c110a1ab3973e503701338fdd73caa8415612feeac46e811247d9d3b7d56f50eb8db80ec84334a
SSDEEP

196608:7a1LKb4ldf+eQS82J/gtrVipeKqZMSXnvx:77YffRJ/krTZMSXnZ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2008	539c781a9e93f8e4303f6c1b1a5f785fa2749e0e085127d0082d0535d09693d9.exe
2008	539c781a9e93f8e4303f6c1b1a5f785fa2749e0e085127d0082d0535d09693d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2008	539c781a9e93f8e4303f6c1b1a5f785fa2749e0e085127d0082d0535d09693d9.exe

C:\Users\Admin\AppData\Local\Temp\539c781a9e93f8e4303f6c1b1a5f785fa2749e0e085127d0082d0535d09693d9.exe
"C:\Users\Admin\AppData\Local\Temp\539c781a9e93f8e4303f6c1b1a5f785fa2749e0e085127d0082d0535d09693d9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoA797.tmp\DLLChangeRegKeyPath.dll

Filesize
28KB

MD5
0ce0c172c39b92e1ae256147effd7f89

SHA1
e5e00ec12249c650d043e1dd4d44802300007581

SHA256
9c8400bd7db4154381eabb54be705a0b890a4108ca3cef8457a8f035e441cfb0

SHA512
ffb14caa72436a702bd294f275fbd8359d0b5665313a77d6889d0ec6dba72afab869f7e5e004d9a78d25a7fb5889cc68f0aadfaf74b97016532acee80109de01

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA797.tmp\InstallOptions.dll

Filesize
12KB

MD5
07f3b3445f66e1089567796bf3c8be78

SHA1
851eb574c1067b23a654f8aa47b17ef599b24d1c

SHA256
a505e6c537a5ce0166227dda9f7671605395592ac9f1a3764e8a01b713939db1

SHA512
8c56308fff3a947b26fd0d98dbdd96c406ddf967f5d7abee8cba082b6c46a4e575094bb0bb981551ac5160bb5089cf6fb125dd17a659c427e28c07402adab1c3

Download Submit
memory/2008-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download