Analysis
Max time kernel: 124s
Max time network: 50s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: 984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
  Resource: win10v2004-20221111-en
General
Target: 984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
Size: 2.0MB
MD5: 6a75ea0dbf49a4dadf2382e1a9762551
SHA1: 9ea6dc46a0a53fffd2ef04238ba9d89335f9e83d
SHA256: 984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2
SHA512: 45c240ef654a9df0c1b7d286adb9d2a4f1aa84422c87db30a700fb10d45708cfea39f2117d66c56b577019e308cc3a2b5fbb05ddc1c1bbd8c538e967898a2687
SSDEEP: 49152:OFjJQz8SII9SgBq5FHgRtrGu+7weKTUFFosE4:QjJQbugBq7Azrg8HUFFe
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1164 NCU.exe
Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1324 984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
    1164 NCU.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NCU Start = "C:\\ProgramData\\PAJGTP\\NCU.exe" (NCU.exe)
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (NCU.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
    1164 NCU.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    1164 NCU.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
    1164 NCU.exe (4 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 1324 wrote to memory of 1164: 984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe -> NCU.exe (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child process: C:\ProgramData\PAJGTP\NCU.exe
    Command line: "C:\ProgramData\PAJGTP\NCU.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Downloads
C:\ProgramData\PAJGTP\NCU.00
  Filesize: 2KB
  MD5: 3b37194e903e3fe224ce5a5dc0f72af9
  SHA1: 0129cc88149659e2668df0ccdc28f1e43b99fadd
  SHA256: 0f9ff4e5d261efb5fee2763efb421a7ec127efb534d2b1014074b5abe67dcf3b
  SHA512: 22c1344917d8e634662a33fbfdc3b46907ab00991d72abfa2ecae577d883ad72445448caecf2c5e1daf64f78981b9e47359d521c3d7ab087891b075ec1a0ea8e
C:\ProgramData\PAJGTP\NCU.01
  Filesize: 79KB
  MD5: 01e52cc38f3fe324a9e26ddb36dc89e5
  SHA1: 9fc3b353b776000a8b2716a39c43da886da58ab0
  SHA256: aa9c651f1e5cc3f89b9279361702487765895df0620775d3243c66b2ce3692ad
  SHA512: 967f38d399c52792df6c36555402fcb95527b7f502476aedee9179c22fcc5a542dbc316ece4e278bacfa4d8ba6651b83467474b1f4491b83d2148951dea204b8
C:\ProgramData\PAJGTP\NCU.exe
  Filesize: 2.3MB
  MD5: 9dd994d5ee6dd09ab083d20d6c887db9
  SHA1: d1d3df6b05ae948264adebf42e5d970f767f5761
  SHA256: f196900c719e5b7a03705f53c2c996a8e768c690e7b4959e2e4fdf41b973c20d
  SHA512: 9284058162043d36f09b3e887a1ad36c4b364fb252575173c9ccf242179501f1f3c5919ad3e03d14097c96aa4d56566039f154ea3d933e37ff559c64975658f6
\ProgramData\PAJGTP\NCU.01
  Filesize: 79KB
  MD5: 01e52cc38f3fe324a9e26ddb36dc89e5
  SHA1: 9fc3b353b776000a8b2716a39c43da886da58ab0
  SHA256: aa9c651f1e5cc3f89b9279361702487765895df0620775d3243c66b2ce3692ad
  SHA512: 967f38d399c52792df6c36555402fcb95527b7f502476aedee9179c22fcc5a542dbc316ece4e278bacfa4d8ba6651b83467474b1f4491b83d2148951dea204b8
\ProgramData\PAJGTP\NCU.exe
  Filesize: 2.3MB
  MD5: 9dd994d5ee6dd09ab083d20d6c887db9
  SHA1: d1d3df6b05ae948264adebf42e5d970f767f5761
  SHA256: f196900c719e5b7a03705f53c2c996a8e768c690e7b4959e2e4fdf41b973c20d
  SHA512: 9284058162043d36f09b3e887a1ad36c4b364fb252575173c9ccf242179501f1f3c5919ad3e03d14097c96aa4d56566039f154ea3d933e37ff559c64975658f6
memory/1164-56-0x0000000000000000-mapping.dmp
memory/1164-63-0x0000000002480000-0x0000000002499000-memory.dmp
  Filesize: 100KB
memory/1164-64-0x0000000002480000-0x0000000002499000-memory.dmp
  Filesize: 100KB
memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp
  Filesize: 8KB
memory/1324-59-0x00000000011A0000-0x000000000139A000-memory.dmp
  Filesize: 2.0MB