e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a

Analysis

max time kernel
28s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe
Size

4.5MB
MD5

a1624aa45c2444aae0fec24c845addb9
SHA1

a1b38104cb1772a65de4ac59234f5d7dec11c9f6
SHA256

e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a
SHA512

7fb7817a44c96879e7e9b32b62ba93328fc154797dde6759c32631483253917cd86c78f7232ca6460805bc3d43e8d5e0f901cd8d5422116d6f73cb2002d02be5
SSDEEP

98304:VX9cYTk5CzuqSsWXLg7t+VUW/r8iIly9zTI41KUOXbzS/BFQK3UvQ:h9dTkgzuCoL5VMi2Izk41KtvtQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1120	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe
1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe
1120	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000012741-56.dat	nsis_installer_1
behavioral1/files/0x0007000000012741-56.dat	nsis_installer_2
behavioral1/files/0x0007000000012741-58.dat	nsis_installer_1
behavioral1/files/0x0007000000012741-58.dat	nsis_installer_2
behavioral1/files/0x0007000000012741-60.dat	nsis_installer_1
behavioral1/files/0x0007000000012741-60.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1120	1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe	28
PID 1452 wrote to memory of 1120	1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe	28
PID 1452 wrote to memory of 1120	1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe	28
PID 1452 wrote to memory of 1120	1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe	28
PID 1452 wrote to memory of 1120	1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe	28
PID 1452 wrote to memory of 1120	1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe	28
PID 1452 wrote to memory of 1120	1452	e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe	28

C:\Users\Admin\AppData\Local\Temp\e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe
"C:\Users\Admin\AppData\Local\Temp\e6291fdf2c06637fdf2c6932c9a411aa051eebf34bb3475264052872c1d0b79a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\nsd7735.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd7735.tmp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd7735.tmp\setup.exe

Filesize
4.4MB

MD5
4e174c473bf477b8d3eaed69769ec25a

SHA1
4c0812011bc148ca01f0b38d1e261e586fe60465

SHA256
87f9537dcdd6b497501dff5fced240757e7ac13e218e48f1b965e03a6096cc02

SHA512
dcce1e0262b0308ee0daf8d28da00501a75f0a28386c3ecba18b39e1212dd48e3523b622b82555b56e391aef8428ec9cc1a842e0d048e5e58a5f4e0a8d23cce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7735.tmp\setup.exe

Filesize
4.4MB

MD5
4e174c473bf477b8d3eaed69769ec25a

SHA1
4c0812011bc148ca01f0b38d1e261e586fe60465

SHA256
87f9537dcdd6b497501dff5fced240757e7ac13e218e48f1b965e03a6096cc02

SHA512
dcce1e0262b0308ee0daf8d28da00501a75f0a28386c3ecba18b39e1212dd48e3523b622b82555b56e391aef8428ec9cc1a842e0d048e5e58a5f4e0a8d23cce7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7735.tmp\D1958.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7735.tmp\setup.exe

Filesize
4.4MB

MD5
4e174c473bf477b8d3eaed69769ec25a

SHA1
4c0812011bc148ca01f0b38d1e261e586fe60465

SHA256
87f9537dcdd6b497501dff5fced240757e7ac13e218e48f1b965e03a6096cc02

SHA512
dcce1e0262b0308ee0daf8d28da00501a75f0a28386c3ecba18b39e1212dd48e3523b622b82555b56e391aef8428ec9cc1a842e0d048e5e58a5f4e0a8d23cce7

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD443.tmp\AccDownload.dll

Filesize
304KB

MD5
8683e0490479293e0dd1faf2cf2e88d7

SHA1
e13074fafa0fa0dd11901dc7dade927b400c9ff4

SHA256
473ba72b9b6c205b898ad9881e71ef96f45297a4e3b4eed91210de43fee996bc

SHA512
263f22f83058c5368d151c03e86febcd087cb4f991925f9728c6b4d87215a682a52bc7f160336125808bcbe535e70987f0bd3f6a9307603a2eeadb90afcc60f4

Download Submit
memory/1452-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download