fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc

Analysis

max time kernel
64s
max time network
108s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
Size

280KB
MD5

1a7c8bd548f6319aa669dab90bbeb658
SHA1

17a56dbb083a01b8bae5edc54d371232f531b53f
SHA256

fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc
SHA512

c11a5ef6e3b4c2555500a1135506139a19896180059efb8210c544cef623f512cebb8d0899bf7c39c03679e1f6d6b4ab0624647190a4b2826dbe7a57aeeb6c27
SSDEEP

6144:jsn3wPkENvH4UYpNeQUMKfDrHy8hR1yfey1rgx:83wRNfRWNH4/yeKfegrY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1888	UnRar.exe
868	setup.exe

Loads dropped DLL 7 IoCs

pid	Process
1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	468	WMIC.exe
Token: SeSecurityPrivilege	468	WMIC.exe
Token: SeTakeOwnershipPrivilege	468	WMIC.exe
Token: SeLoadDriverPrivilege	468	WMIC.exe
Token: SeSystemProfilePrivilege	468	WMIC.exe
Token: SeSystemtimePrivilege	468	WMIC.exe
Token: SeProfSingleProcessPrivilege	468	WMIC.exe
Token: SeIncBasePriorityPrivilege	468	WMIC.exe
Token: SeCreatePagefilePrivilege	468	WMIC.exe
Token: SeBackupPrivilege	468	WMIC.exe
Token: SeRestorePrivilege	468	WMIC.exe
Token: SeShutdownPrivilege	468	WMIC.exe
Token: SeDebugPrivilege	468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	468	WMIC.exe
Token: SeRemoteShutdownPrivilege	468	WMIC.exe
Token: SeUndockPrivilege	468	WMIC.exe
Token: SeManageVolumePrivilege	468	WMIC.exe
Token: 33	468	WMIC.exe
Token: 34	468	WMIC.exe
Token: 35	468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	468	WMIC.exe
Token: SeSecurityPrivilege	468	WMIC.exe
Token: SeTakeOwnershipPrivilege	468	WMIC.exe
Token: SeLoadDriverPrivilege	468	WMIC.exe
Token: SeSystemProfilePrivilege	468	WMIC.exe
Token: SeSystemtimePrivilege	468	WMIC.exe
Token: SeProfSingleProcessPrivilege	468	WMIC.exe
Token: SeIncBasePriorityPrivilege	468	WMIC.exe
Token: SeCreatePagefilePrivilege	468	WMIC.exe
Token: SeBackupPrivilege	468	WMIC.exe
Token: SeRestorePrivilege	468	WMIC.exe
Token: SeShutdownPrivilege	468	WMIC.exe
Token: SeDebugPrivilege	468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	468	WMIC.exe
Token: SeRemoteShutdownPrivilege	468	WMIC.exe
Token: SeUndockPrivilege	468	WMIC.exe
Token: SeManageVolumePrivilege	468	WMIC.exe
Token: 33	468	WMIC.exe
Token: 34	468	WMIC.exe
Token: 35	468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
868	setup.exe
868	setup.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 468	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	27
PID 1296 wrote to memory of 468	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	27
PID 1296 wrote to memory of 468	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	27
PID 1296 wrote to memory of 468	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	27
PID 1296 wrote to memory of 1564	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	30
PID 1296 wrote to memory of 1564	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	30
PID 1296 wrote to memory of 1564	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	30
PID 1296 wrote to memory of 1564	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	30
PID 1296 wrote to memory of 1360	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	32
PID 1296 wrote to memory of 1360	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	32
PID 1296 wrote to memory of 1360	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	32
PID 1296 wrote to memory of 1360	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	32
PID 1296 wrote to memory of 1388	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	34
PID 1296 wrote to memory of 1388	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	34
PID 1296 wrote to memory of 1388	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	34
PID 1296 wrote to memory of 1388	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	34
PID 1296 wrote to memory of 1888	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	36
PID 1296 wrote to memory of 1888	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	36
PID 1296 wrote to memory of 1888	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	36
PID 1296 wrote to memory of 1888	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	36
PID 1296 wrote to memory of 868	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	38
PID 1296 wrote to memory of 868	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	38
PID 1296 wrote to memory of 868	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	38
PID 1296 wrote to memory of 868	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	38
PID 1296 wrote to memory of 868	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	38
PID 1296 wrote to memory of 868	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	38
PID 1296 wrote to memory of 868	1296	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	38
PID 868 wrote to memory of 276	868	setup.exe	39
PID 868 wrote to memory of 276	868	setup.exe	39
PID 868 wrote to memory of 276	868	setup.exe	39
PID 868 wrote to memory of 276	868	setup.exe	39

C:\Users\Admin\AppData\Local\Temp\fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
"C:\Users\Admin\AppData\Local\Temp\fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:1360
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\nso1806.tmp\UnRar.exe
  UnRar.exe e -hp2014/04/11-13:04:32 {RANDOM}.rar
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\nso1806.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nso1806.tmp\setup.exe" /initurl http://sub.nuidal.info/init/fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc/:uid:? /affid "-" /id "0" /name " " /uniqid fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get serialnumber, version
    3⤵
    PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso1806.tmp\UnRAR.exe

Filesize
302KB

MD5
d76c614a5810fdfaa611ee673c6737ed

SHA1
e1b49180eab5fac73ef8bd0af5c247534d2da414

SHA256
a6c0103ab6e07349c43b46ee1da62a0d74d40288427d23fd44faba75f5e275bf

SHA512
d0fc75ef754894e8704d090ed450c1e3f7513521abcc66d2b3e1cb126af00f4b25d24af2beb0595c6911a7dba53a51d0e4c271e34860e6902db84ebb61d4eaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1806.tmp\setup.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1806.tmp\setup.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1806.tmp\{RANDOM}.rar

Filesize
85KB

MD5
af1e64a0082a3f3d49a121eaa672d157

SHA1
d5bc533bdce6480a07972963c1911c7ad2f60d89

SHA256
70b24594ff4319975749ae55396f849b19276e3a84946a98bf077645fc7faacc

SHA512
c1dca46fad03d96c5a8aa9eebca2ab2ed916a29fd67830b3b69dd4da4b1c7fe44c4216cc5d5ca8aa396941737f4644a78a3fe7df782602f0bbe851eea3b6a526

Download Submit
\Users\Admin\AppData\Local\Temp\nso1806.tmp\UnRAR.exe

Filesize
302KB

MD5
d76c614a5810fdfaa611ee673c6737ed

SHA1
e1b49180eab5fac73ef8bd0af5c247534d2da414

SHA256
a6c0103ab6e07349c43b46ee1da62a0d74d40288427d23fd44faba75f5e275bf

SHA512
d0fc75ef754894e8704d090ed450c1e3f7513521abcc66d2b3e1cb126af00f4b25d24af2beb0595c6911a7dba53a51d0e4c271e34860e6902db84ebb61d4eaed

Download Submit
\Users\Admin\AppData\Local\Temp\nso1806.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1806.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1806.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1806.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1806.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1806.tmp\setup.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
memory/1296-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download