1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe
Size

1.1MB
MD5

3cc330f516f152f60df465272c122526
SHA1

fd6c8b90f9bfe32542e64aedb72cef6aebffb57b
SHA256

1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619
SHA512

9beb4127f38a53d8c7d76870deaafcf55e7f10dff4ed0efd09db714fe401c3f275d7fb3f693225d615f0f9eed62e77d6a3b0f29eef97b18e539900322f121a3f
SSDEEP

24576:QPMG1KptHkqewTvThotKvFv450OqDxQKz8SUrFpRuvt5nt6++CW:8MG0ppkqewTvitm4iFxQy8Jq1o

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

incminfo_setup.exeincminfo_setup.tmpincminfo.exe

pid process

1944 incminfo_setup.exe
1772 incminfo_setup.tmp
980 incminfo.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1728 cmd.exe

pid	process
1944	incminfo_setup.exe
1772	incminfo_setup.tmp
980	incminfo.exe

pid	process
1728	cmd.exe

Loads dropped DLL 9 IoCs

Processes:

1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exeincminfo_setup.exeincminfo_setup.tmpincminfo.exe

pid	process
1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe
1944	incminfo_setup.exe
1944	incminfo_setup.exe
1944	incminfo_setup.exe
1772	incminfo_setup.tmp
1772	incminfo_setup.tmp
1772	incminfo_setup.tmp
980	incminfo.exe
980	incminfo.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

incminfo_setup.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\incminfo = "C:\\Program Files\\NPKI\\incminfo\\uincminfo.exe"	incminfo_setup.tmp
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	incminfo_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\incminfo = "C:\\Program Files\\NPKI\\incminfo\\uincminfo.exe"	incminfo_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	incminfo_setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

Processes:

1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exeincminfo_setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\NPKI\incminfo_setup.exe	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe
File opened for modification	C:\Program Files\NPKI\incminfo\uincminfo.exe	incminfo_setup.tmp
File created	C:\Program Files\NPKI\incminfo\is-ERTT4.tmp	incminfo_setup.tmp
File created	C:\Program Files\NPKI\incminfo\is-T0QB1.tmp	incminfo_setup.tmp
File created	C:\Program Files\NPKI\incminfo\is-5NFUR.tmp	incminfo_setup.tmp
File opened for modification	C:\Program Files\NPKI\incminfo\cincminfo.exe	incminfo_setup.tmp
File opened for modification	C:\Program Files\NPKI\incminfo\incminfo.exe	incminfo_setup.tmp
File created	C:\Program Files\NPKI\incminfo\unins000.dat	incminfo_setup.tmp
File created	C:\Program Files\NPKI\incminfo\is-69LUU.tmp	incminfo_setup.tmp
File created	C:\Program Files\NPKI\incminfo\is-30J2J.tmp	incminfo_setup.tmp
File opened for modification	C:\Program Files\NPKI\incminfo\unins000.dat	incminfo_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

incminfo_setup.tmp

pid process

1772 incminfo_setup.tmp
1772 incminfo_setup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

incminfo_setup.tmp

pid process

1772 incminfo_setup.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

incminfo.exe

pid process

980 incminfo.exe
980 incminfo.exe

pid	process
1772	incminfo_setup.tmp
1772	incminfo_setup.tmp

pid	process
1772	incminfo_setup.tmp

pid	process
980	incminfo.exe
980	incminfo.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exeincminfo_setup.exeincminfo_setup.tmp

description	pid	process	target process
PID 1112 wrote to memory of 1944	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	incminfo_setup.exe
PID 1112 wrote to memory of 1944	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	incminfo_setup.exe
PID 1112 wrote to memory of 1944	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	incminfo_setup.exe
PID 1112 wrote to memory of 1944	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	incminfo_setup.exe
PID 1112 wrote to memory of 1944	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	incminfo_setup.exe
PID 1112 wrote to memory of 1944	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	incminfo_setup.exe
PID 1112 wrote to memory of 1944	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	incminfo_setup.exe
PID 1112 wrote to memory of 1728	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	cmd.exe
PID 1112 wrote to memory of 1728	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	cmd.exe
PID 1112 wrote to memory of 1728	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	cmd.exe
PID 1112 wrote to memory of 1728	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	cmd.exe
PID 1112 wrote to memory of 1728	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	cmd.exe
PID 1112 wrote to memory of 1728	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	cmd.exe
PID 1112 wrote to memory of 1728	1112	1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe	cmd.exe
PID 1944 wrote to memory of 1772	1944	incminfo_setup.exe	incminfo_setup.tmp
PID 1944 wrote to memory of 1772	1944	incminfo_setup.exe	incminfo_setup.tmp
PID 1944 wrote to memory of 1772	1944	incminfo_setup.exe	incminfo_setup.tmp
PID 1944 wrote to memory of 1772	1944	incminfo_setup.exe	incminfo_setup.tmp
PID 1944 wrote to memory of 1772	1944	incminfo_setup.exe	incminfo_setup.tmp
PID 1944 wrote to memory of 1772	1944	incminfo_setup.exe	incminfo_setup.tmp
PID 1944 wrote to memory of 1772	1944	incminfo_setup.exe	incminfo_setup.tmp
PID 1772 wrote to memory of 980	1772	incminfo_setup.tmp	incminfo.exe
PID 1772 wrote to memory of 980	1772	incminfo_setup.tmp	incminfo.exe
PID 1772 wrote to memory of 980	1772	incminfo_setup.tmp	incminfo.exe
PID 1772 wrote to memory of 980	1772	incminfo_setup.tmp	incminfo.exe
PID 1772 wrote to memory of 980	1772	incminfo_setup.tmp	incminfo.exe
PID 1772 wrote to memory of 980	1772	incminfo_setup.tmp	incminfo.exe
PID 1772 wrote to memory of 980	1772	incminfo_setup.tmp	incminfo.exe

C:\Users\Admin\AppData\Local\Temp\1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe
"C:\Users\Admin\AppData\Local\Temp\1540c5bb99e12d0ff89494e05cd3630cdb92553d0b812ebf1c9df35f62b7a619.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1112

C:\Program Files (x86)\NPKI\incminfo_setup.exe
"C:\Program Files (x86)\NPKI\incminfo_setup.exe" /VERYSILENT
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\is-VF89M.tmp\incminfo_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VF89M.tmp\incminfo_setup.tmp" /SL5="$5011C,875218,54272,C:\Program Files (x86)\NPKI\incminfo_setup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files\NPKI\incminfo\incminfo.exe
"C:\Program Files\NPKI\incminfo\incminfo.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
2⤵
- Deletes itself
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NPKI\incminfo_setup.exe
Filesize
1.1MB

MD5
f89a29b8ab826effe56ca6f619eacb99

SHA1
02510bba9986a651117dcde5e8cb20cd4a275206

SHA256
623993bab9263b44ea6f66e719d3947efc39ea6067703e9046899f7cbae04400

SHA512
d7c922f6c1f22f3096667ce1fbd6d256fdf26a40aec8deee770e31f69cec792a7303ec5cd1b71ab80e685a60794671160dbd3f075e743abcf9f7aa9b659af39a

Download Submit
C:\Program Files (x86)\NPKI\incminfo_setup.exe
Filesize
1.1MB

MD5
f89a29b8ab826effe56ca6f619eacb99

SHA1
02510bba9986a651117dcde5e8cb20cd4a275206

SHA256
623993bab9263b44ea6f66e719d3947efc39ea6067703e9046899f7cbae04400

SHA512
d7c922f6c1f22f3096667ce1fbd6d256fdf26a40aec8deee770e31f69cec792a7303ec5cd1b71ab80e685a60794671160dbd3f075e743abcf9f7aa9b659af39a

Download Submit
C:\Program Files\NPKI\incminfo\incminfo.exe
Filesize
833KB

MD5
5be8ff067344fc9ffe9f901ff2fa4eb7

SHA1
27288ce7c2e675218988b7b45adb5ee5f04b181d

SHA256
af3da0570ea31c1061775d5fd2d9a5d63a731032f4e1de95bc782d91f7e51b00

SHA512
536eb472f162351532e9a7682b2bd18c6f13d51e9a57130223815b2a7828e3349e8a8e426eece1c8056745cd42f15b30a8d5c2cc541d9f8688613c6c79bbba76

Download Submit
C:\Program Files\NPKI\incminfo\incminfo.exe
Filesize
833KB

MD5
5be8ff067344fc9ffe9f901ff2fa4eb7

SHA1
27288ce7c2e675218988b7b45adb5ee5f04b181d

SHA256
af3da0570ea31c1061775d5fd2d9a5d63a731032f4e1de95bc782d91f7e51b00

SHA512
536eb472f162351532e9a7682b2bd18c6f13d51e9a57130223815b2a7828e3349e8a8e426eece1c8056745cd42f15b30a8d5c2cc541d9f8688613c6c79bbba76

Download Submit
C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd
Filesize
321B

MD5
a38e8e7fddab0b5b1bfd415d6e6e584f

SHA1
2977c5f66aae5593f5a497c3063563719d080133

SHA256
e40bcf6ba60e0dbc7cac5e60f42e98d4e1527bc6c4589920280bc8e546a8d2d7

SHA512
6984e99b2d1afe0092036420d46247793a14b7ce9d1ae1e48121a392bedd30adca97cf341a830ae483a5fa19d873f907c47c21e8507eaa3ca2116755a5e63d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VF89M.tmp\incminfo_setup.tmp
Filesize
692KB

MD5
702f91cfd24b0babf09e67a539341b9d

SHA1
e20612a6850f5b8c4ded2ff0d96b10fabb5a6761

SHA256
1a39c23bfb54fbb9c37a66caeac768d644b104a9a9f524670d1b6000c3301ba2

SHA512
26278b4cca1b6b32b937716898fd62248c119fa8aac1d1016c15fcdc16920677298b4c199e4471ebc0de1346b83209b2ec70b412c9246d3a18d2bcaf11fd56f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VF89M.tmp\incminfo_setup.tmp
Filesize
692KB

MD5
702f91cfd24b0babf09e67a539341b9d

SHA1
e20612a6850f5b8c4ded2ff0d96b10fabb5a6761

SHA256
1a39c23bfb54fbb9c37a66caeac768d644b104a9a9f524670d1b6000c3301ba2

SHA512
26278b4cca1b6b32b937716898fd62248c119fa8aac1d1016c15fcdc16920677298b4c199e4471ebc0de1346b83209b2ec70b412c9246d3a18d2bcaf11fd56f0

Download Submit
\Program Files (x86)\NPKI\incminfo_setup.exe
Filesize
1.1MB

MD5
f89a29b8ab826effe56ca6f619eacb99

SHA1
02510bba9986a651117dcde5e8cb20cd4a275206

SHA256
623993bab9263b44ea6f66e719d3947efc39ea6067703e9046899f7cbae04400

SHA512
d7c922f6c1f22f3096667ce1fbd6d256fdf26a40aec8deee770e31f69cec792a7303ec5cd1b71ab80e685a60794671160dbd3f075e743abcf9f7aa9b659af39a

Download Submit
\Program Files (x86)\NPKI\incminfo_setup.exe
Filesize
1.1MB

MD5
f89a29b8ab826effe56ca6f619eacb99

SHA1
02510bba9986a651117dcde5e8cb20cd4a275206

SHA256
623993bab9263b44ea6f66e719d3947efc39ea6067703e9046899f7cbae04400

SHA512
d7c922f6c1f22f3096667ce1fbd6d256fdf26a40aec8deee770e31f69cec792a7303ec5cd1b71ab80e685a60794671160dbd3f075e743abcf9f7aa9b659af39a

Download Submit
\Program Files (x86)\NPKI\incminfo_setup.exe
Filesize
1.1MB

MD5
f89a29b8ab826effe56ca6f619eacb99

SHA1
02510bba9986a651117dcde5e8cb20cd4a275206

SHA256
623993bab9263b44ea6f66e719d3947efc39ea6067703e9046899f7cbae04400

SHA512
d7c922f6c1f22f3096667ce1fbd6d256fdf26a40aec8deee770e31f69cec792a7303ec5cd1b71ab80e685a60794671160dbd3f075e743abcf9f7aa9b659af39a

Download Submit
\Program Files\NPKI\incminfo\incminfo.exe
Filesize
833KB

MD5
5be8ff067344fc9ffe9f901ff2fa4eb7

SHA1
27288ce7c2e675218988b7b45adb5ee5f04b181d

SHA256
af3da0570ea31c1061775d5fd2d9a5d63a731032f4e1de95bc782d91f7e51b00

SHA512
536eb472f162351532e9a7682b2bd18c6f13d51e9a57130223815b2a7828e3349e8a8e426eece1c8056745cd42f15b30a8d5c2cc541d9f8688613c6c79bbba76

Download Submit
\Program Files\NPKI\incminfo\incminfo.exe
Filesize
833KB

MD5
5be8ff067344fc9ffe9f901ff2fa4eb7

SHA1
27288ce7c2e675218988b7b45adb5ee5f04b181d

SHA256
af3da0570ea31c1061775d5fd2d9a5d63a731032f4e1de95bc782d91f7e51b00

SHA512
536eb472f162351532e9a7682b2bd18c6f13d51e9a57130223815b2a7828e3349e8a8e426eece1c8056745cd42f15b30a8d5c2cc541d9f8688613c6c79bbba76

Download Submit
\Program Files\NPKI\incminfo\incminfo.exe
Filesize
833KB

MD5
5be8ff067344fc9ffe9f901ff2fa4eb7

SHA1
27288ce7c2e675218988b7b45adb5ee5f04b181d

SHA256
af3da0570ea31c1061775d5fd2d9a5d63a731032f4e1de95bc782d91f7e51b00

SHA512
536eb472f162351532e9a7682b2bd18c6f13d51e9a57130223815b2a7828e3349e8a8e426eece1c8056745cd42f15b30a8d5c2cc541d9f8688613c6c79bbba76

Download Submit
\Users\Admin\AppData\Local\Temp\is-JSBMR.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JSBMR.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VF89M.tmp\incminfo_setup.tmp
Filesize
692KB

MD5
702f91cfd24b0babf09e67a539341b9d

SHA1
e20612a6850f5b8c4ded2ff0d96b10fabb5a6761

SHA256
1a39c23bfb54fbb9c37a66caeac768d644b104a9a9f524670d1b6000c3301ba2

SHA512
26278b4cca1b6b32b937716898fd62248c119fa8aac1d1016c15fcdc16920677298b4c199e4471ebc0de1346b83209b2ec70b412c9246d3a18d2bcaf11fd56f0

Download Submit
memory/980-76-0x0000000000000000-mapping.dmp

Download
memory/1112-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1728-63-0x0000000000000000-mapping.dmp

Download
memory/1772-74-0x0000000074111000-0x0000000074113000-memory.dmp

Filesize
8KB

Download
memory/1772-66-0x0000000000000000-mapping.dmp

Download
memory/1944-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1944-56-0x0000000000000000-mapping.dmp

Download
memory/1944-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1944-83-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download