886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889

Analysis

max time kernel
42s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
Size

111KB
MD5

3666894a80d155083bbe8053ddb555e6
SHA1

3bd4f447b0c895485e637cf0337c2e8a8006e3e9
SHA256

886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889
SHA512

9fc482ec862828ef469219b993de36c500e17e3afb71be2293700b0e68d94b28a24e7faacb6075063fedef258c0db97d95a7d94218b17042736ab02c3cba2f2f
SSDEEP

3072:GDQkrZoosbIfXJhE89JzazN854blzdGcJ2i:GDpoeU8r086GcJ2i

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

1552 setup.exe

pid	process
1552	setup.exe

Loads dropped DLL 2 IoCs

Processes:

886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe

pid	process
1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe

description	pid	process	target process
PID 1516 wrote to memory of 1552	1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe
PID 1516 wrote to memory of 1552	1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe
PID 1516 wrote to memory of 1552	1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe
PID 1516 wrote to memory of 1552	1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe
PID 1516 wrote to memory of 1552	1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe
PID 1516 wrote to memory of 1552	1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe
PID 1516 wrote to memory of 1552	1516	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
"C:\Users\Admin\AppData\Local\Temp\886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe"
2⤵
- Executes dropped EXE
PID:1552

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe
Filesize
70KB

MD5
7a017ce7bf021cb328469cb9ef62199b

SHA1
dbb586958027d20852e28ac311c0789307e17b45

SHA256
b9918cd12f1438ecc3ca3e7e4d4f8e323a4988c3295c5f0c67a62a10478a8f40

SHA512
8a88b453791aa5ea418de5aefd89b3c4c6880053ee6e187028c641f12fbf3fae58a12dc0eaaf1afba6df07e6f49f8d650fa02598899859d3a2206bdb6b787c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe
Filesize
70KB

MD5
7a017ce7bf021cb328469cb9ef62199b

SHA1
dbb586958027d20852e28ac311c0789307e17b45

SHA256
b9918cd12f1438ecc3ca3e7e4d4f8e323a4988c3295c5f0c67a62a10478a8f40

SHA512
8a88b453791aa5ea418de5aefd89b3c4c6880053ee6e187028c641f12fbf3fae58a12dc0eaaf1afba6df07e6f49f8d650fa02598899859d3a2206bdb6b787c50

Download Submit
\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\D1958.dll
Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
\Users\Admin\AppData\Local\Temp\nsd21E5.tmp\setup.exe
Filesize
70KB

MD5
7a017ce7bf021cb328469cb9ef62199b

SHA1
dbb586958027d20852e28ac311c0789307e17b45

SHA256
b9918cd12f1438ecc3ca3e7e4d4f8e323a4988c3295c5f0c67a62a10478a8f40

SHA512
8a88b453791aa5ea418de5aefd89b3c4c6880053ee6e187028c641f12fbf3fae58a12dc0eaaf1afba6df07e6f49f8d650fa02598899859d3a2206bdb6b787c50

Download Submit
memory/1516-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1552-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads