Analysis

max time kernel: 171s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 17:13
Static task: static1

Behavioral task: behavioral1
  Sample: 886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
  Resource: win10v2004-20220812-en
General

Target: 886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
Size: 111KB
MD5: 3666894a80d155083bbe8053ddb555e6
SHA1: 3bd4f447b0c895485e637cf0337c2e8a8006e3e9
SHA256: 886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889
SHA512: 9fc482ec862828ef469219b993de36c500e17e3afb71be2293700b0e68d94b28a24e7faacb6075063fedef258c0db97d95a7d94218b17042736ab02c3cba2f2f
SSDEEP: 3072:GDQkrZoosbIfXJhE89JzazN854blzdGcJ2i:GDpoeU8r086GcJ2i
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1560  setup.exe

Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    3444  886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (4 IoCs)
  Processes:
    resource                                               yara_rule
    C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe  nsis_installer_1
    C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe  nsis_installer_2
    C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe  nsis_installer_1
    C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe  nsis_installer_2

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                          pid   process                                                                 target process
    PID 3444 wrote to memory of 1560     3444  886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe  setup.exe
    PID 3444 wrote to memory of 1560     3444  886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe  setup.exe
    PID 3444 wrote to memory of 1560     3444  886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe  setup.exe
Processes

C:\Users\Admin\AppData\Local\Temp\886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe"
  PID: 3444
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe"
    PID: 1560
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 14KB
MD5: 904beebec2790ee2ca0c90fc448ac7e0
SHA1: 40fabf1eb0a3b7168351c4514c5288216cb1566d
SHA256: f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222
SHA512: 8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Filesize: 70KB
MD5: 7a017ce7bf021cb328469cb9ef62199b
SHA1: dbb586958027d20852e28ac311c0789307e17b45
SHA256: b9918cd12f1438ecc3ca3e7e4d4f8e323a4988c3295c5f0c67a62a10478a8f40
SHA512: 8a88b453791aa5ea418de5aefd89b3c4c6880053ee6e187028c641f12fbf3fae58a12dc0eaaf1afba6df07e6f49f8d650fa02598899859d3a2206bdb6b787c50