886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889

Analysis

max time kernel
171s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 17:13

Target

886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
Size

111KB
MD5

3666894a80d155083bbe8053ddb555e6
SHA1

3bd4f447b0c895485e637cf0337c2e8a8006e3e9
SHA256

886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889
SHA512

9fc482ec862828ef469219b993de36c500e17e3afb71be2293700b0e68d94b28a24e7faacb6075063fedef258c0db97d95a7d94218b17042736ab02c3cba2f2f
SSDEEP

3072:GDQkrZoosbIfXJhE89JzazN854blzdGcJ2i:GDpoeU8r086GcJ2i

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

1560 setup.exe
Loads dropped DLL 1 IoCs

Processes:

886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe

pid process

3444 886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1560	setup.exe

pid	process
3444	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe

description	pid	process	target process
PID 3444 wrote to memory of 1560	3444	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe
PID 3444 wrote to memory of 1560	3444	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe
PID 3444 wrote to memory of 1560	3444	886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe
"C:\Users\Admin\AppData\Local\Temp\886714e96568ec5aebc7e30018e342fa3fa2360b9e01098cedccb3c61f99a889.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1560

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\D1958.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe

Filesize
70KB

MD5
7a017ce7bf021cb328469cb9ef62199b

SHA1
dbb586958027d20852e28ac311c0789307e17b45

SHA256
b9918cd12f1438ecc3ca3e7e4d4f8e323a4988c3295c5f0c67a62a10478a8f40

SHA512
8a88b453791aa5ea418de5aefd89b3c4c6880053ee6e187028c641f12fbf3fae58a12dc0eaaf1afba6df07e6f49f8d650fa02598899859d3a2206bdb6b787c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA2A.tmp\setup.exe

Filesize
70KB

MD5
7a017ce7bf021cb328469cb9ef62199b

SHA1
dbb586958027d20852e28ac311c0789307e17b45

SHA256
b9918cd12f1438ecc3ca3e7e4d4f8e323a4988c3295c5f0c67a62a10478a8f40

SHA512
8a88b453791aa5ea418de5aefd89b3c4c6880053ee6e187028c641f12fbf3fae58a12dc0eaaf1afba6df07e6f49f8d650fa02598899859d3a2206bdb6b787c50

Download Submit
memory/1560-133-0x0000000000000000-mapping.dmp

Download