a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19

Analysis

max time kernel
175s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 10:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19.exe
Size

4.5MB
MD5

d47a03703d67cae116ce866f299adf63
SHA1

a4f071d4903758640c17754a52a911bcdbeef355
SHA256

a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19
SHA512

09a1d2f575762ffaff8ccbbda113067b3861fa3da2702616a12c69fae2ec5488243ea761a51eb23055b99e750530397158e4fe33263a5dbbdea99fcf60fbfb7c
SSDEEP

98304:aMfZVYlgTyelug7XNc1MbkvskTBmpZvPa7murwxD0ed:aMBVRGel7S1M4TBOXa7mbxD0ed

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4396	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
1352	a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19.exe
4396	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e68-134.dat	nsis_installer_1
behavioral2/files/0x0006000000022e68-134.dat	nsis_installer_2
behavioral2/files/0x0006000000022e68-135.dat	nsis_installer_1
behavioral2/files/0x0006000000022e68-135.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4396	1352	a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19.exe	79
PID 1352 wrote to memory of 4396	1352	a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19.exe	79
PID 1352 wrote to memory of 4396	1352	a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19.exe	79

C:\Users\Admin\AppData\Local\Temp\a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19.exe
"C:\Users\Admin\AppData\Local\Temp\a1e3fb7eaf0fee723a4facbeca03800920bbeb259a8bc9e2c721c19c54545d19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\nsdF25.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdF25.tmp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdF25.tmp\D1958.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF25.tmp\setup.exe

Filesize
4.4MB

MD5
d60b2b4b8d41381af5985c3ff75882f3

SHA1
073299fdbfa92d971efbcf0a841ef94546304e74

SHA256
3ab2804e8f1a415167717837ee9e3289367a98bcf99956de667ec719e556c9d2

SHA512
2da9ec5a332306a88239e7ca2af24fa4875d1a9e2cf807183c7cd08e624977f3d2ebe563b9513e3a297f210f7ef0c04ce79dfd598ff7c7f7616ac21fcf2d6d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF25.tmp\setup.exe

Filesize
4.4MB

MD5
d60b2b4b8d41381af5985c3ff75882f3

SHA1
073299fdbfa92d971efbcf0a841ef94546304e74

SHA256
3ab2804e8f1a415167717837ee9e3289367a98bcf99956de667ec719e556c9d2

SHA512
2da9ec5a332306a88239e7ca2af24fa4875d1a9e2cf807183c7cd08e624977f3d2ebe563b9513e3a297f210f7ef0c04ce79dfd598ff7c7f7616ac21fcf2d6d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss1BE6.tmp\AccDownload.dll

Filesize
307KB

MD5
6f7d9e111a17fab195efe0bbd3a0442d

SHA1
edd85ca305b1d7944ac78bc6f32160f1e981d2d7

SHA256
4f52e34fcae2f080a6f99ebf447f210d607cb51c8461ecd631dee43386f3187d

SHA512
78f6e1cef00d3ed3457eb92c013fb3bac2ccc8531e26e763e2fc9776e662d5db1a8abf89b9d41b64dd89548577fa306e5b4423b647e213271912a61ce746daa3

Download Submit