ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 00:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe
Size

10.7MB
MD5

05dc5b665582d6f8411f39e6b74a8703
SHA1

a6588f8e37c9ddeb0374ab0e431e098350e7ee67
SHA256

ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb
SHA512

aaaeee7fef0242fd63a343e3895e9a692b784e9d7d2a85c388aa7c4503d5395e3cda3a0ce2b0ba4c9e3950d5446eeb6daf256b32d6831b9309ee898faf3ed1c0
SSDEEP

196608:HDABj/fVV1JyxupNLOt2EU1K6UNP85R0RlTGVgwaxj0qFU1G2Pfm:A/fhYoHuMarTGVgTFIG2Pf

Score

9^/10

evasion upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012768-70.dat	acprotect
behavioral1/files/0x0007000000012768-71.dat	acprotect

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Executes dropped EXE 1 IoCs

pid	Process
2028	Hvatmtuqnvmae.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012768-70.dat	upx
behavioral1/files/0x0007000000012768-71.dat	upx

Loads dropped DLL 22 IoCs

pid	Process
1292	ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe
1292	ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe
1292	ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe
1292	ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1540	2028	WerFault.exe	27

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000001231c-58.dat	nsis_installer_2
behavioral1/files/0x000800000001231c-60.dat	nsis_installer_2
behavioral1/files/0x000800000001231c-62.dat	nsis_installer_2
behavioral1/files/0x000800000001231c-78.dat	nsis_installer_2
behavioral1/files/0x000800000001231c-79.dat	nsis_installer_2
behavioral1/files/0x000800000001231c-80.dat	nsis_installer_2
behavioral1/files/0x000800000001231c-81.dat	nsis_installer_2
behavioral1/files/0x000800000001231c-83.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	Hvatmtuqnvmae.exe
2028	Hvatmtuqnvmae.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2028	1292	ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe	27
PID 1292 wrote to memory of 2028	1292	ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe	27
PID 1292 wrote to memory of 2028	1292	ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe	27
PID 1292 wrote to memory of 2028	1292	ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe	27
PID 2028 wrote to memory of 1540	2028	Hvatmtuqnvmae.exe	29
PID 2028 wrote to memory of 1540	2028	Hvatmtuqnvmae.exe	29
PID 2028 wrote to memory of 1540	2028	Hvatmtuqnvmae.exe	29
PID 2028 wrote to memory of 1540	2028	Hvatmtuqnvmae.exe	29

C:\Users\Admin\AppData\Local\Temp\ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe
"C:\Users\Admin\AppData\Local\Temp\ad91cfe18d11b51abeb4ee1c9e15729413feff0873ea46918770daee6c717abb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 568
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe

Filesize
10.6MB

MD5
feea5f7c4bd5f5d6e087986077ca7ba1

SHA1
94b959712fdda532951be12221d200f023cbec95

SHA256
96b5da19e1754e42f3843a17fa173c099708e4f9133a80e0ff3bdceabdd392eb

SHA512
d4968abcda2f17a5c75102bbd0980a7bbcf2a0370b524ca4b983362488bbaef479cd7df1f322e4dd01d5e67b0b287ce4eca6f2c21c8181cec97ff9f92a668064

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe

Filesize
10.6MB

MD5
feea5f7c4bd5f5d6e087986077ca7ba1

SHA1
94b959712fdda532951be12221d200f023cbec95

SHA256
96b5da19e1754e42f3843a17fa173c099708e4f9133a80e0ff3bdceabdd392eb

SHA512
d4968abcda2f17a5c75102bbd0980a7bbcf2a0370b524ca4b983362488bbaef479cd7df1f322e4dd01d5e67b0b287ce4eca6f2c21c8181cec97ff9f92a668064

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe

Filesize
10.6MB

MD5
feea5f7c4bd5f5d6e087986077ca7ba1

SHA1
94b959712fdda532951be12221d200f023cbec95

SHA256
96b5da19e1754e42f3843a17fa173c099708e4f9133a80e0ff3bdceabdd392eb

SHA512
d4968abcda2f17a5c75102bbd0980a7bbcf2a0370b524ca4b983362488bbaef479cd7df1f322e4dd01d5e67b0b287ce4eca6f2c21c8181cec97ff9f92a668064

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe

Filesize
10.6MB

MD5
feea5f7c4bd5f5d6e087986077ca7ba1

SHA1
94b959712fdda532951be12221d200f023cbec95

SHA256
96b5da19e1754e42f3843a17fa173c099708e4f9133a80e0ff3bdceabdd392eb

SHA512
d4968abcda2f17a5c75102bbd0980a7bbcf2a0370b524ca4b983362488bbaef479cd7df1f322e4dd01d5e67b0b287ce4eca6f2c21c8181cec97ff9f92a668064

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe

Filesize
10.6MB

MD5
feea5f7c4bd5f5d6e087986077ca7ba1

SHA1
94b959712fdda532951be12221d200f023cbec95

SHA256
96b5da19e1754e42f3843a17fa173c099708e4f9133a80e0ff3bdceabdd392eb

SHA512
d4968abcda2f17a5c75102bbd0980a7bbcf2a0370b524ca4b983362488bbaef479cd7df1f322e4dd01d5e67b0b287ce4eca6f2c21c8181cec97ff9f92a668064

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe

Filesize
10.6MB

MD5
feea5f7c4bd5f5d6e087986077ca7ba1

SHA1
94b959712fdda532951be12221d200f023cbec95

SHA256
96b5da19e1754e42f3843a17fa173c099708e4f9133a80e0ff3bdceabdd392eb

SHA512
d4968abcda2f17a5c75102bbd0980a7bbcf2a0370b524ca4b983362488bbaef479cd7df1f322e4dd01d5e67b0b287ce4eca6f2c21c8181cec97ff9f92a668064

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe

Filesize
10.6MB

MD5
feea5f7c4bd5f5d6e087986077ca7ba1

SHA1
94b959712fdda532951be12221d200f023cbec95

SHA256
96b5da19e1754e42f3843a17fa173c099708e4f9133a80e0ff3bdceabdd392eb

SHA512
d4968abcda2f17a5c75102bbd0980a7bbcf2a0370b524ca4b983362488bbaef479cd7df1f322e4dd01d5e67b0b287ce4eca6f2c21c8181cec97ff9f92a668064

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\Hvatmtuqnvmae.exe

Filesize
10.6MB

MD5
feea5f7c4bd5f5d6e087986077ca7ba1

SHA1
94b959712fdda532951be12221d200f023cbec95

SHA256
96b5da19e1754e42f3843a17fa173c099708e4f9133a80e0ff3bdceabdd392eb

SHA512
d4968abcda2f17a5c75102bbd0980a7bbcf2a0370b524ca4b983362488bbaef479cd7df1f322e4dd01d5e67b0b287ce4eca6f2c21c8181cec97ff9f92a668064

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsj211B.tmp\WrapperUtils.dll

Filesize
57KB

MD5
f77ad4917714b7c4166e22bc882126ee

SHA1
62acbb9a600a64dea5089105e214c9505b4b7e6b

SHA256
63726797254c040bf626d3d67c27fcdf11dd3e579f4d61ddb93aaaca8805d8c3

SHA512
bff7a1493ca863bce720958f9ead6233687f76dc75f2dedf506765f21be7db2e51abca649512bb8ec9f38f7b3a55888152764b7262ab65c7de61b6d2175ea5a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\InstallerUtils.dll

Filesize
835KB

MD5
878f680bfd82006487cdac671103b07d

SHA1
8a4936c3915c338eed4b5d7e0fd38dfec534a189

SHA256
136f39a8feb2376ad9a9ed41e9317d62831d41f1453b380c97173995bc217e99

SHA512
8490bc2fc9bda1d2b98b31e49badfc8a85085512ce4c43df58a6b635922a147a4f048c63ae40272d46aad44e8d9607e7eb2c0be8b7ae7cb1888ed60f7c283288

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\InstallerUtils.dll

Filesize
835KB

MD5
878f680bfd82006487cdac671103b07d

SHA1
8a4936c3915c338eed4b5d7e0fd38dfec534a189

SHA256
136f39a8feb2376ad9a9ed41e9317d62831d41f1453b380c97173995bc217e99

SHA512
8490bc2fc9bda1d2b98b31e49badfc8a85085512ce4c43df58a6b635922a147a4f048c63ae40272d46aad44e8d9607e7eb2c0be8b7ae7cb1888ed60f7c283288

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\InstallerUtils.dll

Filesize
835KB

MD5
878f680bfd82006487cdac671103b07d

SHA1
8a4936c3915c338eed4b5d7e0fd38dfec534a189

SHA256
136f39a8feb2376ad9a9ed41e9317d62831d41f1453b380c97173995bc217e99

SHA512
8490bc2fc9bda1d2b98b31e49badfc8a85085512ce4c43df58a6b635922a147a4f048c63ae40272d46aad44e8d9607e7eb2c0be8b7ae7cb1888ed60f7c283288

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\InstallerUtils.dll

Filesize
835KB

MD5
878f680bfd82006487cdac671103b07d

SHA1
8a4936c3915c338eed4b5d7e0fd38dfec534a189

SHA256
136f39a8feb2376ad9a9ed41e9317d62831d41f1453b380c97173995bc217e99

SHA512
8490bc2fc9bda1d2b98b31e49badfc8a85085512ce4c43df58a6b635922a147a4f048c63ae40272d46aad44e8d9607e7eb2c0be8b7ae7cb1888ed60f7c283288

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\InstallerUtils.dll

Filesize
835KB

MD5
878f680bfd82006487cdac671103b07d

SHA1
8a4936c3915c338eed4b5d7e0fd38dfec534a189

SHA256
136f39a8feb2376ad9a9ed41e9317d62831d41f1453b380c97173995bc217e99

SHA512
8490bc2fc9bda1d2b98b31e49badfc8a85085512ce4c43df58a6b635922a147a4f048c63ae40272d46aad44e8d9607e7eb2c0be8b7ae7cb1888ed60f7c283288

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\InstallerUtils.dll

Filesize
835KB

MD5
878f680bfd82006487cdac671103b07d

SHA1
8a4936c3915c338eed4b5d7e0fd38dfec534a189

SHA256
136f39a8feb2376ad9a9ed41e9317d62831d41f1453b380c97173995bc217e99

SHA512
8490bc2fc9bda1d2b98b31e49badfc8a85085512ce4c43df58a6b635922a147a4f048c63ae40272d46aad44e8d9607e7eb2c0be8b7ae7cb1888ed60f7c283288

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\InstallerUtils2.dll

Filesize
107KB

MD5
542bf24b77c17fb3adf74448c727b426

SHA1
14c369ae521f9e4d086a2230b695603bf9472d39

SHA256
3c036e135ea0c3c69853ee92251546e66a9a744a34420dc51e028c5e0a243634

SHA512
ab08a77a0e1851f0efe4b2803157ed13d34fd5744946db6280d8b2dacd30e43e8c51d03bb00021c9be9e1df25e5b9bb096ffd6f76cad457a34533ef4ac8e78fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5D21.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/2028-75-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/2028-76-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/2028-84-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/2028-85-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download