ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3

Analysis

max time kernel
251s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 01:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe
Size

85KB
MD5

58f39903c64282ab32b47dee20f7762d
SHA1

9a11cc8388807e45699f1509062948cfe872117c
SHA256

ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3
SHA512

48c3f8c82a85eb570c372e0e7ef1bd8a4fccb0bb275761f251eb985a58d8d333fab8154dc1a43a022ec9a865b143b53443406898fb41969d269046a4a81b85cc
SSDEEP

1536:XCaIoX1oYOcbTMV88TXJLE7iwhKKS2gE2wGu3SzR1:XCaZ2Yrb0VTXJY7iZKUE2wGuiz

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2320	iWinGames.exe
4476	InstGameInfoHelper.exe

Loads dropped DLL 6 IoCs

pid	Process
3484	ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe
3484	ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe
3484	ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe
2320	iWinGames.exe
2320	iWinGames.exe
2320	iWinGames.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022d9f-137.dat	nsis_installer_1
behavioral2/files/0x0006000000022d9f-137.dat	nsis_installer_2
behavioral2/files/0x0006000000022d9f-138.dat	nsis_installer_1
behavioral2/files/0x0006000000022d9f-138.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 2320	3484	ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe	81
PID 3484 wrote to memory of 2320	3484	ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe	81
PID 3484 wrote to memory of 2320	3484	ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe	81
PID 2320 wrote to memory of 4476	2320	iWinGames.exe	83
PID 2320 wrote to memory of 4476	2320	iWinGames.exe	83
PID 2320 wrote to memory of 4476	2320	iWinGames.exe	83

C:\Users\Admin\AppData\Local\Temp\ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe
"C:\Users\Admin\AppData\Local\Temp\ad897df737828a87e155614f001dcc1bd3ced8f1439cc5a8825a8482040644a3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\nsn2FC2.tmp\iWinGames.exe
  C:\Users\Admin\AppData\Local\Temp\nsn2FC2.tmp\iWinGames.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\nsqB657.tmp\InstGameInfoHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\nsqB657.tmp\InstGameInfoHelper.exe"
    3⤵
    - Executes dropped EXE
    PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsn2FC2.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn2FC2.tmp\ftdownload.dat

Filesize
512B

MD5
f964914b792f4a1a29012d2ce877c354

SHA1
bd0c87ae867ab7e234f32a530a1d913c683b0c29

SHA256
0b99bfd080cb5e363d589d1121d2a8b060becd5129909f4525c2b39620a71082

SHA512
ef95a58e96b8499b8168dd878c5e8b8fe9daa4809b06fff1b4ec423d10b32f6cf3e242ef174a3f6e2daafa310820940ab1958daf11c6c45aaeb7b4a07c798c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn2FC2.tmp\iWinGames.exe

Filesize
4.4MB

MD5
9939c0274f24ae6d6e29dd5580fd88ac

SHA1
96c2a03086e3afd51430fa0f79026d7a961101ae

SHA256
991cefa2b730f298ae402d32ad1e311996354f4bb4ae815c4f979e03b70a5471

SHA512
ab230e1b79f14ce6bcde605a5cb0e13c4030fd64c9b86cb1df290455084dcd04c40f2f011ea0e674b52e6f47490ee9bb3f41dc5e07b83187f3c75c13c471bf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn2FC2.tmp\iWinGames.exe

Filesize
4.4MB

MD5
9939c0274f24ae6d6e29dd5580fd88ac

SHA1
96c2a03086e3afd51430fa0f79026d7a961101ae

SHA256
991cefa2b730f298ae402d32ad1e311996354f4bb4ae815c4f979e03b70a5471

SHA512
ab230e1b79f14ce6bcde605a5cb0e13c4030fd64c9b86cb1df290455084dcd04c40f2f011ea0e674b52e6f47490ee9bb3f41dc5e07b83187f3c75c13c471bf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn2FC2.tmp\nsisdl.dll

Filesize
14KB

MD5
a5a4cee2eb89d2687c05ef74299f0dba

SHA1
b9bff5987be422887f2f402357b47db2288a1a42

SHA256
cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963

SHA512
f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn2FC2.tmp\nsisdl.dll

Filesize
14KB

MD5
a5a4cee2eb89d2687c05ef74299f0dba

SHA1
b9bff5987be422887f2f402357b47db2288a1a42

SHA256
cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963

SHA512
f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB657.tmp\InstGameInfoHelper.exe

Filesize
99KB

MD5
3d3d2bf9c42dbdf97247775c00f22190

SHA1
7a046170aaeb5e1a29d8c8cd7c32225f49237aa1

SHA256
59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a

SHA512
6e66c4ff467e286cd5dc1d4ccd412fec32cfd01514db6c339fd275eaab5f3b549e223e9330bc61ff19048df70b81b66dfcc78ac351aa2c5ff45cf8d197140466

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB657.tmp\InstGameInfoHelper.exe

Filesize
99KB

MD5
3d3d2bf9c42dbdf97247775c00f22190

SHA1
7a046170aaeb5e1a29d8c8cd7c32225f49237aa1

SHA256
59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a

SHA512
6e66c4ff467e286cd5dc1d4ccd412fec32cfd01514db6c339fd275eaab5f3b549e223e9330bc61ff19048df70b81b66dfcc78ac351aa2c5ff45cf8d197140466

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB657.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB657.tmp\nsExec.dll

Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB657.tmp\nsExec.dll

Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
memory/3484-135-0x00000000022D1000-0x00000000022D4000-memory.dmp

Filesize
12KB

Download