ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c

General

Target

ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.exe
Size

641KB
MD5

4deefd4ee217709fadeb441d951bf25f
SHA1

1032ce315e9f2a3cd1081854c1b97328f555c82d
SHA256

ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c
SHA512

823b2e071525599b794297b42f9d2b49519b8d7e7d585f6b357788f7ab97d46209145419d044122f6e49d6858ba743d23256d9d15c3eb5cf87b4d6137d4c603e
SSDEEP

12288:bSxGHY888888888888W88888888888k7o7jaHaic2FXx4Wm6ljl395M3NsamntD1:uxGD7qjoahkHmQ95cKtg+DWfrNJdNnpz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3040	ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.tmp
2140	ui.exe

Loads dropped DLL 3 IoCs

pid	Process
2140	ui.exe
2140	ui.exe
2140	ui.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e17-138.dat	nsis_installer_1
behavioral2/files/0x0006000000022e17-138.dat	nsis_installer_2
behavioral2/files/0x0006000000022e17-139.dat	nsis_installer_1
behavioral2/files/0x0006000000022e17-139.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3040	3600	ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.exe	79
PID 3600 wrote to memory of 3040	3600	ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.exe	79
PID 3600 wrote to memory of 3040	3600	ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.exe	79
PID 3040 wrote to memory of 2140	3040	ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.tmp	80
PID 3040 wrote to memory of 2140	3040	ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.tmp	80
PID 3040 wrote to memory of 2140	3040	ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.tmp	80

C:\Users\Admin\AppData\Local\Temp\ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.exe
"C:\Users\Admin\AppData\Local\Temp\ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Local\Temp\is-S1E10.tmp\ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S1E10.tmp\ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.tmp" /SL5="$8005A,263076,119296,C:\Users\Admin\AppData\Local\Temp\ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\is-UEOE4.tmp\ui.exe
    "C:\Users\Admin\AppData\Local\Temp\is-UEOE4.tmp\ui.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-S1E10.tmp\ad766403fef9347e0e862a6ebf1bb2f88f06ea991207d1fa87de1db1544ee39c.tmp

Filesize
1.1MB

MD5
129b8e200a6e90e813080c9ce0474063

SHA1
b5352cdae50e5ddf3eb62f75f2e77042386b8841

SHA256
cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839

SHA512
10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEOE4.tmp\ui.exe

Filesize
101KB

MD5
6094c8be383f1a5578dd89ce34eba2fb

SHA1
101e7b8e3464d929e022cff29a807c10064c5e4f

SHA256
1c2ed751b1497c36b906c34beb283891a5c34d4205a7a2d05ad3458a85ce2935

SHA512
370a7f0883d944699c3c4159dd0a9ed1b3b8b8eb3b669ef1fbe2707c5592ce7839640834f6db7128f27031ce3f02efa382ee30917f682ecfea2abea0fa18c79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEOE4.tmp\ui.exe

Filesize
101KB

MD5
6094c8be383f1a5578dd89ce34eba2fb

SHA1
101e7b8e3464d929e022cff29a807c10064c5e4f

SHA256
1c2ed751b1497c36b906c34beb283891a5c34d4205a7a2d05ad3458a85ce2935

SHA512
370a7f0883d944699c3c4159dd0a9ed1b3b8b8eb3b669ef1fbe2707c5592ce7839640834f6db7128f27031ce3f02efa382ee30917f682ecfea2abea0fa18c79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqC9ED.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqC9ED.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqC9ED.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
memory/2140-143-0x0000000004911000-0x0000000004913000-memory.dmp

Filesize
8KB

Download
memory/3600-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3600-136-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3600-144-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing