5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba

Analysis

max time kernel
329s
max time network
350s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe
Size

546KB
MD5

c26999a12eefe410d10a30136ae287ac
SHA1

3ab3f38c094ddc7cec57656aa3b6be987c0d84ef
SHA256

5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba
SHA512

a71a2724b6ec7e35ab112dc934bad856f0cceb53e3c9108f1e680fc6694e85b3eb467d3936d7842a4ed8e9a26e919ed19ca66984c14d219d14c4291a080b4d34
SSDEEP

12288:Uuog1lmM9M9jYiF6vyJ8Ho8XYtYvPlWLay2EWDKd:Ujg1lmXj7GmL8otYnlWaEWDKd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4644	Launcher.exe

Loads dropped DLL 3 IoCs

pid	Process
4128	5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe
4128	5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe
4128	5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4128	5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4644	4128	5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe	82
PID 4128 wrote to memory of 4644	4128	5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe	82
PID 4128 wrote to memory of 4644	4128	5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe	82

C:\Users\Admin\AppData\Local\Temp\5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe
"C:\Users\Admin\AppData\Local\Temp\5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\DM\5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe\pRuvEJiefTWQVij\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe\pRuvEJiefTWQVij\Launcher.exe /in="e5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe" /out="5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe" /psw="56232136fe684b8297758de982ed280c" /typ=dec
  2⤵
  - Executes dropped EXE
  PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe\pRuvEJiefTWQVij\Launcher.exe

Filesize
104KB

MD5
1c8e9f8911b5d0f692ae7accf45c6985

SHA1
737e35b716acfcb267ca0b8b7852c03d21109123

SHA256
44bfe6cfeca0d78e7c6b09c53259f6a177d8722dd5a3c4ebc4398cc23848f37f

SHA512
e83bc21a847b4806de30a7a8a8c6872ee21e574ec4d8cd3d50098a9d3421183df239cb0e4695c460595dbf610a1f8066e87ffb5f1c307bc8645fefc9c5b758c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\5d067f33632173c9f98c150269c3e28a5af55234b7f8434861035d33b386d0ba.exe\pRuvEJiefTWQVij\Launcher.exe

Filesize
104KB

MD5
1c8e9f8911b5d0f692ae7accf45c6985

SHA1
737e35b716acfcb267ca0b8b7852c03d21109123

SHA256
44bfe6cfeca0d78e7c6b09c53259f6a177d8722dd5a3c4ebc4398cc23848f37f

SHA512
e83bc21a847b4806de30a7a8a8c6872ee21e574ec4d8cd3d50098a9d3421183df239cb0e4695c460595dbf610a1f8066e87ffb5f1c307bc8645fefc9c5b758c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA192.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA192.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA192.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit