915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad

General

Target

915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe
Size

428KB
MD5

f947e9a607b0a36a3f42aa61b9d5fb61
SHA1

d440de86f7b9c1881a5b366bf4c5a8a4f9ce8a5a
SHA256

915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad
SHA512

09f14c006f51ac292b70a5e0f1e408626fcb012f992e755c3585a0daddadae09d6755515ccbaba752337563ddad7c61d22e7ff59a87d90a4c7998e9e80f78c61
SSDEEP

12288:6tobNiwYc/axjYt6YEWxk+ac22jN8+9WZyT:6t2hDCxsrxtR2Qr9WET

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2000	installer.exe
468	north.exe

Loads dropped DLL 3 IoCs

pid	Process
1060	915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe
1060	915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe
1060	915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
468	north.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	north.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
468	north.exe
468	north.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2000	1060	915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe	28
PID 1060 wrote to memory of 2000	1060	915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe	28
PID 1060 wrote to memory of 2000	1060	915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe	28
PID 1060 wrote to memory of 2000	1060	915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe	28
PID 2000 wrote to memory of 468	2000	installer.exe	30
PID 2000 wrote to memory of 468	2000	installer.exe	30
PID 2000 wrote to memory of 468	2000	installer.exe	30
PID 2000 wrote to memory of 468	2000	installer.exe	30

C:\Users\Admin\AppData\Local\Temp\915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe
"C:\Users\Admin\AppData\Local\Temp\915525db4c2f0ff7712cf2647c70d748a314c796ec0ad63630eda10b35c00dad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\installer.exe north.exe /dT132592205S /e10240486 /u50ae11c5-fa08-4f10-be2a-04b05bc06f2f
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\north.exe
    "C:\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\north.exe" /dT132592205S /e10240486 /u50ae11c5-fa08-4f10-be2a-04b05bc06f2f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\installer.exe

Filesize
175KB

MD5
c56f474df7c7234370c88cef5e334752

SHA1
ff7e59e76a0bbdef4243232786c0d86e9fbb22dd

SHA256
2e2e482bbf7a109f2d7cc37a9657715ef133900c4af3b6e90da2842ad12d869d

SHA512
79a56ef595b37009382e83fdb512ee9f57e13384060238d809f7d9564f85a2a3d5fd05d75a8de6c3851fe7ba80b7bd5936af4a345bc278cd42fa959f4ed52d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\installer.exe

Filesize
175KB

MD5
c56f474df7c7234370c88cef5e334752

SHA1
ff7e59e76a0bbdef4243232786c0d86e9fbb22dd

SHA256
2e2e482bbf7a109f2d7cc37a9657715ef133900c4af3b6e90da2842ad12d869d

SHA512
79a56ef595b37009382e83fdb512ee9f57e13384060238d809f7d9564f85a2a3d5fd05d75a8de6c3851fe7ba80b7bd5936af4a345bc278cd42fa959f4ed52d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\north.exe

Filesize
253KB

MD5
990774201cab9f23e9b2a4dbfd7b322d

SHA1
a77b83a8a3b9efcc38e8b3d1c42e681c1450470c

SHA256
68da632d702639815cc5875aefd103304c528df93bd8e197e7d6335787d131ae

SHA512
1d15af0b2a44b23319ffe35164b285868a32cd7b2e5810bf97902d5f91891eaf6f8f6e182d0ca9e6090a670f768567a3f667a95451d93e9881734f0c8b2ebde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\north.exe

Filesize
253KB

MD5
990774201cab9f23e9b2a4dbfd7b322d

SHA1
a77b83a8a3b9efcc38e8b3d1c42e681c1450470c

SHA256
68da632d702639815cc5875aefd103304c528df93bd8e197e7d6335787d131ae

SHA512
1d15af0b2a44b23319ffe35164b285868a32cd7b2e5810bf97902d5f91891eaf6f8f6e182d0ca9e6090a670f768567a3f667a95451d93e9881734f0c8b2ebde5

Download Submit
\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\installer.exe

Filesize
175KB

MD5
c56f474df7c7234370c88cef5e334752

SHA1
ff7e59e76a0bbdef4243232786c0d86e9fbb22dd

SHA256
2e2e482bbf7a109f2d7cc37a9657715ef133900c4af3b6e90da2842ad12d869d

SHA512
79a56ef595b37009382e83fdb512ee9f57e13384060238d809f7d9564f85a2a3d5fd05d75a8de6c3851fe7ba80b7bd5936af4a345bc278cd42fa959f4ed52d6f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\installer.exe

Filesize
175KB

MD5
c56f474df7c7234370c88cef5e334752

SHA1
ff7e59e76a0bbdef4243232786c0d86e9fbb22dd

SHA256
2e2e482bbf7a109f2d7cc37a9657715ef133900c4af3b6e90da2842ad12d869d

SHA512
79a56ef595b37009382e83fdb512ee9f57e13384060238d809f7d9564f85a2a3d5fd05d75a8de6c3851fe7ba80b7bd5936af4a345bc278cd42fa959f4ed52d6f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyBF4C.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/468-73-0x00000000008C9000-0x00000000008DA000-memory.dmp

Filesize
68KB

Download
memory/468-72-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/468-71-0x00000000008C9000-0x00000000008DA000-memory.dmp

Filesize
68KB

Download
memory/468-64-0x0000000000000000-mapping.dmp

Download
memory/468-70-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/468-68-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1060-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/2000-58-0x0000000000000000-mapping.dmp

Download
memory/2000-69-0x0000000000A06000-0x0000000000A25000-memory.dmp

Filesize
124KB

Download
memory/2000-63-0x0000000000A06000-0x0000000000A25000-memory.dmp

Filesize
124KB

Download
memory/2000-62-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/2000-61-0x000007FEF47D0000-0x000007FEF51F3000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing