Analysis
max time kernel: 106s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 21:30
Behavioral task: behavioral1
Sample: 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
Resource: win10v2004-20220812-en
General
Target: 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
Size: 1.1MB
MD5: df9429e6d8cba999535e34a945b847ef
SHA1: 262d84caf14b46c76f91aa6c1ed1b3b5013a7d25
SHA256: 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8
SHA512: a9484bda3fbed8ff84a95be1f25f17b79d57ffe434b3f1e4594d75bdcfdeaa8bc8a0f705175be431357201fa9c1a738fb55a76befe771577c53fc211487699c6
SSDEEP: 24576:XOIFnM1rGoN1PSWr47HfgXt6b3sCj8nROEbapxS/TRL4cYUuY:+IUlGWrI/g96rskARokNYM
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
668   explorer.exe
1652  taskmgr.exe
resource                                                                        yara_rule
behavioral1/memory/1744-55-0x0000000000400000-0x00000000005E2000-memory.dmp     upx
behavioral1/files/0x000800000001230e-56.dat                                     upx
behavioral1/files/0x000800000001230e-57.dat                                     upx
behavioral1/files/0x000800000001230e-59.dat                                     upx
behavioral1/memory/1744-61-0x0000000000400000-0x00000000005E2000-memory.dmp     upx
behavioral1/files/0x000800000001230e-62.dat                                     upx
behavioral1/files/0x00090000000122fa-63.dat                                     upx
behavioral1/files/0x00090000000122fa-64.dat                                     upx
behavioral1/files/0x00090000000122fa-66.dat                                     upx
behavioral1/memory/1652-70-0x0000000000400000-0x0000000000525000-memory.dmp     upx
behavioral1/memory/668-71-0x0000000000400000-0x0000000000525000-memory.dmp      upx
behavioral1/memory/1652-74-0x0000000000400000-0x0000000000525000-memory.dmp     upx
behavioral1/memory/668-75-0x0000000000400000-0x0000000000525000-memory.dmp      upx
Loads dropped DLL (4 IoCs)
pid   Process
1744  8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
1744  8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
668   explorer.exe
668   explorer.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                   Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                           8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvCpu = "C:\\Windows\\NvCpu.exe"  8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
Drops file in Windows directory (4 IoCs)
description   ioc                                                                                     Process
File created  C:\Windows\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe         8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
File created  C:\Windows\NvCpu.exe                                                                    8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
File created  C:\Windows\4080\Info\explorer.exe                                                       8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
File created  C:\Windows\4080\taskmgr.exe                                                             explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
668   explorer.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                                                  procid_target
PID 1744 wrote to memory of 668   1744  8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe    28
PID 1744 wrote to memory of 668   1744  8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe    28
PID 1744 wrote to memory of 668   1744  8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe    28
PID 1744 wrote to memory of 668   1744  8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe    28
PID 668 wrote to memory of 1652   668   explorer.exe                                                             29
PID 668 wrote to memory of 1652   668   explorer.exe                                                             29
PID 668 wrote to memory of 1652   668   explorer.exe                                                             29
PID 668 wrote to memory of 1652   668   explorer.exe                                                             29
Processes

1. C:\Users\Admin\AppData\Local\Temp\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   PID: 1744

   2. C:\Windows\4080\Info\explorer.exe
      Command line: C:\Windows\4080\Info\explorer.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      PID: 668

      3. C:\Windows\4080\taskmgr.exe
         Command line: C:\Windows\4080\taskmgr.exe
         - Executes dropped EXE
         PID: 1652
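The process tree and the Run-key write above give a hunter two concrete things to match on: system-binary names (explorer.exe, taskmgr.exe) running from C:\Windows\4080\..., where no genuine copy lives, and a Run value pointing at a freshly created C:\Windows\NvCpu.exe. The helper below is an added example written for this report, not part of the sandbox output; it replays the report's process tree and registry write as constructed events and applies those two rules. The expected-directory table, the parent PID 1000, and the two benign control events are assumptions made for the example.

```python
"""Hunting helper added for this report; it is not part of the sandbox output.

It replays the report's process tree and Run-key write as constructed
events and flags the two things a detection rule would key on here:
  1. masquerading: a process named like a Windows system binary
     (explorer.exe, taskmgr.exe) that runs from a directory where that
     binary does not live on a default install;
  2. persistence: a Run value pointing at an executable placed directly
     under C:\\Windows, as NvCpu.exe is in the report.
The expected-directory table and the benign control events are
assumptions made for the example.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Default-install locations of the impersonated binaries (assumption for the example).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the created process


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    name: str
    value: str


def masquerading_image(image: str) -> bool:
    """True when the file name is a known system binary but the directory is not one it ships in."""
    directory, name = ntpath.split(image.lower())
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and directory not in expected


def suspicious_run_value(ev: RegEvent) -> bool:
    """True for a Run-key value whose target sits directly in the Windows root.

    Only the key path and the target directory are inspected; the value
    name (NvCpu in the report) is trivial for an attacker to change.
    """
    if not ev.key.lower().endswith(RUN_KEY_SUFFIX):
        return False
    target = ev.value.strip('"').lower()
    return ntpath.dirname(target) == r"c:\windows"


def lineage(pid: int, events: list[ProcEvent]) -> list[str]:
    """Image paths from the earliest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def find_alerts(procs: list[ProcEvent], regs: list[RegEvent]) -> list[tuple]:
    alerts = []
    for e in procs:
        if masquerading_image(e.image):
            alerts.append(("masquerade", e.pid, lineage(e.pid, procs)))
    for r in regs:
        if suspicious_run_value(r):
            alerts.append(("run_key", r.pid, r.name, r.value))
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe"

# Constructed events: the first three mirror the report's process tree and
# Run-key write; the last two are benign controls that must not alert.
PROC_EVENTS = [
    ProcEvent(1744, 1000, SAMPLE),                              # parent pid 1000 is assumed
    ProcEvent(668, 1744, r"C:\Windows\4080\Info\explorer.exe"),
    ProcEvent(1652, 668, r"C:\Windows\4080\taskmgr.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\explorer.exe"),          # genuine shell
    ProcEvent(2001, 2000, r"C:\Windows\System32\taskmgr.exe"),  # genuine Task Manager
]
REG_EVENTS = [
    # The report prints the value with doubled backslashes; that is the sandbox's escaping.
    RegEvent(1744, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "NvCpu", r"C:\Windows\NvCpu.exe"),
    RegEvent(2000, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
             "OneDrive", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),  # benign control
]

if __name__ == "__main__":
    for alert in find_alerts(PROC_EVENTS, REG_EVENTS):
        print(alert)
```

Run as-is it reports the two masquerading processes (668 and 1652, each with its lineage back to the sample) and the NvCpu Run value, and stays silent on the genuine explorer.exe, the genuine taskmgr.exe and the OneDrive Run entry. Feeding it real Sysmon event ID 1 and 13 records instead of the constructed list only requires building the same two dataclasses from the Image/ParentProcessId and TargetObject/Details fields.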
Network
MITRE ATT&CK Enterprise v6
Downloads
Seven entries, all with the same size and hashes:
Filesize: 605KB
MD5: 8a0b19899cddf09f2385c798674a25ce
SHA1: 979a65d873b89896c79c4f3e7a676402d13c9d29
SHA256: bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8
SHA512: dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb