71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f

Analysis

max time kernel
163s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 07:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe
Size

519KB
MD5

992f4276dba125b14c0e7975efc1864f
SHA1

bb2528b419df88095375b130847e72f46b0720e9
SHA256

71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f
SHA512

6a95f6b91d9799540e8cfd3c08e633ac6196ea94899378a96bf62eb42fdb81daa06fbef16b896924b0b6355179a6a56603a69c4c23dfbc6ed264e08256c5cac8
SSDEEP

12288:LuoEYo9X2oGzK/OtD0IFaoX2/WLBJz56d5fEUEyS:LjEYo52fG/BoX2QBviEqS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1548	Launcher.exe
1920	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe

Loads dropped DLL 1 IoCs

pid	Process
2952	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000022e61-146.dat	nsis_installer_1
behavioral2/files/0x0007000000022e61-146.dat	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1920	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe
1920	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1548	2952	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe	86
PID 2952 wrote to memory of 1548	2952	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe	86
PID 2952 wrote to memory of 1548	2952	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe	86
PID 2952 wrote to memory of 1920	2952	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe	87
PID 2952 wrote to memory of 1920	2952	71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe	87

C:\Users\Admin\AppData\Local\Temp\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe
"C:\Users\Admin\AppData\Local\Temp\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\Launcher.exe /in="e71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe" /out="71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe" /psw="951161b970164e2f99fbb801913c7c1e" /typ=dec
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe
  C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe /path="C:\Users\Admin\AppData\Local\Temp\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe

Filesize
388KB

MD5
a7fce30cee6ef7e26cebf055bd6c0fcb

SHA1
a639ed56b4be7da69031475d0b786c6e0c527bff

SHA256
decf5547df4617b929aca2f6c4b638ee6e900102b271b47eedd3f31ff9cf29c6

SHA512
5795e9869a41a61fcb8bbe18ebc5768a0db00e378fdf5409c299fbbcabec7f9c0cacdb3ac0a1ff5228e5d8bb3668e4fca065416122a664de2d65ae5d6e242c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe

Filesize
388KB

MD5
a7fce30cee6ef7e26cebf055bd6c0fcb

SHA1
a639ed56b4be7da69031475d0b786c6e0c527bff

SHA256
decf5547df4617b929aca2f6c4b638ee6e900102b271b47eedd3f31ff9cf29c6

SHA512
5795e9869a41a61fcb8bbe18ebc5768a0db00e378fdf5409c299fbbcabec7f9c0cacdb3ac0a1ff5228e5d8bb3668e4fca065416122a664de2d65ae5d6e242c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\Launcher.exe

Filesize
104KB

MD5
8e57cfe6b89daab50f27da3daef8fa50

SHA1
99a4c5ef9e0591c54c347f306bfa36b05eb4aa3a

SHA256
3300290eb31f24ae4ebf056ccd2d6f5b37a7e95ef10ceb71e4af3a31ff1e77fe

SHA512
6c72665541b09abb063068f2036b67a036218942adec2cb08d1b54a44fd7f46a6807e2514e850cb1fbfbf53f02c0125ec8d5cf24d9a6bc6554457acb12d78993

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\Launcher.exe

Filesize
104KB

MD5
8e57cfe6b89daab50f27da3daef8fa50

SHA1
99a4c5ef9e0591c54c347f306bfa36b05eb4aa3a

SHA256
3300290eb31f24ae4ebf056ccd2d6f5b37a7e95ef10ceb71e4af3a31ff1e77fe

SHA512
6c72665541b09abb063068f2036b67a036218942adec2cb08d1b54a44fd7f46a6807e2514e850cb1fbfbf53f02c0125ec8d5cf24d9a6bc6554457acb12d78993

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\e71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe

Filesize
388KB

MD5
547611d5910f6d5e783bbb6e3bdbf02b

SHA1
68ef77375958a357a771b95e45ffd760b79ae320

SHA256
3e352f16d25022d642ebd6932c6f4e02d7c8700e459397e6f800534c2b9ec4d4

SHA512
ddae8d83ed18413ef1a8e249a16292f18053aa328094604cbd56c88cac8a37f7a9380c7b11dab14dcba173eb35765deba6369e66589902b924b54f0ffb22b977

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f.exe\chGWkQXp6tl9CbC\installer.exe

Filesize
519KB

MD5
992f4276dba125b14c0e7975efc1864f

SHA1
bb2528b419df88095375b130847e72f46b0720e9

SHA256
71bbd06d37c2c276e5577a9579f00c3d91ac7f68c2f5d11ddbaebba82d413d2f

SHA512
6a95f6b91d9799540e8cfd3c08e633ac6196ea94899378a96bf62eb42fdb81daa06fbef16b896924b0b6355179a6a56603a69c4c23dfbc6ed264e08256c5cac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDB20.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/1548-138-0x0000000073000000-0x00000000735B1000-memory.dmp

Filesize
5.7MB

Download
memory/1920-143-0x00007FF9BF270000-0x00007FF9BFCA6000-memory.dmp

Filesize
10.2MB

Download
memory/1920-144-0x0000000000D4A000-0x0000000000D4F000-memory.dmp

Filesize
20KB

Download
memory/1920-145-0x0000000000D4A000-0x0000000000D4F000-memory.dmp

Filesize
20KB

Download