248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6

Analysis

max time kernel
137s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 13:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
Size

81KB
MD5

e504515dc903231608e6bc56b139fc50
SHA1

79f30e453540dbf720c13e1d31df74b8aed0b6c0
SHA256

248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6
SHA512

31830c675ce22a4c7f7f81d43cbc0fa557e37d213174c024f07562e01e932591474ad1c8010487e26b11e08425058b0e63a8ab4fc30a8d3c4d42c8964215b9cb
SSDEEP

1536:xPx/CJAmx2/W5Ebnto4tmJLGA0xoHV96cBuolLzD01hvgRQTuW8wTEpeGU:tx6UW6tpmJLAxoHVkcAodoKWKw

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
File created	C:\Windows\system32\drivers\etc\h1	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe

Loads dropped DLL 9 IoCs

pid	Process
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
544	taskkill.exe
2816	taskkill.exe
4244	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 544	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	81
PID 4656 wrote to memory of 544	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	81
PID 4656 wrote to memory of 544	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	81
PID 4656 wrote to memory of 2816	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	83
PID 4656 wrote to memory of 2816	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	83
PID 4656 wrote to memory of 2816	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	83
PID 4656 wrote to memory of 3208	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	85
PID 4656 wrote to memory of 3208	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	85
PID 4656 wrote to memory of 3208	4656	248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe	85
PID 3208 wrote to memory of 4244	3208	cmd.exe	87
PID 3208 wrote to memory of 4244	3208	cmd.exe	87
PID 3208 wrote to memory of 4244	3208	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe
"C:\Users\Admin\AppData\Local\Temp\248d16dcce985ad49ec0da7e15c18bbd9115010d17987b6578f952c43b9d1dc6.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSASCui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSASCui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c GG.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im GreenAV_Install.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GG.bat

Filesize
136B

MD5
e70fdd1e0960aff7b3143a044732c02d

SHA1
bac9c49168922ebef62ab770cac5d860b10e5783

SHA256
19fc544edcf0e81eccb6e671d4682008af40ef34beeafff4f26ded5bd71046ce

SHA512
5b80984631e0a5be86060e27b5ed3ba8458a1e41ef4b2e7212bfd44f4651e3557d913f881b1505391ca9950ecae0b1509ec77762967a9d362a739ee8c93a4c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\NSISdl.dll

Filesize
14KB

MD5
f0e51d5722c11a4fe40c97b746c1ffc5

SHA1
8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193

SHA256
93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d

SHA512
212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\NSISdl.dll

Filesize
14KB

MD5
f0e51d5722c11a4fe40c97b746c1ffc5

SHA1
8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193

SHA256
93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d

SHA512
212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\NSISdl.dll

Filesize
14KB

MD5
f0e51d5722c11a4fe40c97b746c1ffc5

SHA1
8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193

SHA256
93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d

SHA512
212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\NSISdl.dll

Filesize
14KB

MD5
f0e51d5722c11a4fe40c97b746c1ffc5

SHA1
8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193

SHA256
93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d

SHA512
212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\UAC.dll

Filesize
17KB

MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\UAC.dll

Filesize
17KB

MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\exdll.dll

Filesize
11KB

MD5
d62c4ac2c1c79110e389ede304d09332

SHA1
07369488c9073a07c9acb78d7951b7c9e84c39c1

SHA256
bb8606f5cb3443adb8331f59d5f811caf9142195e89e877d31a5d75b40505422

SHA512
618c1ee9a54af74370d485029881624596f1a3fe8031910d70d5e5ea79f441dca2af875334cb1fb2484ffa7908ae1edd67c4e9ba0fdf2227847afee21f68ed2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\nsExec.dll

Filesize
6KB

MD5
a889199cc043f1123ea6653eeb61575b

SHA1
2e45d19055b711689ca89520222ea7fd68696e89

SHA256
d766c872188ba22284bf577462a37e71d2b174661a1d463f3b35548ca77598c2

SHA512
a378bc22e3e617da9f7757f98e3e1d5c4c357ff2333fb1dbf74525dee6a6cb03fda902dbd6f6e137fbc21e578ccffb3e109039e519717beda2f5e177656dbb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7390.tmp\nsExec.dll

Filesize
6KB

MD5
a889199cc043f1123ea6653eeb61575b

SHA1
2e45d19055b711689ca89520222ea7fd68696e89

SHA256
d766c872188ba22284bf577462a37e71d2b174661a1d463f3b35548ca77598c2

SHA512
a378bc22e3e617da9f7757f98e3e1d5c4c357ff2333fb1dbf74525dee6a6cb03fda902dbd6f6e137fbc21e578ccffb3e109039e519717beda2f5e177656dbb73

Download Submit