1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05

Analysis

max time kernel
84s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe
Size

443KB
MD5

4da1c99491f8fd792653e82d7be6e300
SHA1

c2415eb23b274db34048c37b60ad098c1f6a5867
SHA256

1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05
SHA512

fffee2ad7dbda9de28f6af77bb55ced6c6657faaa880be9450b1e9bf3846ff45474cc83b93b6be2cb01da1548d4e83fc60a7f07c2e1bac28c66d1200e6495ff0
SSDEEP

12288:sZ+zxStcGJ7NZmATbPLAVvMPi8oUl/JtJsufeb:sZ+FAck7NZ9TDLoMr//JtJtK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2948	loading.exe
2652	devcon.exe
3320	devcon.exe

Loads dropped DLL 5 IoCs

pid	Process
2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe
2948	loading.exe
2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe
2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe
2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\gg123\install.exe	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0001000000022e00-133.dat	nsis_installer_2
behavioral2/files/0x0001000000022e00-134.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2948	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	80
PID 2928 wrote to memory of 2948	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	80
PID 2928 wrote to memory of 2948	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	80
PID 2928 wrote to memory of 2652	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	81
PID 2928 wrote to memory of 2652	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	81
PID 2928 wrote to memory of 2652	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	81
PID 2928 wrote to memory of 3320	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	83
PID 2928 wrote to memory of 3320	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	83
PID 2928 wrote to memory of 3320	2928	1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe	83

C:\Users\Admin\AppData\Local\Temp\1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe
"C:\Users\Admin\AppData\Local\Temp\1e0a296f99224505e0ae853ade10f1db2acdb377c2f0ab2a1063711f4eb24c05.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\loading.exe
  C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\loading.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\devcon.exe
  C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\devcon.exe disable =net
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\devcon.exe
  C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\devcon.exe enable =net
  2⤵
  - Executes dropped EXE
  PID:3320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nspD3E0.tmp\NxSMSILoaderDlg.dll

Filesize
48KB

MD5
63cf47a6dfed54d1a104660b39264919

SHA1
d829826e724fe49ee7bb56e31bb342e02a6d6b7b

SHA256
1726fc6a6d93ca8f1099d23c619f96e488fcc2bb94bc199a5163566ca68ab5cd

SHA512
1b141202e616fca492ce65d6bee577648a4a07bd7760a445bfe134d79ab2b4124b6cb68c01bbfbf086004a030955d1162b71ca42d732a2ba027e8ea5afbb9f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\InstallOptions.dll

Filesize
14KB

MD5
fa5beae80dba254fb6c21b58265f5310

SHA1
f2f776611dbbb157b151aa744a7e0be1d4b8c079

SHA256
34b8a2130729064ca2f9b3b8e6f90d883d84662156b648a4eeccefefc3473269

SHA512
7c74b9e9f1ff0665ffd6fcf76fca462d9f4fbd7c4a215bc67b419497ef4c3cb9cede6c5b0803cabb316bc5391c4c6f0d578d36e1094b8ed326b140f8e272b538

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\devcon.exe

Filesize
54KB

MD5
c4b470269324517ee838789c7cf5e606

SHA1
7005597d55fb26c6260e0772f301c79f030e6d56

SHA256
5f9b898315ad8192e87e21a499fd87d31b886513bb39d368476174aaa89a2bf9

SHA512
dbadca544434a847238bf107e59aa84bf8df9df899d0c2da2ee62cc28e12d175a81d4e4e0f85d7c394323bf66fb4ac0f413c949700ecdec9a73ed5cf9340aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\devcon.exe

Filesize
54KB

MD5
c4b470269324517ee838789c7cf5e606

SHA1
7005597d55fb26c6260e0772f301c79f030e6d56

SHA256
5f9b898315ad8192e87e21a499fd87d31b886513bb39d368476174aaa89a2bf9

SHA512
dbadca544434a847238bf107e59aa84bf8df9df899d0c2da2ee62cc28e12d175a81d4e4e0f85d7c394323bf66fb4ac0f413c949700ecdec9a73ed5cf9340aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\devcon.exe

Filesize
54KB

MD5
c4b470269324517ee838789c7cf5e606

SHA1
7005597d55fb26c6260e0772f301c79f030e6d56

SHA256
5f9b898315ad8192e87e21a499fd87d31b886513bb39d368476174aaa89a2bf9

SHA512
dbadca544434a847238bf107e59aa84bf8df9df899d0c2da2ee62cc28e12d175a81d4e4e0f85d7c394323bf66fb4ac0f413c949700ecdec9a73ed5cf9340aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\loading.exe

Filesize
51KB

MD5
7ad7c7ca70cd38b5c6cf52402c0f0972

SHA1
c0fabb8fc93f906515d7de0c105c603f18ab3b14

SHA256
428874130591f20d7b99da693b23c67b407f849eade42b28cc82bcd69179939e

SHA512
72849aadd80700fb13729b390d0cdd09282f3cba9acbd79bcfa095dfb4ef08a9fe83e5e94bb7c48f5533b2175f760f2d79f34dbca82c2e7ca045f44ab8725f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\loading.exe

Filesize
51KB

MD5
7ad7c7ca70cd38b5c6cf52402c0f0972

SHA1
c0fabb8fc93f906515d7de0c105c603f18ab3b14

SHA256
428874130591f20d7b99da693b23c67b407f849eade42b28cc82bcd69179939e

SHA512
72849aadd80700fb13729b390d0cdd09282f3cba9acbd79bcfa095dfb4ef08a9fe83e5e94bb7c48f5533b2175f760f2d79f34dbca82c2e7ca045f44ab8725f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\nsExec.dll

Filesize
6KB

MD5
1e16f1e4f6e9155d68a33501d5c36010

SHA1
2f5da34b1ca655b55739cc7455e94314aab7ddc9

SHA256
73a56cf3b8e4a3022304e7e2196aefd4104dce1e2055ca068e3ce7650597b6fc

SHA512
4c5990ff8799aea74983e5974072a2cf41cb28abac0a7691186fae31eec9920845fb71b86771a88a87cf79ad33ca184823522f24b38df3805c1b37d39876c037

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuD2C7.tmp\nsExec.dll

Filesize
6KB

MD5
1e16f1e4f6e9155d68a33501d5c36010

SHA1
2f5da34b1ca655b55739cc7455e94314aab7ddc9

SHA256
73a56cf3b8e4a3022304e7e2196aefd4104dce1e2055ca068e3ce7650597b6fc

SHA512
4c5990ff8799aea74983e5974072a2cf41cb28abac0a7691186fae31eec9920845fb71b86771a88a87cf79ad33ca184823522f24b38df3805c1b37d39876c037

Download Submit