d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6

Analysis

max time kernel
185s
max time network
117s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
Size

140KB
MD5

3193db93a537528782b1ba428b370980
SHA1

7271acf3a4accdd81749a9015d0a42b28a3d717b
SHA256

d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6
SHA512

4500ebb4e1e99885d106fd3260553db1ad9da9e47fa5c926ce37178895d1c9582400b9a40090b60a49c49dd260230d93f076065be1cdfaf2e14085778488a3e6
SSDEEP

1536:f+NQe6VtKycXYAcANSU+MNG5ipzqNbCa34YaI77UsMJn1ogCnzqLcTJLO01DvqKF:IZeKyEYnAz4R77UsMJn1oyfG+gx

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nunas.exe

Executes dropped EXE 1 IoCs

pid	Process
788	nunas.exe

Loads dropped DLL 2 IoCs

pid	Process
932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /p"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /f"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /a"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /h"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /b"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /q"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /l"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /v"	nunas.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /g"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /e"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /k"	nunas.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /y"	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /t"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /c"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /w"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /o"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /i"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /d"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /m"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /s"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /u"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /x"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /j"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /z"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /r"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /n"	nunas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunas = "C:\\Users\\Admin\\nunas.exe /y"	nunas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe
788	nunas.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
788	nunas.exe
788	nunas.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 788	932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe	28
PID 932 wrote to memory of 788	932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe	28
PID 932 wrote to memory of 788	932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe	28
PID 932 wrote to memory of 788	932	d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe	28

C:\Users\Admin\AppData\Local\Temp\d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe
"C:\Users\Admin\AppData\Local\Temp\d05d40d34639e9a5d782cf87d5c7117ff2496fd69648f9ccfe999cdb0d6617b6.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\nunas.exe
  "C:\Users\Admin\nunas.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\nunas.exe

Filesize
140KB

MD5
8d9ac466b84ca26fc8eb726f91d2ebb5

SHA1
ee626e31d52da5c65421961b8bce8dc14f1fe077

SHA256
b2f8eaf893fcfe957ffb35bb73ccba20fc2cfa59c83618efaf538479304dae4c

SHA512
86f9418742b7d7232da06101ce3b341fbac7e9018554c205404ced97620021467ab2d6e2cd2e68dfea7837a72217b9b669aa28d8a6549b63c8d8c7f2d9981a06

Download Submit
C:\Users\Admin\nunas.exe

Filesize
140KB

MD5
8d9ac466b84ca26fc8eb726f91d2ebb5

SHA1
ee626e31d52da5c65421961b8bce8dc14f1fe077

SHA256
b2f8eaf893fcfe957ffb35bb73ccba20fc2cfa59c83618efaf538479304dae4c

SHA512
86f9418742b7d7232da06101ce3b341fbac7e9018554c205404ced97620021467ab2d6e2cd2e68dfea7837a72217b9b669aa28d8a6549b63c8d8c7f2d9981a06

Download Submit
\Users\Admin\nunas.exe

Filesize
140KB

MD5
8d9ac466b84ca26fc8eb726f91d2ebb5

SHA1
ee626e31d52da5c65421961b8bce8dc14f1fe077

SHA256
b2f8eaf893fcfe957ffb35bb73ccba20fc2cfa59c83618efaf538479304dae4c

SHA512
86f9418742b7d7232da06101ce3b341fbac7e9018554c205404ced97620021467ab2d6e2cd2e68dfea7837a72217b9b669aa28d8a6549b63c8d8c7f2d9981a06

Download Submit
\Users\Admin\nunas.exe

Filesize
140KB

MD5
8d9ac466b84ca26fc8eb726f91d2ebb5

SHA1
ee626e31d52da5c65421961b8bce8dc14f1fe077

SHA256
b2f8eaf893fcfe957ffb35bb73ccba20fc2cfa59c83618efaf538479304dae4c

SHA512
86f9418742b7d7232da06101ce3b341fbac7e9018554c205404ced97620021467ab2d6e2cd2e68dfea7837a72217b9b669aa28d8a6549b63c8d8c7f2d9981a06

Download Submit
memory/932-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download