14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72

Analysis

max time kernel
173s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
Size

518KB
MD5

ac11eb72ce91ac8c2b066612be8e2ef8
SHA1

d8d10f4dfe4049f0e510c3b98d79e013660d2a4a
SHA256

14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72
SHA512

87197a5d8067dc01acd894eb735d80e3937288909ff6d300af76511030dba92ecfae9af3feaac7a4e17413cbdc211fa2fd54a7c079a554049b91d2faa5871723
SSDEEP

12288:WuoxwConp+xd89eXSsoeKgiJy97EX3vfLBukxxn4cO7q/QzwqML1U7EJ:Wjxwpp+xauSsX0RnvfLZx4cO71MqCr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
784	Launcher.exe
1260	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Loads dropped DLL 3 IoCs

pid	Process
936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000013ba1-74.dat	nsis_installer_1
behavioral1/files/0x0007000000013ba1-74.dat	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1260	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
1260	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 784	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	28
PID 936 wrote to memory of 784	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	28
PID 936 wrote to memory of 784	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	28
PID 936 wrote to memory of 784	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	28
PID 936 wrote to memory of 784	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	28
PID 936 wrote to memory of 784	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	28
PID 936 wrote to memory of 784	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	28
PID 936 wrote to memory of 1260	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	29
PID 936 wrote to memory of 1260	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	29
PID 936 wrote to memory of 1260	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	29
PID 936 wrote to memory of 1260	936	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	29

C:\Users\Admin\AppData\Local\Temp\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
"C:\Users\Admin\AppData\Local\Temp\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\Launcher.exe /in="e14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe" /out="14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe" /psw="325e8b726dd04e16ad27a069215a215f" /typ=dec
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
  C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe /path="C:\Users\Admin\AppData\Local\Temp\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Filesize
388KB

MD5
ef17d11b2024201fa14abdf44d18606d

SHA1
07a035a5743f2f6e50d898e2691d0c728d9d482c

SHA256
d4fe14ffa0ead1fbaffee535f198d0e247e1856f151255837f46757c913469ea

SHA512
ec23667ba1c6f50c1a61eb4905fec237f8a6aaa20cfbfed242790f3db87dc9434f9580450856a6563ede684ae360a6095f05f2d1a3d3d56e4bad3c20108dc5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Filesize
388KB

MD5
ef17d11b2024201fa14abdf44d18606d

SHA1
07a035a5743f2f6e50d898e2691d0c728d9d482c

SHA256
d4fe14ffa0ead1fbaffee535f198d0e247e1856f151255837f46757c913469ea

SHA512
ec23667ba1c6f50c1a61eb4905fec237f8a6aaa20cfbfed242790f3db87dc9434f9580450856a6563ede684ae360a6095f05f2d1a3d3d56e4bad3c20108dc5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\Launcher.exe

Filesize
104KB

MD5
079afdb2d8e7ba0148739644baa2d96b

SHA1
e2a50f8f5ed71b910cc56f72b6a8972ff03aa814

SHA256
9c12d7b7dfb5658475251c0a90f2f733fcd2a6c43f4d94f3f82e9f03693e772d

SHA512
b03f17c57868f0987632895ec1413a4c64a61f1bc38d6035ad5fd44114bfedf431a97abc22e7027967ca50a614f72c798ef1960ea718b08993854115718883d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\Launcher.exe

Filesize
104KB

MD5
079afdb2d8e7ba0148739644baa2d96b

SHA1
e2a50f8f5ed71b910cc56f72b6a8972ff03aa814

SHA256
9c12d7b7dfb5658475251c0a90f2f733fcd2a6c43f4d94f3f82e9f03693e772d

SHA512
b03f17c57868f0987632895ec1413a4c64a61f1bc38d6035ad5fd44114bfedf431a97abc22e7027967ca50a614f72c798ef1960ea718b08993854115718883d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\e14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Filesize
388KB

MD5
9d46c414841671ec396f6e8b80427911

SHA1
2fd7aa3016d974b18ddbff20ec2e6006a0066993

SHA256
0b4af485e10fe21f6c592944f89c38e57a65f3a8c3b3bd0ac0f3b58a9dec9af7

SHA512
fca64190f765129554b77085beddabfd174668fd7c5db506a03a2254d314f7560c99c94f1f6715fbb846485ce951683faf4604df77d9ee3b068cbc6b15c78227

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\installer.exe

Filesize
518KB

MD5
ac11eb72ce91ac8c2b066612be8e2ef8

SHA1
d8d10f4dfe4049f0e510c3b98d79e013660d2a4a

SHA256
14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72

SHA512
87197a5d8067dc01acd894eb735d80e3937288909ff6d300af76511030dba92ecfae9af3feaac7a4e17413cbdc211fa2fd54a7c079a554049b91d2faa5871723

Download Submit
\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Filesize
388KB

MD5
ef17d11b2024201fa14abdf44d18606d

SHA1
07a035a5743f2f6e50d898e2691d0c728d9d482c

SHA256
d4fe14ffa0ead1fbaffee535f198d0e247e1856f151255837f46757c913469ea

SHA512
ec23667ba1c6f50c1a61eb4905fec237f8a6aaa20cfbfed242790f3db87dc9434f9580450856a6563ede684ae360a6095f05f2d1a3d3d56e4bad3c20108dc5cf

Download Submit
\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\AbZIevZd5vgXxxB\Launcher.exe

Filesize
104KB

MD5
079afdb2d8e7ba0148739644baa2d96b

SHA1
e2a50f8f5ed71b910cc56f72b6a8972ff03aa814

SHA256
9c12d7b7dfb5658475251c0a90f2f733fcd2a6c43f4d94f3f82e9f03693e772d

SHA512
b03f17c57868f0987632895ec1413a4c64a61f1bc38d6035ad5fd44114bfedf431a97abc22e7027967ca50a614f72c798ef1960ea718b08993854115718883d3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy698.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/784-66-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/784-64-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/784-63-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/936-56-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/936-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1260-72-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/1260-73-0x000007FEF2CB0000-0x000007FEF3D46000-memory.dmp

Filesize
16.6MB

Download