ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
Size

196KB
MD5

213a226f4c48f52f5717e1b8ce285680
SHA1

45605fa3b820d9a13ff2f3723d035adc6f476e28
SHA256

ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473
SHA512

f6f9eb6d6b04de4717766ce5ec96d9b21871e7bdd9ba790b7b082602cdceae9f5b82616add056d5cadc3acc7728de1d6b12c2063609fee13e261e4e56e0b8612
SSDEEP

6144:2r/hO/X39JyFqNZhf8rH9II4dr/hO/X39Jp:u/h+X6sfKCI4J/h+Xx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
892	lsass.exe
544	smss.exe
320	smss.exe
1292	smss.exe
336	smss.exe
572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp
1528	smss.exe
1152	Au_.exe
1380	smss.exe

Loads dropped DLL 19 IoCs

pid	Process
2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
892	lsass.exe
892	lsass.exe
892	lsass.exe
892	lsass.exe
892	lsass.exe
892	lsass.exe
2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
892	lsass.exe
892	lsass.exe
572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp
1152	Au_.exe
1152	Au_.exe
1152	Au_.exe
892	lsass.exe
892	lsass.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\com\smss.exe	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
File created	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b0000000122f9-79.dat	nsis_installer_1
behavioral1/files/0x000800000001231c-86.dat	nsis_installer_1
behavioral1/files/0x000800000001231c-81.dat	nsis_installer_1
behavioral1/files/0x000800000001231c-90.dat	nsis_installer_1
behavioral1/files/0x0009000000012324-99.dat	nsis_installer_1
behavioral1/files/0x0009000000012324-101.dat	nsis_installer_1
behavioral1/files/0x0009000000012324-104.dat	nsis_installer_1
behavioral1/files/0x0009000000012324-103.dat	nsis_installer_1
behavioral1/files/0x0009000000012324-106.dat	nsis_installer_1
behavioral1/files/0x0009000000012324-105.dat	nsis_installer_1

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
892	lsass.exe
892	lsass.exe
320	smss.exe
544	smss.exe
1292	smss.exe
336	smss.exe
1528	smss.exe
1380	smss.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 892	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	27
PID 2032 wrote to memory of 892	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	27
PID 2032 wrote to memory of 892	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	27
PID 2032 wrote to memory of 892	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	27
PID 2032 wrote to memory of 544	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	28
PID 2032 wrote to memory of 544	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	28
PID 2032 wrote to memory of 544	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	28
PID 2032 wrote to memory of 544	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	28
PID 892 wrote to memory of 320	892	lsass.exe	29
PID 892 wrote to memory of 320	892	lsass.exe	29
PID 892 wrote to memory of 320	892	lsass.exe	29
PID 892 wrote to memory of 320	892	lsass.exe	29
PID 892 wrote to memory of 1292	892	lsass.exe	30
PID 892 wrote to memory of 1292	892	lsass.exe	30
PID 892 wrote to memory of 1292	892	lsass.exe	30
PID 892 wrote to memory of 1292	892	lsass.exe	30
PID 892 wrote to memory of 336	892	lsass.exe	31
PID 892 wrote to memory of 336	892	lsass.exe	31
PID 892 wrote to memory of 336	892	lsass.exe	31
PID 892 wrote to memory of 336	892	lsass.exe	31
PID 2032 wrote to memory of 572	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	32
PID 2032 wrote to memory of 572	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	32
PID 2032 wrote to memory of 572	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	32
PID 2032 wrote to memory of 572	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	32
PID 2032 wrote to memory of 572	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	32
PID 2032 wrote to memory of 572	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	32
PID 2032 wrote to memory of 572	2032	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe	32
PID 892 wrote to memory of 1528	892	lsass.exe	33
PID 892 wrote to memory of 1528	892	lsass.exe	33
PID 892 wrote to memory of 1528	892	lsass.exe	33
PID 892 wrote to memory of 1528	892	lsass.exe	33
PID 572 wrote to memory of 1152	572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp	34
PID 572 wrote to memory of 1152	572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp	34
PID 572 wrote to memory of 1152	572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp	34
PID 572 wrote to memory of 1152	572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp	34
PID 572 wrote to memory of 1152	572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp	34
PID 572 wrote to memory of 1152	572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp	34
PID 572 wrote to memory of 1152	572	ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp	34
PID 892 wrote to memory of 1380	892	lsass.exe	35
PID 892 wrote to memory of 1380	892	lsass.exe	35
PID 892 wrote to memory of 1380	892	lsass.exe	35
PID 892 wrote to memory of 1380	892	lsass.exe	35

C:\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe
"C:\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\com\lsass.exe
  "C:\Windows\system32\com\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:320
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1292
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:336
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1528
- - C:\Windows\SysWOW64\com\smss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1380
- C:\Windows\SysWOW64\com\smss.exe
  C:\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~|C:\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:544
- C:\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
40KB

MD5
25b88abe85cad55ea48eb829eae6f42b

SHA1
307b01d5a8fb8bdfba8c5907ff5ce8cefd480aa5

SHA256
502d11475359bec0d602ca2010ce8714be61dd742e8248df54f02716329a8fb3

SHA512
21a6c8098c8b8f24a7fa3d23b68617f67a19b62cebbbe7ee62e822b55e683fbcacfc28f33d3204ad845f6568fc2865d7960080c7b656360b9722061241eec921

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
40KB

MD5
25b88abe85cad55ea48eb829eae6f42b

SHA1
307b01d5a8fb8bdfba8c5907ff5ce8cefd480aa5

SHA256
502d11475359bec0d602ca2010ce8714be61dd742e8248df54f02716329a8fb3

SHA512
21a6c8098c8b8f24a7fa3d23b68617f67a19b62cebbbe7ee62e822b55e683fbcacfc28f33d3204ad845f6568fc2865d7960080c7b656360b9722061241eec921

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
C:\pagefile.pif

Filesize
40KB

MD5
25b88abe85cad55ea48eb829eae6f42b

SHA1
307b01d5a8fb8bdfba8c5907ff5ce8cefd480aa5

SHA256
502d11475359bec0d602ca2010ce8714be61dd742e8248df54f02716329a8fb3

SHA512
21a6c8098c8b8f24a7fa3d23b68617f67a19b62cebbbe7ee62e822b55e683fbcacfc28f33d3204ad845f6568fc2865d7960080c7b656360b9722061241eec921

Download Submit
\Users\Admin\AppData\Local\Temp\ef77d2fe49af7851e67ed03e4deaa4df063748270170aa6c8c1c5085626bb473.~tmp

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
116KB

MD5
d388717f9841ec07accbb83b6ecff60a

SHA1
668871817385fc82dac2f5b3f90add4522d0f718

SHA256
55c8bc34274334c3910fea7ddab9b86eb53096acd3bcf10a762b2d3e081d20d2

SHA512
d583f598b8a3c788661e5b4b15b0bde9f46cdb78e02b4f9073e36095a6ebaf98bbe152b9642d000b66822c83f58707e70a829f77a629c93e84d609c5c81cdb7c

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
40KB

MD5
25b88abe85cad55ea48eb829eae6f42b

SHA1
307b01d5a8fb8bdfba8c5907ff5ce8cefd480aa5

SHA256
502d11475359bec0d602ca2010ce8714be61dd742e8248df54f02716329a8fb3

SHA512
21a6c8098c8b8f24a7fa3d23b68617f67a19b62cebbbe7ee62e822b55e683fbcacfc28f33d3204ad845f6568fc2865d7960080c7b656360b9722061241eec921

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
40KB

MD5
25b88abe85cad55ea48eb829eae6f42b

SHA1
307b01d5a8fb8bdfba8c5907ff5ce8cefd480aa5

SHA256
502d11475359bec0d602ca2010ce8714be61dd742e8248df54f02716329a8fb3

SHA512
21a6c8098c8b8f24a7fa3d23b68617f67a19b62cebbbe7ee62e822b55e683fbcacfc28f33d3204ad845f6568fc2865d7960080c7b656360b9722061241eec921

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
5KB

MD5
f2dd64a520abbc1131b52009514ad014

SHA1
316a2cd3cdd3e60b6d655bf0e18d8334b84d09b6

SHA256
103093a6b5fe09d87d9a0e8575863dbca9933a24cb744a5c392e1b03a4f7ebf5

SHA512
2affba32899644ff700ed2cfc1a30301abe16aca31f96e4a7fc02d921f59ebe9a1c613a9b5b2b8a0439bf3b1e795f69c5b044501de2333a6dec4470edef85a14

Download Submit
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads