af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17

Analysis

max time kernel
57s
max time network
99s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 09:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe
Size

178KB
MD5

78c9f49106482e651dcd8d8198edecd7
SHA1

a4b2f890a32027f62c487ca891df32752c5c2c24
SHA256

af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17
SHA512

28e03b4b02737837df94df5924ca55a7c14bf0ac8044564a6ef13177250eaf5c8ed47a2eb7868491929a8845719de6803f426b75a8934797f8247a987fc8ced4
SSDEEP

3072:RnOn7t7XpdpCCTg/sxFgJgAG7uDC4fvS2v2C/AQHLSO9kOaZCMfb6EoHakqfTcPQ:RKpdcCrTLAGf9yH2OqJoHPPTE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
904	northstar.exe

Loads dropped DLL 2 IoCs

pid	Process
1276	af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe
1276	af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
904	northstar.exe
904	northstar.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 904	1276	af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe	28
PID 1276 wrote to memory of 904	1276	af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe	28
PID 1276 wrote to memory of 904	1276	af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe	28
PID 1276 wrote to memory of 904	1276	af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe	28

C:\Users\Admin\AppData\Local\Temp\af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe
"C:\Users\Admin\AppData\Local\Temp\af9d63a1cb42cab4b44ac8db4f01fc8af4b838e46ed7eacf7ad13754b0a53a17.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\nsoD3C6.tmp\northstar.exe
  C:\Users\Admin\AppData\Local\Temp\nsoD3C6.tmp\northstar.exe /dT201303201443 /u511a08f8-d444-49ec-a50d-7f125bc06f2f /e5614361
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoD3C6.tmp\northstar.exe

Filesize
257KB

MD5
a767c2de2a3aa84e70da1230b2dd8f26

SHA1
92fc3b006b30b37e699d0cd1069391f3edd09fc8

SHA256
272ee7f5bffe70f329cfe9fcd7d61eb7a34c4dc2c5de3a6f5fd078962dcde7d3

SHA512
2beb66dad6db97d856cfe05daef19f3368c310ae10f27b90a541ae3be2ac15d6de0c2983df6d3b0f9722240bbd39e80ab9f0ef57e00eae16b72f3c98742e0496

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD3C6.tmp\northstar.exe

Filesize
257KB

MD5
a767c2de2a3aa84e70da1230b2dd8f26

SHA1
92fc3b006b30b37e699d0cd1069391f3edd09fc8

SHA256
272ee7f5bffe70f329cfe9fcd7d61eb7a34c4dc2c5de3a6f5fd078962dcde7d3

SHA512
2beb66dad6db97d856cfe05daef19f3368c310ae10f27b90a541ae3be2ac15d6de0c2983df6d3b0f9722240bbd39e80ab9f0ef57e00eae16b72f3c98742e0496

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD3C6.tmp\VPatch.dll

Filesize
10KB

MD5
20ee82203544c4f831a7dc1650e7ec51

SHA1
671affb8e32f06777483782197173af254e02548

SHA256
69a00c14562ea5a71f6196b307292fa6d8b1a2fc02368020f40c84b3b0a1a83a

SHA512
4dabcc0cfebb36cfe57fa05777224f45c04c84031cfecf4184bd95d2b148ce18a6c91655320e69c1709e740a261e1e25effc8395fed91d0fc61b18f9a9f7685f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD3C6.tmp\northstar.exe

Filesize
257KB

MD5
a767c2de2a3aa84e70da1230b2dd8f26

SHA1
92fc3b006b30b37e699d0cd1069391f3edd09fc8

SHA256
272ee7f5bffe70f329cfe9fcd7d61eb7a34c4dc2c5de3a6f5fd078962dcde7d3

SHA512
2beb66dad6db97d856cfe05daef19f3368c310ae10f27b90a541ae3be2ac15d6de0c2983df6d3b0f9722240bbd39e80ab9f0ef57e00eae16b72f3c98742e0496

Download Submit
memory/904-61-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/904-62-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/904-63-0x0000000000239000-0x000000000024A000-memory.dmp

Filesize
68KB

Download
memory/904-64-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/904-65-0x0000000000239000-0x000000000024A000-memory.dmp

Filesize
68KB

Download
memory/1276-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download