107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69

Analysis

max time kernel
135s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe
Size

528KB
MD5

87d5bee855cbe83a4ad1a8d86e0a3363
SHA1

d63d206af4d7ace5568eea53818cbda9bd9d47ad
SHA256

107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69
SHA512

d945678407fa3df1f29ee6d169bcdf94b618b985ca856b7a3299f74c3fe86c4731e375e457535196a3bbed021ee91d0f33a260e8fb6647af4d1a47384e2a5dc3
SSDEEP

12288:KuoxCf/HOWVYS9do6J5s3bHbYY7UhbBEq1i38As75Ai2VVVEX:KjxEfnHdjJ5s7H7UhFa8AL3Xu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
948	Launcher.exe
1312	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe

Loads dropped DLL 4 IoCs

pid	Process
1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe
1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe
1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe
1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000146a9-73.dat	nsis_installer_1
behavioral1/files/0x00060000000146a9-73.dat	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1312	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe
1312	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 948	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	26
PID 1508 wrote to memory of 948	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	26
PID 1508 wrote to memory of 948	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	26
PID 1508 wrote to memory of 948	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	26
PID 1508 wrote to memory of 948	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	26
PID 1508 wrote to memory of 948	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	26
PID 1508 wrote to memory of 948	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	26
PID 1508 wrote to memory of 1312	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	27
PID 1508 wrote to memory of 1312	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	27
PID 1508 wrote to memory of 1312	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	27
PID 1508 wrote to memory of 1312	1508	107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe	27

C:\Users\Admin\AppData\Local\Temp\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe
"C:\Users\Admin\AppData\Local\Temp\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\Launcher.exe /in="e107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe" /out="107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe" /psw="6c6cb8aed33845b7a102658860caa25c" /typ=dec
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe
  C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe /path="C:\Users\Admin\AppData\Local\Temp\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe

Filesize
390KB

MD5
11ba4a3ce3f5e2eb73e2f3bc64268a8e

SHA1
284a1a6c776316e63b2ba121824f1619f8727727

SHA256
8312b2cd9402cd3ac935aafc6baf1085d8963bc93d6cdd67219db458821c07c7

SHA512
34937e1297c44c8f33ee4d2e374d25b5f96baa16df0adaba03162a681090165f240545cb053979a8d955ebfb7f495a4513013bacf76a13e9ed33140a96e3a486

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe

Filesize
390KB

MD5
11ba4a3ce3f5e2eb73e2f3bc64268a8e

SHA1
284a1a6c776316e63b2ba121824f1619f8727727

SHA256
8312b2cd9402cd3ac935aafc6baf1085d8963bc93d6cdd67219db458821c07c7

SHA512
34937e1297c44c8f33ee4d2e374d25b5f96baa16df0adaba03162a681090165f240545cb053979a8d955ebfb7f495a4513013bacf76a13e9ed33140a96e3a486

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\Launcher.exe

Filesize
104KB

MD5
28615447d865c19b021f7affdc951f3c

SHA1
6dcb03af13236c5b70fde8cda0adfb42eae06d43

SHA256
ecd41061053f80161d159668ce71d0f3169ba01b0579c90c05d8a19ed71bd346

SHA512
f361533dc8cc4a5abb97042162d7516eec92643ec9bcc68b1d0da02e121d5623411fdd75c0307f3e0ed2b27554710bf0500bd65105a0fea27db71fafd9e2018f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\Launcher.exe

Filesize
104KB

MD5
28615447d865c19b021f7affdc951f3c

SHA1
6dcb03af13236c5b70fde8cda0adfb42eae06d43

SHA256
ecd41061053f80161d159668ce71d0f3169ba01b0579c90c05d8a19ed71bd346

SHA512
f361533dc8cc4a5abb97042162d7516eec92643ec9bcc68b1d0da02e121d5623411fdd75c0307f3e0ed2b27554710bf0500bd65105a0fea27db71fafd9e2018f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\e107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe

Filesize
390KB

MD5
51444d26e00e7692046bbaedae456994

SHA1
3eaee4a9f44d4ec69f3d4fc99fdb224f5fcd906d

SHA256
2d2f74c9a1d9ad897ea7f69296e3bb3324b734c899dd7a2396df33e8dbbaf9f2

SHA512
9b035716454beb46bf864c37b1fd9361782774ac1caf6455fe3d827a729f2a325b70a06bce895e90ebf4eb1518c7fe4f097fbe820eaa802d6a968de35d039815

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\installer.exe

Filesize
528KB

MD5
87d5bee855cbe83a4ad1a8d86e0a3363

SHA1
d63d206af4d7ace5568eea53818cbda9bd9d47ad

SHA256
107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69

SHA512
d945678407fa3df1f29ee6d169bcdf94b618b985ca856b7a3299f74c3fe86c4731e375e457535196a3bbed021ee91d0f33a260e8fb6647af4d1a47384e2a5dc3

Download Submit
\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe

Filesize
390KB

MD5
11ba4a3ce3f5e2eb73e2f3bc64268a8e

SHA1
284a1a6c776316e63b2ba121824f1619f8727727

SHA256
8312b2cd9402cd3ac935aafc6baf1085d8963bc93d6cdd67219db458821c07c7

SHA512
34937e1297c44c8f33ee4d2e374d25b5f96baa16df0adaba03162a681090165f240545cb053979a8d955ebfb7f495a4513013bacf76a13e9ed33140a96e3a486

Download Submit
\Users\Admin\AppData\Local\Temp\DM\107794945e300f51e4001d225fb18490e63500f500fc4a43a9cc0210f3ec9c69.exe\R3l53Qz7g17ZqW2\Launcher.exe

Filesize
104KB

MD5
28615447d865c19b021f7affdc951f3c

SHA1
6dcb03af13236c5b70fde8cda0adfb42eae06d43

SHA256
ecd41061053f80161d159668ce71d0f3169ba01b0579c90c05d8a19ed71bd346

SHA512
f361533dc8cc4a5abb97042162d7516eec92643ec9bcc68b1d0da02e121d5623411fdd75c0307f3e0ed2b27554710bf0500bd65105a0fea27db71fafd9e2018f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7B0C.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7B0C.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/948-65-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/1312-71-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp

Filesize
10.1MB

Download
memory/1312-72-0x000007FEF2370000-0x000007FEF3406000-memory.dmp

Filesize
16.6MB

Download
memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1508-57-0x0000000074231000-0x0000000074233000-memory.dmp

Filesize
8KB

Download