a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe
Size

512KB
MD5

616f732e15129b64e091ec0a18415d9a
SHA1

3b0f71ecf9dbf8d452bb8a5747ea67054a7e4789
SHA256

a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145
SHA512

5c9cf156f7bebf7cb51aa1994482297ece268edcebdf74e3d97982e249a1d7d2e48dc066a99ca2c8af1508cb3ec0e378f47bbf418e90c3893c1954eb24910d8b
SSDEEP

12288:7uo7CBSGofL4lDq1YXP8HjQvin+ZcaBch/HSejusWv:7jbGojADq1YAQvbTUe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4444	Launcher.exe
1432	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe

Loads dropped DLL 1 IoCs

pid	Process
4612	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e09-145.dat	nsis_installer_1
behavioral2/files/0x0006000000022e09-145.dat	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4612	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1432	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe
1432	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4444	4612	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe	81
PID 4612 wrote to memory of 4444	4612	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe	81
PID 4612 wrote to memory of 4444	4612	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe	81
PID 4612 wrote to memory of 1432	4612	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe	82
PID 4612 wrote to memory of 1432	4612	a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe	82

C:\Users\Admin\AppData\Local\Temp\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe
"C:\Users\Admin\AppData\Local\Temp\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\Launcher.exe /in="ea0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe" /out="a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe" /psw="fdf2cd8d042845dcb4961bb8949171b9" /typ=dec
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe
  C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe /path="C:\Users\Admin\AppData\Local\Temp\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\Launcher.exe

Filesize
104KB

MD5
2bf993db138066c763cf62aedeb86f84

SHA1
61ef89a4d987001ccdc964cec075154062ac2c93

SHA256
f67255ce73d8228af98f7086b0ff36853dc59614620ff8e6cfaefcea390df9ad

SHA512
906060ed0629f438dda6443576ccfe54235a133c940b6ca4369f0de1829dfc1acd0b0868ac60d0ab3041b5747cd24a0393df4f35aafb638276b348c0f461f52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\Launcher.exe

Filesize
104KB

MD5
2bf993db138066c763cf62aedeb86f84

SHA1
61ef89a4d987001ccdc964cec075154062ac2c93

SHA256
f67255ce73d8228af98f7086b0ff36853dc59614620ff8e6cfaefcea390df9ad

SHA512
906060ed0629f438dda6443576ccfe54235a133c940b6ca4369f0de1829dfc1acd0b0868ac60d0ab3041b5747cd24a0393df4f35aafb638276b348c0f461f52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe

Filesize
382KB

MD5
5d346152bb7b442c02e4803d22733e89

SHA1
b0b0bf4148bcfac95ef6e86f4b0fe92110d0ed64

SHA256
c0250f0e6ec50abd270cfc59229c6ee7ae66ab64d599e75dfc8605d17c4e4290

SHA512
39d0e52f09a57d99d03d60f11f345c7de80eb284c91fbb6d1c1f050f50d40c226a2f20f10e84a56e53b4665683e3460322e0f86f0524e3e3ebf22c5c99c4dfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe

Filesize
382KB

MD5
5d346152bb7b442c02e4803d22733e89

SHA1
b0b0bf4148bcfac95ef6e86f4b0fe92110d0ed64

SHA256
c0250f0e6ec50abd270cfc59229c6ee7ae66ab64d599e75dfc8605d17c4e4290

SHA512
39d0e52f09a57d99d03d60f11f345c7de80eb284c91fbb6d1c1f050f50d40c226a2f20f10e84a56e53b4665683e3460322e0f86f0524e3e3ebf22c5c99c4dfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\ea0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe

Filesize
382KB

MD5
35dcc4433d6e52d013e2cff87584704f

SHA1
fd1f2365101ed7b2ffaac4599b095ab63b590287

SHA256
eb0c75e0c1eac0382a8195d0bd4797c82042fc6aeea0905c03e7e84fd9652ebf

SHA512
e879478ceb8458cf23d4bd988044ae1c0a26f707560277cba479b2d3a3b39f0cc26418b135b16b758677ace2247d4b8eae782b964a4b49db656234b2c0b07182

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145.exe\oMSIeCYzFnzxt0B\installer.exe

Filesize
512KB

MD5
616f732e15129b64e091ec0a18415d9a

SHA1
3b0f71ecf9dbf8d452bb8a5747ea67054a7e4789

SHA256
a0c7cf977faf1f5b5c79854a30b26b8c0bd15b293d1fbb2a6ccc296638f71145

SHA512
5c9cf156f7bebf7cb51aa1994482297ece268edcebdf74e3d97982e249a1d7d2e48dc066a99ca2c8af1508cb3ec0e378f47bbf418e90c3893c1954eb24910d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh81C9.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/1432-139-0x0000000000000000-mapping.dmp

Download
memory/1432-143-0x00007FFEA4480000-0x00007FFEA4EB6000-memory.dmp

Filesize
10.2MB

Download
memory/1432-144-0x00000000019AA000-0x00000000019AF000-memory.dmp

Filesize
20KB

Download
memory/1432-146-0x00000000019AA000-0x00000000019AF000-memory.dmp

Filesize
20KB

Download
memory/4444-138-0x0000000073470000-0x0000000073A21000-memory.dmp

Filesize
5.7MB

Download
memory/4444-133-0x0000000000000000-mapping.dmp

Download