af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe
Size

510KB
MD5

310fa91d37978cfaf44feac43c97ae51
SHA1

25e819063d3dfaa427cd5c24a4ba378bd58b8d53
SHA256

af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c
SHA512

5bde41cea18bc3d21bca28a7583eba41bb01821ba7d8bbc21edb72be359000a98b3579ea73c888fbdd48aabbf1a442a4309deef19bc23cc06118965b29432eb1
SSDEEP

12288:muoP0N8Pu4xHFGx27cGrAbhfTYawhJdxLs4Kr4AO:mjP0NNWE2zrAbhfD4Vs45

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4872	Launcher.exe
1864	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe

Loads dropped DLL 1 IoCs

pid	Process
3260	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0003000000000721-146.dat	nsis_installer_1
behavioral2/files/0x0003000000000721-146.dat	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3260	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1864	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe
1864	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4872	3260	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe	79
PID 3260 wrote to memory of 4872	3260	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe	79
PID 3260 wrote to memory of 4872	3260	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe	79
PID 3260 wrote to memory of 1864	3260	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe	80
PID 3260 wrote to memory of 1864	3260	af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe	80

C:\Users\Admin\AppData\Local\Temp\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe
"C:\Users\Admin\AppData\Local\Temp\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\Launcher.exe /in="eaf826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe" /out="af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe" /psw="952cbe682fbe401aa537c6a61cf687b8" /typ=dec
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe
  C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe /path="C:\Users\Admin\AppData\Local\Temp\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\Launcher.exe

Filesize
104KB

MD5
59160334f00327274ae72fb674d80f9f

SHA1
adfa4abda4e90321a8ee1acee15b5f6899a2489b

SHA256
7364476ff2ce59a2bb878eb09efe51e0bea948ef0ea7344410777d43feff8a70

SHA512
4a5594903e9ca0e9fcaf55a3a3ddc8895134bcada923dddf4f9d1d47b9bebd75a3e83a5bdcc97dfba19aff11b14c0fac8529bdc71c2f0ccdc2a48e1f31fc749d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\Launcher.exe

Filesize
104KB

MD5
59160334f00327274ae72fb674d80f9f

SHA1
adfa4abda4e90321a8ee1acee15b5f6899a2489b

SHA256
7364476ff2ce59a2bb878eb09efe51e0bea948ef0ea7344410777d43feff8a70

SHA512
4a5594903e9ca0e9fcaf55a3a3ddc8895134bcada923dddf4f9d1d47b9bebd75a3e83a5bdcc97dfba19aff11b14c0fac8529bdc71c2f0ccdc2a48e1f31fc749d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe

Filesize
380KB

MD5
0b863a091adf59a623070bf14678b0df

SHA1
33fb240ba289b72b2191c8a5d508627ee7239926

SHA256
8686bce4ff8edf25b0f928c197d727063e6e0c17e3ba2ad12d852cf0f502665c

SHA512
c30e705e543a98a8648ec598bc0444b79158632288d141c0720b751f437576a5a0b421948c06035d620d15eb4f3634d9a3d5985f750e3b4571327a99fe0ecd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe

Filesize
380KB

MD5
0b863a091adf59a623070bf14678b0df

SHA1
33fb240ba289b72b2191c8a5d508627ee7239926

SHA256
8686bce4ff8edf25b0f928c197d727063e6e0c17e3ba2ad12d852cf0f502665c

SHA512
c30e705e543a98a8648ec598bc0444b79158632288d141c0720b751f437576a5a0b421948c06035d620d15eb4f3634d9a3d5985f750e3b4571327a99fe0ecd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\eaf826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe

Filesize
380KB

MD5
3a9a176d410d4c6a510af88d2e0a2fa1

SHA1
4893510bde239d2c3bd5f8a57184889b4033710b

SHA256
b9e84b9bf1eb47466678d80109d1d43838bb788d5b82a3c6ab484806e0c4d134

SHA512
310f1f05645ec1ae402940e5dbffe9c3e57022310b1d27e82bb9e37cc14b68b3245696cda7a4a8f4d6d9cda57116e12fc553b7dcc4d2a2047eae36e5bc407b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c.exe\TC01Y1PwI2YaIqY\installer.exe

Filesize
510KB

MD5
310fa91d37978cfaf44feac43c97ae51

SHA1
25e819063d3dfaa427cd5c24a4ba378bd58b8d53

SHA256
af826a1f0efe49b8ae4ad033c01f6628a0a6e76b41b0e0890ff53386a799583c

SHA512
5bde41cea18bc3d21bca28a7583eba41bb01821ba7d8bbc21edb72be359000a98b3579ea73c888fbdd48aabbf1a442a4309deef19bc23cc06118965b29432eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshF36F.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/1864-144-0x00007FFA65F10000-0x00007FFA66946000-memory.dmp

Filesize
10.2MB

Download
memory/1864-145-0x00000000012FA000-0x00000000012FF000-memory.dmp

Filesize
20KB

Download
memory/1864-147-0x00000000012FA000-0x00000000012FF000-memory.dmp

Filesize
20KB

Download
memory/4872-137-0x0000000072FE0000-0x0000000073591000-memory.dmp

Filesize
5.7MB

Download
memory/4872-139-0x0000000072FE0000-0x0000000073591000-memory.dmp

Filesize
5.7MB

Download