c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad

Analysis

max time kernel
202s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe
Size

180KB
MD5

4b1247a5cdd57991a79f5c6893e9c18d
SHA1

d5005ed4c239d78a968bc62abf01bbfef0ecff9a
SHA256

c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad
SHA512

55fbdf1b74fc579c9c50ded0435f1987a45de5326c38180e0a5461cbfd46d84a92fa8b6e6ddb8016516b144e84b360f45a35d69a55006b9b01f05b2b1659d9bd
SSDEEP

3072:ke5ghsX8ojXJMPjZdIPPxbWaOrwQIJjfbisMCNsKD6t1RD2Y2KN+B5ezAl/6:hasRmPDEAvUXpsKD6tj5P+B8zAli

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	dnwc.exe

Loads dropped DLL 3 IoCs

pid	Process
1056	c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe
1056	c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe
1056	c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1708	1056	c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe	79
PID 1056 wrote to memory of 1708	1056	c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe	79
PID 1056 wrote to memory of 1708	1056	c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe	79

C:\Users\Admin\AppData\Local\Temp\c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe
"C:\Users\Admin\AppData\Local\Temp\c0a5e5bbd06cc6d60a07fdc2317911c0a1cd44e671414ffcc58bba4292b6d5ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\nsl4911.tmp\dnwc.exe
  C:\Users\Admin\AppData\Local\Temp\nsl4911.tmp\dnwc.exe
  2⤵
  - Executes dropped EXE
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl4911.tmp\UAC.dll

Filesize
13KB

MD5
431e5b960aa15af5d153bae6ba6b7e87

SHA1
e090c90be02e0bafe5f3d884c0525d8f87b3db40

SHA256
a6d956f28c32e8aa2ab2df13ef52637e23113fab41225031e7a3d47390a6cf13

SHA512
f1526c7e4d0fce8ab378e43e89aafb1d7e9d57ef5324501e804091e99331dd2544912181d6d4a07d30416fe17c892867c593aee623834935e11c7bb385c6a0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4911.tmp\dnwc.exe

Filesize
300KB

MD5
097e4d05ef82c424631bd09ce2ff9ba6

SHA1
b923dd67b3ec4963eb72669bf19a6135ad59cde1

SHA256
94a68873087e3728d21698d4bc073bab8d5703495ae68967af3edbd00f146452

SHA512
886b3a246030e4232e425800b53c4e98e741099c0cb5f7998a04fbdcef394626154d6cd6c20f191100497b0dff66f059db25cd03edfa76a45cfa47810abbd6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4911.tmp\dnwc.exe

Filesize
300KB

MD5
097e4d05ef82c424631bd09ce2ff9ba6

SHA1
b923dd67b3ec4963eb72669bf19a6135ad59cde1

SHA256
94a68873087e3728d21698d4bc073bab8d5703495ae68967af3edbd00f146452

SHA512
886b3a246030e4232e425800b53c4e98e741099c0cb5f7998a04fbdcef394626154d6cd6c20f191100497b0dff66f059db25cd03edfa76a45cfa47810abbd6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4911.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4911.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
memory/1056-135-0x0000000003251000-0x0000000003254000-memory.dmp

Filesize
12KB

Download
memory/1708-139-0x0000000073B40000-0x00000000740F1000-memory.dmp

Filesize
5.7MB

Download
memory/1708-140-0x0000000073B40000-0x00000000740F1000-memory.dmp

Filesize
5.7MB

Download