9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a

Analysis

max time kernel
57s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09-12-2022 13:54

Target

9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe
Size

401KB
MD5

3c2bd12f7b7bd7dce1356ee121390e59
SHA1

690d0ca0574f5ba2a3ec29ea1486b139b6c1444e
SHA256

9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a
SHA512

7a94e20f8813bf8ee86ebdde151b834e48eb2f40c7dbd2c5829f85d5a995a082d1ee3ed5dbc7a1ea3d1830ccd7b422e6d22a8bcd3ad6a34abf7fb144432ef128
SSDEEP

6144:wLsBN8xoIVidwra/vPrF5bQ5e9eAQIki+uC1szbhQqfP3OvPk:rBrL8AQIki+u5hJXOXk

Score

7^/10

discovery

Loads dropped DLL 1 IoCs

Processes:

9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe

pid process

1676 9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1676	9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe

Drops file in Program Files directory 1 IoCs

Processes:

9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Marehan\Forthought.pec	9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe

Drops file in Windows directory 6 IoCs

Processes:

9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Trynen\Brsnoteringerne\Drpladerne\Forkyndelsers.Bis	9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe
File opened for modification	C:\Windows\resources\Bladed196.Est	9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe
File created	C:\Windows\Pignorative.lnk	9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe
File opened for modification	C:\Windows\Pignorative.lnk	9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe
File opened for modification	C:\Windows\Mandsdomineredes23\Irreturnable\Copromisor\Summetone.ini	9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe
File opened for modification	C:\Windows\resources\redigeringsarbejdernes.Fas	9f24c8aa143c08e781f1af679d50fd0b354b84f7d0aeb69dbe10a902dca5e02a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\nsd8844.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/1676-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1676-56-0x0000000002890000-0x00000000034DA000-memory.dmp

Filesize
12.3MB

Download
memory/1676-57-0x0000000002890000-0x00000000034DA000-memory.dmp

Filesize
12.3MB

Download