59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e

Analysis

max time kernel
91s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2023, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e.exe
Size

616KB
MD5

4c9313e001a84d769db5ceb6f7280ece
SHA1

a3d48ee9dd99faf6107310acba7932d3002f80db
SHA256

59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e
SHA512

a82d740cd7eae1e5a5c81be5e68265a1016169cedfcd37fd6f585bc0f2931ac54854f5d4449949c29eb0ab1aaa70cacc0cf9282f9a4cb2529bd052e1bbd6a80c
SSDEEP

12288:1ol5gdRF05Ao9c+xNI8I2eopVPvTUn575Z7qZnpriSAAaMDe8Q:1ol5gdRF05Aoq+xNI8I2eoppUnThkBpa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4820	Un_A.exe

Loads dropped DLL 1 IoCs

pid	Process
4820	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e25-133.dat	nsis_installer_1
behavioral2/files/0x0006000000022e25-133.dat	nsis_installer_2
behavioral2/files/0x0006000000022e25-134.dat	nsis_installer_1
behavioral2/files/0x0006000000022e25-134.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4820	4772	59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e.exe	81
PID 4772 wrote to memory of 4820	4772	59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e.exe	81
PID 4772 wrote to memory of 4820	4772	59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e.exe	81

C:\Users\Admin\AppData\Local\Temp\59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e.exe
"C:\Users\Admin\AppData\Local\Temp\59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh7343.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
616KB

MD5
4c9313e001a84d769db5ceb6f7280ece

SHA1
a3d48ee9dd99faf6107310acba7932d3002f80db

SHA256
59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e

SHA512
a82d740cd7eae1e5a5c81be5e68265a1016169cedfcd37fd6f585bc0f2931ac54854f5d4449949c29eb0ab1aaa70cacc0cf9282f9a4cb2529bd052e1bbd6a80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
616KB

MD5
4c9313e001a84d769db5ceb6f7280ece

SHA1
a3d48ee9dd99faf6107310acba7932d3002f80db

SHA256
59e77930821973ce7e4ba5dcb51c72d8fa72f8469dcfa9181d1236513d36905e

SHA512
a82d740cd7eae1e5a5c81be5e68265a1016169cedfcd37fd6f585bc0f2931ac54854f5d4449949c29eb0ab1aaa70cacc0cf9282f9a4cb2529bd052e1bbd6a80c

Download Submit