93b2804de9aa165857fdc21c9c6512c5d3a2308d29441f0015d4ac700c95f25e

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/02/2023, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b313a2cd142a85fb482afa7a0bd7834.exe
Size

325KB
MD5

6b313a2cd142a85fb482afa7a0bd7834
SHA1

8d74e31351b6efe3fdeb5a568fbb3144578ba19b
SHA256

93b2804de9aa165857fdc21c9c6512c5d3a2308d29441f0015d4ac700c95f25e
SHA512

97f226fe6379ab6936cb83ba2d3c54b8c150d3405150c3b48bba7ea6068d42910cd5ff755a093ccb1611d9027624fb5145b0654673234f8df4b57c60de037b6c
SSDEEP

3072:JYjClDhQlDvrcHxKp6ga1DdkJT2JQlmeIf8RQ1P7qSTMep9NO:JDOexI6hI2YmURoDrMep9NO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	setup.exe

Loads dropped DLL 7 IoCs

pid	Process
968	6b313a2cd142a85fb482afa7a0bd7834.exe
968	6b313a2cd142a85fb482afa7a0bd7834.exe
968	6b313a2cd142a85fb482afa7a0bd7834.exe
968	6b313a2cd142a85fb482afa7a0bd7834.exe
1696	setup.exe
1696	setup.exe
1696	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1696	968	6b313a2cd142a85fb482afa7a0bd7834.exe	28
PID 968 wrote to memory of 1696	968	6b313a2cd142a85fb482afa7a0bd7834.exe	28
PID 968 wrote to memory of 1696	968	6b313a2cd142a85fb482afa7a0bd7834.exe	28
PID 968 wrote to memory of 1696	968	6b313a2cd142a85fb482afa7a0bd7834.exe	28
PID 968 wrote to memory of 1696	968	6b313a2cd142a85fb482afa7a0bd7834.exe	28
PID 968 wrote to memory of 1696	968	6b313a2cd142a85fb482afa7a0bd7834.exe	28
PID 968 wrote to memory of 1696	968	6b313a2cd142a85fb482afa7a0bd7834.exe	28

C:\Users\Admin\AppData\Local\Temp\6b313a2cd142a85fb482afa7a0bd7834.exe
"C:\Users\Admin\AppData\Local\Temp\6b313a2cd142a85fb482afa7a0bd7834.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\setup.exe

Filesize
90KB

MD5
df1267ad2fb2e87a89609ead6810f612

SHA1
c36b8366158b48bf9169b710650291a0914ed262

SHA256
f03ba3740dd481ff4ed1cf7bc2c2edb2bbfe5bea1edfc0435bc26124d4c455e6

SHA512
4a3695349ae5bf1a045e3fd52359765781a15b0e4631f53119cfe8a04bf461e6d74e5228ea2e12e3760227e651db490d8c7a6acefef1d4bdd86c16fa4fd563a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\setup.exe

Filesize
90KB

MD5
df1267ad2fb2e87a89609ead6810f612

SHA1
c36b8366158b48bf9169b710650291a0914ed262

SHA256
f03ba3740dd481ff4ed1cf7bc2c2edb2bbfe5bea1edfc0435bc26124d4c455e6

SHA512
4a3695349ae5bf1a045e3fd52359765781a15b0e4631f53119cfe8a04bf461e6d74e5228ea2e12e3760227e651db490d8c7a6acefef1d4bdd86c16fa4fd563a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\nsisdl.dll

Filesize
14KB

MD5
a95c7af96416b2cd084fed4c07c8c291

SHA1
0c62c2fd843ccb59784404ed36369784dc557671

SHA256
a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0

SHA512
427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\nsisdl.dll

Filesize
14KB

MD5
a95c7af96416b2cd084fed4c07c8c291

SHA1
0c62c2fd843ccb59784404ed36369784dc557671

SHA256
a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0

SHA512
427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\setup.exe

Filesize
90KB

MD5
df1267ad2fb2e87a89609ead6810f612

SHA1
c36b8366158b48bf9169b710650291a0914ed262

SHA256
f03ba3740dd481ff4ed1cf7bc2c2edb2bbfe5bea1edfc0435bc26124d4c455e6

SHA512
4a3695349ae5bf1a045e3fd52359765781a15b0e4631f53119cfe8a04bf461e6d74e5228ea2e12e3760227e651db490d8c7a6acefef1d4bdd86c16fa4fd563a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\setup.exe

Filesize
90KB

MD5
df1267ad2fb2e87a89609ead6810f612

SHA1
c36b8366158b48bf9169b710650291a0914ed262

SHA256
f03ba3740dd481ff4ed1cf7bc2c2edb2bbfe5bea1edfc0435bc26124d4c455e6

SHA512
4a3695349ae5bf1a045e3fd52359765781a15b0e4631f53119cfe8a04bf461e6d74e5228ea2e12e3760227e651db490d8c7a6acefef1d4bdd86c16fa4fd563a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\setup.exe

Filesize
90KB

MD5
df1267ad2fb2e87a89609ead6810f612

SHA1
c36b8366158b48bf9169b710650291a0914ed262

SHA256
f03ba3740dd481ff4ed1cf7bc2c2edb2bbfe5bea1edfc0435bc26124d4c455e6

SHA512
4a3695349ae5bf1a045e3fd52359765781a15b0e4631f53119cfe8a04bf461e6d74e5228ea2e12e3760227e651db490d8c7a6acefef1d4bdd86c16fa4fd563a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsiEA8F.tmp\setup.exe

Filesize
90KB

MD5
df1267ad2fb2e87a89609ead6810f612

SHA1
c36b8366158b48bf9169b710650291a0914ed262

SHA256
f03ba3740dd481ff4ed1cf7bc2c2edb2bbfe5bea1edfc0435bc26124d4c455e6

SHA512
4a3695349ae5bf1a045e3fd52359765781a15b0e4631f53119cfe8a04bf461e6d74e5228ea2e12e3760227e651db490d8c7a6acefef1d4bdd86c16fa4fd563a7

Download Submit
memory/968-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download