d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d

General

Target

d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d.exe
Size

1.7MB
MD5

c00ebf90184afe90d8ae930ec1b06ece
SHA1

8561f542436664c97669cbf672095e2aa626ccf6
SHA256

d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d
SHA512

ad05a50552ae40c57b1ae831d854a8aea3e7be6e1d89f34cf8e4c42a1ce72b9aa80605c602ed26ae00c0d6e82b75fd6175a54cad20edaa02dc28932880d73e07
SSDEEP

24576:iTmeZduEFfMrKf6EQg4qqfbT2T+wrTjSiY2frN/JkRVXmPjgMo3TEZ4TqIMNpyr:iTmemEFfDf6EQgY/2qE7rR0V28MozTo4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
936	Un_A.exe

Loads dropped DLL 6 IoCs

pid	Process
1724	d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d.exe
936	Un_A.exe
936	Un_A.exe
936	Un_A.exe
936	Un_A.exe
936	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
936	Un_A.exe
936	Un_A.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 936	1724	d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d.exe	28
PID 1724 wrote to memory of 936	1724	d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d.exe	28
PID 1724 wrote to memory of 936	1724	d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d.exe	28
PID 1724 wrote to memory of 936	1724	d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d.exe	28

C:\Users\Admin\AppData\Local\Temp\d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d.exe
"C:\Users\Admin\AppData\Local\Temp\d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
1.7MB

MD5
c00ebf90184afe90d8ae930ec1b06ece

SHA1
8561f542436664c97669cbf672095e2aa626ccf6

SHA256
d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d

SHA512
ad05a50552ae40c57b1ae831d854a8aea3e7be6e1d89f34cf8e4c42a1ce72b9aa80605c602ed26ae00c0d6e82b75fd6175a54cad20edaa02dc28932880d73e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
1.7MB

MD5
c00ebf90184afe90d8ae930ec1b06ece

SHA1
8561f542436664c97669cbf672095e2aa626ccf6

SHA256
d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d

SHA512
ad05a50552ae40c57b1ae831d854a8aea3e7be6e1d89f34cf8e4c42a1ce72b9aa80605c602ed26ae00c0d6e82b75fd6175a54cad20edaa02dc28932880d73e07

Download Submit
\Users\Admin\AppData\Local\Temp\nsd11BE.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd11BE.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\nsd11BE.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca5bb0ee2b698869c41c087c9854487c

SHA1
4a8abbb2544f1a9555e57a142a147dfeb40c4ca4

SHA256
c719697d5ced17d97bbc48662327339ccec7e03f6552aa1d5c248f6fa5f16324

SHA512
363a80843d7601ba119bc981c4346188f490b388e3ed390a0667aaf5138b885eec6c69d4e7f60f93b069d6550277f4c926bd0f37bc893928111dc62494124770

Download Submit
\Users\Admin\AppData\Local\Temp\nsd11BE.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd11BE.tmp\nsisdui.dll

Filesize
633KB

MD5
c11e1869bdfbe9054d363df118ecd0ef

SHA1
a3e62af8efcd84149bfa29824ab640aa9b558a0e

SHA256
1c9ccc6d06e4198b97a349fd715a71b3b76829cdca7eea5f912aef8a0a6506c4

SHA512
8d45f09469fdd33f2736b72f6aeb37e53c6e14a4052fc62847b3a6f94cf93435763b11d9396ec51a1a6d61e741b5549bf7e1b971b6c475ab0948c0ba4a6d70ef

Download Submit
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
1.7MB

MD5
c00ebf90184afe90d8ae930ec1b06ece

SHA1
8561f542436664c97669cbf672095e2aa626ccf6

SHA256
d813fb4b0dedaaa7ba63198449c0c59b984f725a0ecc01f925162b04b98bac8d

SHA512
ad05a50552ae40c57b1ae831d854a8aea3e7be6e1d89f34cf8e4c42a1ce72b9aa80605c602ed26ae00c0d6e82b75fd6175a54cad20edaa02dc28932880d73e07

Download Submit
memory/1724-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing