Analysis
max time kernel: 296s
max time network: 350s
platform: windows10-2004_x64
resource: win10v2004-20221111-es
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 10-02-2023 17:50
Static task: static1
Behavioral task: behavioral1
  Sample: Windows 10 Rounded.exe
  Resource: win10-20220901-es
Behavioral task: behavioral2
  Sample: Windows 10 Rounded.exe
  Resource: win10v2004-20221111-es
General
Target: Windows 10 Rounded.exe
Size: 2.4MB
MD5: 11ff322997d98d02afe198c20b613ff3
SHA1: 48e70395f187454bddc01484a6cbcf1c5f1753fc
SHA256: 9482be3fcb23242751dfc68c1f239c92de3999618ca2d3ae0d7c9f5f596876f4
SHA512: 11cc64b00f741b44c73c835e6da3c103d4a690e1c6c009cd020967e870967f31bd2ad8851f4e0d2a2c6e964558665e84d33839f82db2e178053d7ffb5b191ee4
SSDEEP: 49152:DXNPtf+dAGSXAZGxgF3Nr13EfePGBT5OHTdg5K6EnCN11Y:DPxD5g1p9keGLc+SH
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\nsc1918.tmp\Aero.dll  yara_rule: acprotect
Loads dropped DLL (3 IoCs)
Processes:
  pid 3496  Windows 10 Rounded.exe
  pid 3496  Windows 10 Rounded.exe
  pid 3496  Windows 10 Rounded.exe
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\nsc1918.tmp\Aero.dll  yara_rule: upx
  resource: behavioral2/memory/3496-135-0x0000000074DE0000-0x0000000074DEA000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3496-136-0x0000000074DE0000-0x0000000074DEA000-memory.dmp  yara_rule: upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nsc1918.tmp\Aero.dll
  Filesize: 6KB
  MD5: 243bf44688b131c3171f2827a93e39dc
  SHA1: 07e9c7bd16ae47953e42c06ae2606de188386f35
  SHA256: 04a577df50431eb0ff6fb103566402bf66c50415bcc1f8a86b9c235053131455
  SHA512: a1a8c21d38c54a43d1c6c394f481dfbddcb359c617e9928ecca8f84d47354616a78d20735a1fe7bebd21626c21cf96d0e1a69e3e98f6b35f2a774cc0244f9516
C:\Users\Admin\AppData\Local\Temp\nsc1918.tmp\advsplash.dll
  Filesize: 5KB
  MD5: 176ec6dc75972ce900793396723ed374
  SHA1: 551f8cab48da2b2770442d10e3e18edc44760357
  SHA256: f568ebb5792b5054cd871cbe128e6f409b097e79be7366d409189e0a1c1f9f83
  SHA512: 8ea30e09fc1db2616b4946b65a0136afce96991764693725f956a5aa1cfc871595ea2101cfbd3b3280aba803a1dd8199ba7245b5925ecb0c00e641eca1d64b5f
C:\Users\Admin\AppData\Local\Temp\nsc1918.tmp\nsDialogs.dll
  Filesize: 9KB
  MD5: 1c8b2b40c642e8b5a5b3ff102796fb37
  SHA1: 3245f55afac50f775eb53fd6d14abb7fe523393d
  SHA256: 8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c
  SHA512: 4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57
memory/3496-135-0x0000000074DE0000-0x0000000074DEA000-memory.dmp
  Filesize: 40KB
memory/3496-136-0x0000000074DE0000-0x0000000074DEA000-memory.dmp
  Filesize: 40KB