8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186

Analysis

max time kernel
126s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/03/2023, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe
Size

1.1MB
MD5

f7549734c8ff0242f7ba528fcb554a64
SHA1

257f84423fecb950ecf9c64681b8207e479a0773
SHA256

8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186
SHA512

bcdd0fed46bc434e2ac45187268a737cb4b1528535c8074519340ebde393977204ebb026cf6c83ccdb09b92b95785bba59aa8f199e1b4fc08126abbb34d04020
SSDEEP

24576:WsJlBqAp6iVygapIsNEuz0YZGAmPwTZYscEM56IXg4PhSrZ89o4PhSrs:W+Bvl/FsN/z0YmPwmscEM5fXgeh59oe5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
672	taskkill.exe

Loads dropped DLL 6 IoCs

pid	Process
2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe
2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe
2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe
2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe
2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe
2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
672	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
672	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
672	taskkill.exe
672	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1232	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	27
PID 2012 wrote to memory of 1232	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	27
PID 2012 wrote to memory of 1232	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	27
PID 2012 wrote to memory of 1232	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	27
PID 2012 wrote to memory of 1232	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	27
PID 2012 wrote to memory of 1232	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	27
PID 2012 wrote to memory of 1232	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	27
PID 2012 wrote to memory of 672	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	28
PID 2012 wrote to memory of 672	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	28
PID 2012 wrote to memory of 672	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	28
PID 2012 wrote to memory of 672	2012	8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe	28

C:\Users\Admin\AppData\Local\Temp\8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe
"C:\Users\Admin\AppData\Local\Temp\8830accef6879346046bfa3b56802cdedc616a14358db4bc7d6f6dced3b1e186.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /u /s "C:\Windows\system32\AtlCtrlForRockeyArm.dll"
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\nso2974.tmp\taskkill.exe
  C:\Users\Admin\AppData\Local\Temp\nso2974.tmp\taskkill.exe
  2⤵
  - Executes dropped EXE
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso2974.tmp\taskkill.exe

Filesize
200KB

MD5
f7d0bf0678f6e807c66bf9db79cee39d

SHA1
1388c7e46d02d6aec3e6215479360bc3e384a003

SHA256
13cb9ee26ba000a09c2fc632be4706cb32f36494105a77f1c421e28cd66c13fc

SHA512
accf7e4981224d5aae5a1e9f7f7a76321b6ef1b8ac26fca336da3d1c79fccc083ab5a622b53f7c55d14aad4e0c7bccf0c7e20129a0593d19bb08d9ee8d2727df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2974.tmp\taskkill.exe

Filesize
200KB

MD5
f7d0bf0678f6e807c66bf9db79cee39d

SHA1
1388c7e46d02d6aec3e6215479360bc3e384a003

SHA256
13cb9ee26ba000a09c2fc632be4706cb32f36494105a77f1c421e28cd66c13fc

SHA512
accf7e4981224d5aae5a1e9f7f7a76321b6ef1b8ac26fca336da3d1c79fccc083ab5a622b53f7c55d14aad4e0c7bccf0c7e20129a0593d19bb08d9ee8d2727df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2974.tmp\taskkill.exe

Filesize
200KB

MD5
f7d0bf0678f6e807c66bf9db79cee39d

SHA1
1388c7e46d02d6aec3e6215479360bc3e384a003

SHA256
13cb9ee26ba000a09c2fc632be4706cb32f36494105a77f1c421e28cd66c13fc

SHA512
accf7e4981224d5aae5a1e9f7f7a76321b6ef1b8ac26fca336da3d1c79fccc083ab5a622b53f7c55d14aad4e0c7bccf0c7e20129a0593d19bb08d9ee8d2727df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst28A8.tmp\UserInfo.dll

Filesize
4KB

MD5
87c91c0273a0b969c5fe83bc94ecff75

SHA1
7313779c8d7a016c410a37b226602db6a1eed859

SHA256
e9cb05c09851c6a1d4e4674c92fc8787de41f8c028ca2ff79a1f13ec352ee036

SHA512
f035d17f2a1053c8a326ae6c4b03d72c5a3f903ab4eed17bc128312d8357f4e149f1f759e7896fa52f310cec0850598270233683bf6103fbc0401af0325a0700

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst28A8.tmp\ioSpecial.ini

Filesize
728B

MD5
6a49d8b1f5073d04a5643670477969b4

SHA1
9050efbd51f269b4cef7f1a10492081447c56d51

SHA256
abad7ef6d3777d50a055db1cff4fb0cbb113f55c63ce7daeb53f43cffdb6c76c

SHA512
bf3083de879c535f2d61d99c4b4b187bc97f19413b783378c6cc39681bf95b1a461256d9480a000419f741d9208a2b4b298c420bbcd615187879bfed2edf2f5a

Download Submit
\Users\Admin\AppData\Local\Temp\nso2974.tmp\taskkill.exe

Filesize
200KB

MD5
f7d0bf0678f6e807c66bf9db79cee39d

SHA1
1388c7e46d02d6aec3e6215479360bc3e384a003

SHA256
13cb9ee26ba000a09c2fc632be4706cb32f36494105a77f1c421e28cd66c13fc

SHA512
accf7e4981224d5aae5a1e9f7f7a76321b6ef1b8ac26fca336da3d1c79fccc083ab5a622b53f7c55d14aad4e0c7bccf0c7e20129a0593d19bb08d9ee8d2727df

Download Submit
\Users\Admin\AppData\Local\Temp\nso2974.tmp\taskkill.exe

Filesize
200KB

MD5
f7d0bf0678f6e807c66bf9db79cee39d

SHA1
1388c7e46d02d6aec3e6215479360bc3e384a003

SHA256
13cb9ee26ba000a09c2fc632be4706cb32f36494105a77f1c421e28cd66c13fc

SHA512
accf7e4981224d5aae5a1e9f7f7a76321b6ef1b8ac26fca336da3d1c79fccc083ab5a622b53f7c55d14aad4e0c7bccf0c7e20129a0593d19bb08d9ee8d2727df

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A8.tmp\InstallOptions.dll

Filesize
15KB

MD5
b95d34721ba821937a3bf42ed0a0ac0d

SHA1
b6dd2be3d259dff69e071776caa1d57cb9eb3671

SHA256
b611c08c4fff210d39804d70fbcf46c6ac7b79d9772500b00ae8e4c3f4ea74ec

SHA512
90796ca57a05c4434de54e3c4241df4afe7692892344dbdcc4027bc83f0d51d6a0e4ad1807902a440beac1a662014be8f9ce0ef54217aa950fa1fca75de9214c

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A8.tmp\System.dll

Filesize
11KB

MD5
a0299e611058b20abf4130ebc2b7055e

SHA1
eb3da7e272ca8b07c85f16badb599b3c470016c5

SHA256
33e48b9f2bae120bf194378320d36f7dc04c502f7bdfc7db021fffb3ef0d5665

SHA512
08473612ea20beb3c80859bf3545b9b302980802e4469bc4e0852e27180efaa74f4b377ab786d351c34b9fedefa136202b89dd2b3772ee9bc3363021de3e971c

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A8.tmp\UserInfo.dll

Filesize
4KB

MD5
87c91c0273a0b969c5fe83bc94ecff75

SHA1
7313779c8d7a016c410a37b226602db6a1eed859

SHA256
e9cb05c09851c6a1d4e4674c92fc8787de41f8c028ca2ff79a1f13ec352ee036

SHA512
f035d17f2a1053c8a326ae6c4b03d72c5a3f903ab4eed17bc128312d8357f4e149f1f759e7896fa52f310cec0850598270233683bf6103fbc0401af0325a0700

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A8.tmp\UserInfo.dll

Filesize
4KB

MD5
87c91c0273a0b969c5fe83bc94ecff75

SHA1
7313779c8d7a016c410a37b226602db6a1eed859

SHA256
e9cb05c09851c6a1d4e4674c92fc8787de41f8c028ca2ff79a1f13ec352ee036

SHA512
f035d17f2a1053c8a326ae6c4b03d72c5a3f903ab4eed17bc128312d8357f4e149f1f759e7896fa52f310cec0850598270233683bf6103fbc0401af0325a0700

Download Submit