2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a

Analysis

max time kernel
87s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe
Size

29.0MB
MD5

a6f796b3e8208c252321379e982e5a93
SHA1

5c70f51021ecf050325b69e688fe4432eceb140f
SHA256

2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a
SHA512

66cff9ca51d6a456ceed8af8502075498e05442be18b8feed8ef35df132c1244d71869acb71176a85eb6e93ca4caaae67bf86b2a1acfb44e55ca2e11be0e70cd
SSDEEP

786432:vT+Nnthlxwqc4lJ+Q2Ed+O7wsNSyd6ZeWeUeEL2b1lL:vTwnZp2kws4x9eUeELcR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe

Loads dropped DLL 3 IoCs

pid	Process
540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe
540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe
540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe
540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 540	1540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe	87
PID 1540 wrote to memory of 540	1540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe	87
PID 1540 wrote to memory of 540	1540	2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe	87

C:\Users\Admin\AppData\Local\Temp\2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe
"C:\Users\Admin\AppData\Local\Temp\2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\temp1\2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe
  "C:\Users\Admin\AppData\Local\Temp\temp1\2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe" /CUSTOMPARAM=C:\Users\Admin\AppData\Local\Temp\temp1\x-zune-video-converter6.exe_CUSTOMEDATA
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb8B4F.tmp\InstallOptions.dll

Filesize
15KB

MD5
1d8ade5c04339687340b9b4cb6b7854e

SHA1
f43e24e8615402161fdac02f9fb396808cc42afa

SHA256
83bf9c630141db8531d1c83bc783a79965f0e3438c84ab98f464fff2441c6f71

SHA512
121e7be13e120b1a1e958c6fb530cc642f8585190e0c9d44982d3337980c41742e1e455636005f01c7461ba365789d8bf9247643ab72620011ff31e684d8ef32

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8B4F.tmp\LangDLL.dll

Filesize
4KB

MD5
12a4553bfb677393b102e5784a56cc39

SHA1
e16d55cffc5e2a5e891f3c5159fef5f2676dc639

SHA256
7309efa056b8958d5de7ebb4a96c00a92d3cf932a83beec721243f1649bbb3d5

SHA512
42a71229111a377f128e7d69dcddcf4a82f940c3e837519f6fede029596b8964ea27a3e52b8aa4f115182046ebdda227d8d2e9b11fc9a63c0e655325fad3e75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8B4F.tmp\Processes.dll

Filesize
35KB

MD5
53c49f56c890b3fc52318a0342008813

SHA1
45ad45f8c3ce765a96f8228f7038feb7db114c23

SHA256
48e2706c457b9d91fd36d07e20c6130864a16763b33f78c8dd8282c85b7eb3af

SHA512
7eb4c146ce9ccba47d489d8221ecba8a8a37681a27c22228aa52f56116cb3d4f726cb0c85c2448a7ef300f02abf12d1e03ca0f3b827958492983c9cd69e8c9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb8B4F.tmp\installmode.ini

Filesize
588B

MD5
e5cfd606a72a3348528b90433c3cd054

SHA1
f4bead3a54b49f12c7b72ddaf57d69da152ee4a9

SHA256
b665d493ede41cfeb87d7acb3517c291a6a16f004389ba11b53b5b375d9029eb

SHA512
088f67b9552a2ecc4d9612e81a3c18dd9ecf186cb93cb7c39b651af098e3f4e5e6ba4db9dc8d4dac798a5683e58d2ea57cb8a90ba305cd2b74641e0ebc3a33c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp1\2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe

Filesize
28.9MB

MD5
31e972b26125738c4753191fe3f94214

SHA1
f9fa5b9b5d5d443bae826930e51c02e003063780

SHA256
61167705016e48338df1855279c2f106f023c22e195cc83cf83ce665b343e022

SHA512
766f46043caf186e120fd430c2f48bf873e18674834ef048da1086ecdcdb0ac18996216993eb182f2e6e90355c55b4ff0dcc2494b7b021ab1297c0d18c33bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp1\2590079529159957397451eda9ff5457fd06f26cf13d58304a67a60fcede475a.exe

Filesize
28.9MB

MD5
31e972b26125738c4753191fe3f94214

SHA1
f9fa5b9b5d5d443bae826930e51c02e003063780

SHA256
61167705016e48338df1855279c2f106f023c22e195cc83cf83ce665b343e022

SHA512
766f46043caf186e120fd430c2f48bf873e18674834ef048da1086ecdcdb0ac18996216993eb182f2e6e90355c55b4ff0dcc2494b7b021ab1297c0d18c33bab3

Download Submit