aab0ed59a2176b68efd47242277ff8ad443b4cfa156cfd7b191d5421a5cbdfe6

Resubmissions

16/03/2023, 13:18

230316-qj8r7sdc4v 9

16/03/2023, 12:54

230316-p5qcbaah42 9

16/03/2023, 12:52

230316-p32ybsdb5w 9

Analysis

max time kernel
52s
max time network
63s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16/03/2023, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp000065ae.exe
Size

129KB
MD5

4200d62ceb1452b26bc875e765665b29
SHA1

ed2c3f60a189770816d6deb5746f79f9ee6e19f0
SHA256

202672873906e3efaeaeba9e5bb74fe1ab0695becceab0e70644a482d127a124
SHA512

996470bbacb20501acd1ff475d96be38e34f28236e1b9699b4e74ee99fd2318336f869354195311ec4e916bff6f2c007a73fc4d28dca96a13bf1136ce43f03c8
SSDEEP

3072:4d/vyWmJe45yOZlyxPjK959lye9Pahh70tDZqvv:4Xp1OAPj29l59Par0Fk

Score

9^/10

discovery

Malware Config

Signatures

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001aec6-362.dat	Nirsoft
behavioral1/files/0x000600000001aec6-357.dat	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
4724	BulletsPassView.exe

Loads dropped DLL 3 IoCs

pid	Process
2312	tmp000065ae.exe
2312	tmp000065ae.exe
2312	tmp000065ae.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NirSoft\BulletsPassView\BulletsPassView.exe	tmp000065ae.exe
File created	C:\Program Files (x86)\NirSoft\BulletsPassView\BulletsPassView.chm	tmp000065ae.exe
File created	C:\Program Files (x86)\NirSoft\BulletsPassView\readme.txt	tmp000065ae.exe
File created	C:\Program Files (x86)\NirSoft\BulletsPassView\uninst.exe	tmp000065ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4724	BulletsPassView.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4724	BulletsPassView.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4724	2312	tmp000065ae.exe	66
PID 2312 wrote to memory of 4724	2312	tmp000065ae.exe	66
PID 2312 wrote to memory of 4724	2312	tmp000065ae.exe	66

C:\Users\Admin\AppData\Local\Temp\tmp000065ae.exe
"C:\Users\Admin\AppData\Local\Temp\tmp000065ae.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\NirSoft\BulletsPassView\BulletsPassView.exe
  "C:\Program Files (x86)\NirSoft\BulletsPassView\BulletsPassView.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NirSoft\BulletsPassView\BulletsPassView.exe

Filesize
70KB

MD5
e40c9293ea0b6d62a0f62f40212df07b

SHA1
08edc669c2a5408cdbc3968fc4ac0a2f23ed69ba

SHA256
b19dfe440e515c39928b475a946656a12b1051e98e0df36c016586b34a766d5c

SHA512
6eb169f810092de15a9d54ab40ab61afc3ad37d4adb6ecb4d97a4f349e1a24ab0b62251b54db88f91cbc993d0626e34c738e054eed5a6e23cace669f9f01a975

Download Submit
C:\Program Files (x86)\NirSoft\BulletsPassView\BulletsPassView.exe

Filesize
70KB

MD5
e40c9293ea0b6d62a0f62f40212df07b

SHA1
08edc669c2a5408cdbc3968fc4ac0a2f23ed69ba

SHA256
b19dfe440e515c39928b475a946656a12b1051e98e0df36c016586b34a766d5c

SHA512
6eb169f810092de15a9d54ab40ab61afc3ad37d4adb6ecb4d97a4f349e1a24ab0b62251b54db88f91cbc993d0626e34c738e054eed5a6e23cace669f9f01a975

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaBB0A.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaBB0A.tmp\StartMenu.dll

Filesize
7KB

MD5
8262fbc2a172ff04146e7587649d7091

SHA1
628be3fede2a79d4b321b12f979711caf77e8a7e

SHA256
ac53840d019b746ab5dabaa40d7720c9a4487c861b155926454bf8b10bd0963d

SHA512
8e11f1f1811a424b1ae5ab8e064d5313adc118ee7607f6a6f9b9976647ca6c91496133d5575d4737386a1485f39cf6fd074dbfd619807f42fe148a640186f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaBB0A.tmp\ioSpecial.ini

Filesize
714B

MD5
c3a1d4d5abaaebb1375999ff7b4e2cd3

SHA1
42063b062b36f7d2c9f1bf9286bdbd5e0adfabf8

SHA256
f0c9b184f90b85a6dacb5918bc70e7667208831c43ebbba4ad1cfc20499e7426

SHA512
a7015a9986b6ad3761cba1b7892ceab71dde52cfdeb8e52696f56d8ca78c7caf26dc0c9f81c90ac84b8a975dc7122cfd7416694aaff5bb563f0e7d5052972770

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaBB0A.tmp\ioSpecial.ini

Filesize
896B

MD5
9f9f9f0bf8bc4dec934203a27756eb3e

SHA1
41217dac8305839244ea04acb6a15e888a21f3a2

SHA256
32a97c5d2bd13738fa787504dc03babc49d43243d4713f975d00a20fbb407604

SHA512
8c371348cee914e157a0d4773762ed189532cfe10c54193dca1d061912dcc6841efae512d97c5b10c8f4e1e1945cee5cc1a260e1b2db94ea80b8906e8ebca147

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaBB0A.tmp\ioSpecial.ini

Filesize
944B

MD5
61ee29723501d90a31b8d8de09571ad5

SHA1
ab7d7c0a7857f616a9c2d997663dd6033e07f470

SHA256
5bea7723535de916b056da8371fa70b47814ea67c2614c794392a6006a64b5be

SHA512
55014633cd12de19936f2c9f54ae1ed9da2cc8f4d94e6c13490ff9a404eb35365fe56c6eb70d6d71d9521f2b7cefcb95efdad6665211ce9a6dcd3d177c255c02

Download Submit
\Users\Admin\AppData\Local\Temp\nsaBB0A.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
\Users\Admin\AppData\Local\Temp\nsaBB0A.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
\Users\Admin\AppData\Local\Temp\nsaBB0A.tmp\StartMenu.dll

Filesize
7KB

MD5
8262fbc2a172ff04146e7587649d7091

SHA1
628be3fede2a79d4b321b12f979711caf77e8a7e

SHA256
ac53840d019b746ab5dabaa40d7720c9a4487c861b155926454bf8b10bd0963d

SHA512
8e11f1f1811a424b1ae5ab8e064d5313adc118ee7607f6a6f9b9976647ca6c91496133d5575d4737386a1485f39cf6fd074dbfd619807f42fe148a640186f639

Download Submit