32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/03/2023, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888.exe
Size

1.7MB
MD5

ea3aaf490737afb4555c38b951eec692
SHA1

c63d77cd0c36b05c35e960164d22a6585a4ba04b
SHA256

32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888
SHA512

83ca636b28c15285e2f58e15e7eaf85528b07b6df7368718f1a81aa8510a88f68e0ab7135758b15438ed3743f77d330c76047b48952e1d648d160120287cbfb0
SSDEEP

49152:QTmeOXEFfDf6EQgY/2qE7rR0V28MozToY:SmxXQfDyMY/2qzY8BzX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2020	Un_A.exe

Loads dropped DLL 6 IoCs

pid	Process
1220	32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888.exe
2020	Un_A.exe
2020	Un_A.exe
2020	Un_A.exe
2020	Un_A.exe
2020	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	Un_A.exe
2020	Un_A.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2020	1220	32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888.exe	28
PID 1220 wrote to memory of 2020	1220	32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888.exe	28
PID 1220 wrote to memory of 2020	1220	32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888.exe	28
PID 1220 wrote to memory of 2020	1220	32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888.exe	28

C:\Users\Admin\AppData\Local\Temp\32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888.exe
"C:\Users\Admin\AppData\Local\Temp\32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiC61.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC61.tmp\nsisdui.dll

Filesize
633KB

MD5
c11e1869bdfbe9054d363df118ecd0ef

SHA1
a3e62af8efcd84149bfa29824ab640aa9b558a0e

SHA256
1c9ccc6d06e4198b97a349fd715a71b3b76829cdca7eea5f912aef8a0a6506c4

SHA512
8d45f09469fdd33f2736b72f6aeb37e53c6e14a4052fc62847b3a6f94cf93435763b11d9396ec51a1a6d61e741b5549bf7e1b971b6c475ab0948c0ba4a6d70ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
1.7MB

MD5
ea3aaf490737afb4555c38b951eec692

SHA1
c63d77cd0c36b05c35e960164d22a6585a4ba04b

SHA256
32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888

SHA512
83ca636b28c15285e2f58e15e7eaf85528b07b6df7368718f1a81aa8510a88f68e0ab7135758b15438ed3743f77d330c76047b48952e1d648d160120287cbfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
1.7MB

MD5
ea3aaf490737afb4555c38b951eec692

SHA1
c63d77cd0c36b05c35e960164d22a6585a4ba04b

SHA256
32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888

SHA512
83ca636b28c15285e2f58e15e7eaf85528b07b6df7368718f1a81aa8510a88f68e0ab7135758b15438ed3743f77d330c76047b48952e1d648d160120287cbfb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsiC61.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiC61.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\nsiC61.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca5bb0ee2b698869c41c087c9854487c

SHA1
4a8abbb2544f1a9555e57a142a147dfeb40c4ca4

SHA256
c719697d5ced17d97bbc48662327339ccec7e03f6552aa1d5c248f6fa5f16324

SHA512
363a80843d7601ba119bc981c4346188f490b388e3ed390a0667aaf5138b885eec6c69d4e7f60f93b069d6550277f4c926bd0f37bc893928111dc62494124770

Download Submit
\Users\Admin\AppData\Local\Temp\nsiC61.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsiC61.tmp\nsisdui.dll

Filesize
633KB

MD5
c11e1869bdfbe9054d363df118ecd0ef

SHA1
a3e62af8efcd84149bfa29824ab640aa9b558a0e

SHA256
1c9ccc6d06e4198b97a349fd715a71b3b76829cdca7eea5f912aef8a0a6506c4

SHA512
8d45f09469fdd33f2736b72f6aeb37e53c6e14a4052fc62847b3a6f94cf93435763b11d9396ec51a1a6d61e741b5549bf7e1b971b6c475ab0948c0ba4a6d70ef

Download Submit
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
1.7MB

MD5
ea3aaf490737afb4555c38b951eec692

SHA1
c63d77cd0c36b05c35e960164d22a6585a4ba04b

SHA256
32306d037cc4c78c2beaa6242f27e78c92f3e73fc47b9c8909421d76c22b4888

SHA512
83ca636b28c15285e2f58e15e7eaf85528b07b6df7368718f1a81aa8510a88f68e0ab7135758b15438ed3743f77d330c76047b48952e1d648d160120287cbfb0

Download Submit