e225cae1a2113c5e013e4e5217c25bff3c1980d0bf886d4043d1d12615e43f14

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 02:28

Target

SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe
Size

253KB
MD5

6a9aea17605d53206fe8582c19fb0333
SHA1

0c4548489461a76bae0161ed4612b5546b4141fa
SHA256

e225cae1a2113c5e013e4e5217c25bff3c1980d0bf886d4043d1d12615e43f14
SHA512

603c1aefa5f03741d6f671c456df17852182e14405512ffa959ffe9a6f400bf95aea70ae13d68d367d97892753e10985d8217824c3b874769c9d5a0534131d37
SSDEEP

6144:/Ya6pFEAozjQi8b9oYrAymV/TN5gObUx9OCvPq:/YrFEXfOj0d/B5g5lvPq

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
4808	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 3244	4808	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3244	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe
3244	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4808	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 3244	4808	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe	86
PID 4808 wrote to memory of 3244	4808	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe	86
PID 4808 wrote to memory of 3244	4808	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe	86
PID 4808 wrote to memory of 3244	4808	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe	86

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nskBAAC.tmp\cgajbf.dll

Filesize
22KB

MD5
6dae04bbc70af890959232841e5bddc9

SHA1
62250b05d50d3c573f16aa0411ae5293bd03ffa0

SHA256
3095df5dccbf2e5b7f794ec7a4616976988316d0dd11840f0a31998df82ed3af

SHA512
6d35fc45827b6164ba7e61496ce241cd209a2b914373d049cc72e427dca33ff7d74ccce90b934899447e7a1e361a92640a21977964e038c9116a8e9d4564fc77

Download Submit
memory/3244-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-143-0x0000000000A10000-0x0000000000D5A000-memory.dmp

Filesize
3.3MB

Download