Analysis
- max time kernel: 90s
- max time network: 81s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
- submitted: 13/06/2024, 04:12
Static task: static1
Behavioral task: behavioral1 (Sample: Nursultan.exe, Resource: win10-20240404-en)
Behavioral task: behavioral2 (Sample: Nursultan.exe, Resource: win10v2004-20240508-en)
Behavioral task: behavioral3 (Sample: Nursultan.exe, Resource: win11-20240611-en)
General
- Target: Nursultan.exe
- Size: 14.4MB
- MD5: 888b6182409ced36aaea7f22268bceab
- SHA1: b62d12c12f46c739e34241bc3590b6888c31d7f4
- SHA256: 11ccb1d864900ecb4d5c683d8e83dc6c0f55d8c89bcd7357e310598b7846d0de
- SHA512: b6398b5a1cf3ae0b698cc7074d2a59d1415689b50f2e7751164fd22e8fd2024ea0d97590366c30c74a0539e6cc83f8fcac0b53e5f68e62d98d242646b4a9c72e
- SSDEEP: 393216:DpRpu51k22qim6QTV6hTZLPHZ3a88WAgSgH1:DpR12j/R4b5iWAgH1
Malware Config
Signatures
- Modifies registry class (1 IoC)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings; Process: OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  pid: 3576; Process: NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 224; Process: Nursultan.exe (2 entries, same pid)
- Suspicious use of SetWindowsHookEx (11 IoCs)
  pid: 4596; Process: OpenWith.exe (11 entries, same pid)
Processes
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  PID: 224
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\GroupLimit.cmd" "
  PID: 1260
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x200
  PID: 1432
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4596
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GroupLimit.cmd
  PID: 3576
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix
Downloads