Analysis

  • max time kernel
    90s
  • max time network
    81s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    13/06/2024, 04:12

General

  • Target

    Nursultan.exe

  • Size

    14.4MB

  • MD5

    888b6182409ced36aaea7f22268bceab

  • SHA1

    b62d12c12f46c739e34241bc3590b6888c31d7f4

  • SHA256

    11ccb1d864900ecb4d5c683d8e83dc6c0f55d8c89bcd7357e310598b7846d0de

  • SHA512

    b6398b5a1cf3ae0b698cc7074d2a59d1415689b50f2e7751164fd22e8fd2024ea0d97590366c30c74a0539e6cc83f8fcac0b53e5f68e62d98d242646b4a9c72e

  • SSDEEP

    393216:DpRpu51k22qim6QTV6hTZLPHZ3a88WAgSgH1:DpR12j/R4b5iWAgH1

Score
1/10

Malware Config

Signatures

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs

  The notepad hit is NOTEPAD.EXE (PID 3576) opening C:\Users\Admin\Desktop\GroupLimit.cmd, a file that also appears in the Downloads list below; "likely ransom note" is the sandbox's heuristic label for a file being opened in notepad, not a confirmed finding. The registry-class and SetWindowsHookEx hits are attributed to OpenWith.exe (PID 4596), not to the sample. The only behaviour attributed to Nursultan.exe itself (PID 224) is process enumeration, which is consistent with the 1/10 score and the empty Network and MITRE ATT&CK sections.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:224
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\GroupLimit.cmd" "
    1⤵
    PID:1260
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x200
    1⤵
    PID:1432
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4596
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GroupLimit.cmd
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3576

      Network

      MITRE ATT&CK Matrix

      Downloads

      • C:\Users\Admin\Desktop\ApprovePing.tif

        Filesize

        384KB

        MD5

        d2638f160f16a1d5e17fb3ec57f081e2

        SHA1

        bcb81c9a52d2631dbaa3fc0c0cbda1278199d1cb

        SHA256

        df61978350226b21120e629c4f6b847df260a4dab707e2cc86b16b077886d88c

        SHA512

        054f16b9444398ca28faa748026904f4b9be75580d36239320afd707e17127459b0842d5286ab5f990f44bd600b3032b1eb4c394c45f484071208267398f28e7

      • C:\Users\Admin\Desktop\AssertRestart.wvx

        Filesize

        672KB

        MD5

        ce82810adb045b8151a1d63793938dc2

        SHA1

        76c33fe5ff9765b0cf0e0010272f4576d0567b24

        SHA256

        5fe4f5509b7107a42cd9ca54557f44d1ddf81d81f4f4bae5a9e8076dfb5a420d

        SHA512

        abc56d2fd71c89344998bc608fba48acaa86928646ed751a824f81cbaf9aba4477291e51b6f0b41f5cca17bcd4d05d33371fae4c755989e3c63d66b35c69ffd3

      • C:\Users\Admin\Desktop\ConnectAdd.htm

        Filesize

        896KB

        MD5

        bfba32c77f875727827c042ccb553c2a

        SHA1

        293e0c42b0488a7920f8cb27fdcfe862f44da52d

        SHA256

        a1356e0c73b6c0770b1fc605c5f5a91d6445e65e34f92cc253dae3eeb3e31946

        SHA512

        a31b0eb8e3100a8773f506505fab9036a4c5243eb5c5c1dc6c75494dba41065d34e5ccb7a41cd9b7e8152d15a64ee0608b0423707f27bcca4dd6a57a5fd81df0

      • C:\Users\Admin\Desktop\ConvertStart.mpa

        Filesize

        1.0MB

        MD5

        9879d557562505de8e5d60a4c914babd

        SHA1

        d2a2c8aa0a0db18e52f65f3501110d76a5d9e99b

        SHA256

        08a257bb3e3e4dc78c0b650d5a22770f65e2758c2aad14f31be29d48b9e21da6

        SHA512

        ca5a4102bd0a2dde5c2804865ec820c2c29ff5196835934768da3dbbe65b406eb3d1c75845a3eaf26ae6f4d65799d191da857eaf3bc8474c0abd7012928f98c6

      • C:\Users\Admin\Desktop\EditFormat.pub

        Filesize

        800KB

        MD5

        2d3bed6acfa436725596855f3acf450b

        SHA1

        ea8af33d1b01e9f3547472ebfffcce5d42ed2bd8

        SHA256

        62886758d46d8d09ea416109c943da8ff3bf573183e762fb8c8bb767dfd9b6b4

        SHA512

        8f4e6eef602095ed939f59c6c6e9b226bd6de6679aea8cd79159fd1825c92ebd063a582483edc7eae3b17fdbbeac520ab9a7e239284e9aeed88ef015a417ca48

      • C:\Users\Admin\Desktop\ExportNew.search-ms

        Filesize

        576KB

        MD5

        ded4588414bb6e5d1bd9640bcaebd9f5

        SHA1

        de1990b120396236e260e49c1afc6c38799c0520

        SHA256

        bad21e3fb1f959a317803bc2ec4fce9d176095afedf837c2fad1ea93463f7fa6

        SHA512

        09b473c4009f848c5d228d1d22edbf1f494a4e82ea947d5a417748a62832d6e4df0ca9e8367d04f9c201471c9c4a8d8b2576ad76a0969de1b69e67a58c167d47

      • C:\Users\Admin\Desktop\GrantBlock.lnk

        Filesize

        768KB

        MD5

        ef31560427dd0e75789558ec451a57f9

        SHA1

        0db5ce89a6778a49675fb584d02b32332dfeda62

        SHA256

        d4640a604b439b999efaebcafb9a6659dc836831d9423d136669b88979455fe9

        SHA512

        deb2cd032d56a4448aab587b368e921984be5b08c65a7468b4e7b472cd44c9ac47b1f7546afb9698bb6dd0c58edc05a0a6d39bfeb1a85f1159683bc5936bd3d7

      • C:\Users\Admin\Desktop\GroupLimit.cmd

        Filesize

        1.5MB

        MD5

        8af4821b35a78239781838bb94c6ce57

        SHA1

        b9402348a13e5c3e9aa8c45dde4e6013ceec004d

        SHA256

        94a0bb667c934832a2ce096f6ae1b337d1233f5a59cc2199e37c900477d3f5a1

        SHA512

        205f6248e99cca2457fec446f4d96bc58e599f7cee5f2545cf0e45e9e9d3a43c3dfd563a135f4b7b3589901d05046766510887dff0b226628ca208e6c34d1ccd

      • C:\Users\Admin\Desktop\ImportUpdate.ppsx

        Filesize

        416KB

        MD5

        15bd8a3a4543d6f27d58e0c0546a3986

        SHA1

        b0e53ee77c536596d4fc13cd9e18f9b3d24da039

        SHA256

        7574c6631d3cc291a51ad4708ffb7d5780161f6307ca5a2f7fd85ebbf378cf9f

        SHA512

        7d2e3c2dd160090204dbb4c79418661bf2809e5574fcd63a4297edbe10d2435f1cb867a7e02fe89ce3336bd7c88ecd37317d0e94a931fba4c95856eb003fa6fe

      • C:\Users\Admin\Desktop\OpenClose.M2V

        Filesize

        928KB

        MD5

        ebdf040af8374f0d3cfcec4136c673d5

        SHA1

        f87ad5bf77141090fe5bbc3be44eba29160c7b1a

        SHA256

        37d65a8706503f93deae91f0e351d5d0d768022e6f6100f1fed77623f6f53b76

        SHA512

        42faaf4e7f07c32915771597e293ef851ca364b2cfc26dcf8a018a4c062868ecd1205661d3d60efd41b6f2cfab895bfe3ecc90de1041764a75a0dd44ac62c87c

      • C:\Users\Admin\Desktop\PingTest.midi

        Filesize

        992KB

        MD5

        6b2118b3b7edcd5c68db42f7185f7359

        SHA1

        93e9f3e2531a74ab17992f56aba994012fc3fd1e

        SHA256

        c721aa1a5b04dcd49b9d962f75be3fe3710e175bdf9b03a24013ce755a13cb4c

        SHA512

        b80c99d96ddc7448509519540d0e1a440a45bd16976d895aed4c3ac1b03644e5762284dfed773c597afe525a0732e0b88603f27592650ae4b40f29f501ac8c67

      • C:\Users\Admin\Desktop\PopSwitch.7z

        Filesize

        832KB

        MD5

        08fa966ae1b7fc5a37fa89f74f01e0d3

        SHA1

        b8d675108ec3c0371a43fa5c112c12269508d7ea

        SHA256

        82fd02ce429de54c07519c6a3e4e2bb122d2dd70e66208199eca0ab9bb321fa6

        SHA512

        90040465164bc28c936e9713afb71eaa9909f2ab763786c95bd637b2ca7fee00cd11e8fcddc9e33628a7bf7c3af3addf1a7d661f42d4bc366ba43645c2b91c7e

      • C:\Users\Admin\Desktop\ReceivePublish.3gp2

        Filesize

        512KB

        MD5

        efc323054c6c929ec93326420d50a4be

        SHA1

        93397598c14f6309fc74fcab8a2bc551968b178d

        SHA256

        298be364595ad18bd6f922bf5ba27f071899456114dc364bc0f5362e673ed059

        SHA512

        f013aa6b039c2b1e81bc4551cb5222de51f1211618cd7800c4075e0c6479294f65d5c7be683fecdb34e292d16e31d105a3ce053469259b72204c94a894b3db31

      • C:\Users\Admin\Desktop\RequestSync.mpa

        Filesize

        448KB

        MD5

        37196afca771be4130e9aa103849c6df

        SHA1

        a82ce13c02945141ffcad7834a836aeb0373140b

        SHA256

        5fb8e2d13bc943f6d8a16ff193203f16c1d1fffedc793596e865e832889bf843

        SHA512

        f7e40708a02c34590ae6d7f315769d3f91815642fe4796df0d14ec1b165eab27d524b562557240dfcc34d372c5f5e14d6a405d3c08022536781e782d749f8887

      • C:\Users\Admin\Desktop\ResizeFind.xsl

        Filesize

        608KB

        MD5

        877e97023848799817305ab2c14bd560

        SHA1

        f41a42983039701dbe2591fc00904b6a3e841070

        SHA256

        8a3558b68b29809a96d5ffe7c15a63203029ef6a02c7a22292f764e88373964f

        SHA512

        0b7199da3167cc9c719b5b893e436418eab930c80a2f2bdb7a679d1333bf41a2d36264106e5cca0013ee1426bb7babc8a017c9738c4f8ead00541eaf648af813

      • C:\Users\Admin\Desktop\RestoreDismount.ico

        Filesize

        704KB

        MD5

        866d01fb315878f034a020627d9eba4b

        SHA1

        e55e739a041ccebf49506fedba6d06ea036e5a3a

        SHA256

        8327041bc76aac60837ebb26e839b33a2a7eb030b1251d0a63cd63601b29a851

        SHA512

        61c96d5d54945cecb3fba0dbe61024f7c521a4a78d24366b7bc7e016c6566d4d6d8fdbc851df653147b5b2e8833fdd64fd815aace0dc6cbee97802cc01d36025

      • C:\Users\Admin\Desktop\ResumeSelect.xltm

        Filesize

        1.1MB

        MD5

        7031c6579399636e71643ce722b756dc

        SHA1

        a8870a71f3f1accf2239b43d5cfadec66eb2f1df

        SHA256

        42e5cc8e79ffe04337d29b264709ee6975315d2127dc5d906f9c21daa768c05f

        SHA512

        e586370e9050665fd56acad69e99fe564b27b7cd2d9cbd9fccb878cf49b457af66076d79bf78a8aa4f4e8fae1be4860d12bb40e512f615bd7ed56ddfd13d2e41

      • C:\Users\Admin\Desktop\StopSave.xltx

        Filesize

        864KB

        MD5

        c177c187bcef9c9a2ce758beb8ff23a7

        SHA1

        8d33f8f774cac7647cf3b563d9dafa5afa22d7f7

        SHA256

        1ca1a22d424f83b31921d28fbb8a4caa9f2f176d7a9069eaf8012474e15ac637

        SHA512

        dd23634a364d9da1e18675675d1e9aee8c22670ec3a56218ca29c16f739194c0ee5c71502565dfd371fc4b673f8e7529b965d7aa1b0a8c4be5199dba7bf4dfc0

      • C:\Users\Admin\Desktop\SuspendCompress.eps

        Filesize

        640KB

        MD5

        8fbe708afcf9632b695bd4c822a912fc

        SHA1

        cb6c1d5648dbdbd0fb278a5682ea919bfccba196

        SHA256

        0f820cb751e321f2143e3f53211dffd5af7373571dd4a4281fcf7f487d7e61d1

        SHA512

        f59160f18978910dff469031ebf8a503dfd636662062db545bf3dfa8dbca41dfa6f37254fec378802e5d2c66f95c2a1d825c5246b719a1b6745e4b9d184016a3

      • C:\Users\Admin\Desktop\UnblockFormat.dotm

        Filesize

        480KB

        MD5

        831b4f8d7709ce27844f4cc20d938972

        SHA1

        0026209b6b7ab04a1d1d78e65616f13cc781df0b

        SHA256

        935294fdfc625775cf960bcd784e2d3e3a8c2e3bf92e9736f44f9c282f15bf04

        SHA512

        7a85b999335d1f1626d3b67cdbc3bb918562734f6a7d16654fae103c96eb80d64b33047db71c71fab07fe90af84169dcdb5c1cce927ef7b46c5cf15ebc1ff9ee

      • C:\Users\Admin\Desktop\UpdateBlock.html

        Filesize

        960KB

        MD5

        523c07314a67fe7268fe4e2573a3333e

        SHA1

        b0f99dc07d22dc9029a0fc318aeb40f0840d1fee

        SHA256

        cf4fb3747fd46287fe79aaadb93ae7370b0ae2daf760265f2f51a98d8b32ae27

        SHA512

        5c31ca22795b82107cee0979d8737ea6407cdf2221897b50b6c94d995864dc69cfb9c2bfbfebffedbd3c79b744db966754b9357f3a5bd369323e32cca8bbc6b3

      • C:\Users\Admin\Desktop\WaitMount.htm

        Filesize

        544KB

        MD5

        76e41ea17de6a113f5fc361b5d1b1519

        SHA1

        ba78f9632ba73fad0431336ea5479a5cf6a359ca

        SHA256

        d465336da69c9ea6ba840c86f46418850dcd7e61059cf555dddb98f69a665f2f

        SHA512

        14a4c5668f8e921ea0a115fa46f17bba2b19b366265640520f516da1b96e028e8927489a8009508f3de84d1fbe08c9dff17abd4b2e6e77c585bb938d61d9b740

      • C:\Users\Admin\Desktop\WaitRename.tif

        Filesize

        1024KB

        MD5

        5f107070a2bbac68328c42da5be746a7

        SHA1

        0e133b3c86fc24e3eef243f454b8563a73edc6b7

        SHA256

        bd877d2ddc46171867b446949493db52a82e3d1117ea0a78f8157453a91e56ba

        SHA512

        57e3803e7142684aef5adc4cf3f3f877eeee34755387776a2938428f5868eb5e3535a6fbf0466b7c8f4e5427f1139fd084644af66d0cc6a06005a96a63408e43

      • C:\Users\Admin\Desktop\WatchSend.mp4

        Filesize

        736KB

        MD5

        6e0cc0f9080f30b07e163de6832f50dc

        SHA1

        3b66cf1a79f7d14bad9346d9b7b06474b554fcc5

        SHA256

        4b37d3d0c8d299792e9c0461bdab0982dce45fc6f837142dcd0f4f2bc502adb6

        SHA512

        6e6061dc2bc614673e7353be1b4c99d91c98b4af71f8d04a49734200af3e74ba647916fb6ce77cea796e3e83a85d3e87888ca7c4686f775118010530f4ec102f

      • C:\Users\Public\Desktop\Acrobat Reader DC.lnk

        Filesize

        2KB

        MD5

        204b4c82c8e1d2cac6edaa042c5dc07e

        SHA1

        8ebd5d10db1f290c04e18b8761298f47ef4bec32

        SHA256

        95bc090a2401c8c8f7dbfd0aa9f7c7db357023c6f88cff51bd2b0c22303ec26b

        SHA512

        42fa91abd64d2bfcacf8c0e3b6a3bd662c93d565dbe1671a6f27dae1b27370bb02c0ad8b0001196b7efa8eccfb493c8b613bcd17a4bc3f3634ff1f619a190715

      • C:\Users\Public\Desktop\Firefox.lnk

        Filesize

        1000B

        MD5

        ba2a700143c6cabe7274d784799d5042

        SHA1

        88c8f8b098a602adc871049d379d167288fc8362

        SHA256

        0ab7cf4ff922198e78813d1337539cd181a36bb24a7bf6faeae184c96eae232e

        SHA512

        e5423ca1581ec32411c0649918c9f9b6f4eb06375f5a169db989a9579d23cc36bf17ee988c50b5e168941a3bcb58a3a41344f7f7a6321cce921c9bbcec362990

      • C:\Users\Public\Desktop\Google Chrome.lnk

        Filesize

        2KB

        MD5

        d3104415fc7670714693ec26af0bb5d1

        SHA1

        981d9234ad3a213dcd9b75b6ffefb41ff774053d

        SHA256

        b4be9e061a89ff4791059d7b0d5b9fea4a3339ddabc413ec462e619ca34099e5

        SHA512

        c80b6e8feb6b1a8208683f617cd3781f044145619cb6111afefff3725cc95a2d77762a4d2f4f9dde6c3aa12c9a416ff8f6a4c039e9536c25f083fda47093bf56

      • C:\Users\Public\Desktop\VLC media player.lnk

        Filesize

        923B

        MD5

        b688114bd3452d41942d9d8998c39da2

        SHA1

        6f1f6b087b02a0e1f25712765dcad66500f23cbe

        SHA256

        e8bb66b7329ea153cf59e262ff2ed943e54331e0de4c5ed08a92190823bfa95a

        SHA512

        d0f5ac6178962b7fdba01ad2d8f5cb126ad6f18f2c1230f213d6af9f2c36beddfc71bac80ed306369df65b524bcb80bb4bb4011c8029824badbc9feee34b7417

      • memory/224-0-0x00000001405C2000-0x0000000140DBC000-memory.dmp

        Filesize

        8.0MB

      • memory/224-9-0x0000000140000000-0x0000000141C1B000-memory.dmp

        Filesize

        28.1MB

      • memory/224-8-0x00000001405C2000-0x0000000140DBC000-memory.dmp

        Filesize

        8.0MB

      • memory/224-3-0x0000000140000000-0x0000000141C1B000-memory.dmp

        Filesize

        28.1MB

      • memory/224-2-0x0000000140000000-0x0000000141C1B000-memory.dmp

        Filesize

        28.1MB

      • memory/224-1-0x00007FFAACD40000-0x00007FFAACD42000-memory.dmp

        Filesize

        8KB
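The hash table above is only useful once it is run against a host. The script below is an added example for this report, not tooling from the sandbox that produced it: it carries a subset of the SHA256 values copied from the page (the sample, the GroupLimit.cmd file that triggered the notepad signature, and two of the dropped Desktop files), streams every file under a directory through hashlib, and reports content matches regardless of file name. The directory it walks and the files demo() writes are constructed placeholders for a real host, and the extra IOC demo() adds for its planted file is labelled as constructed.

```python
"""Hunt a directory tree for files whose SHA256 matches this report.

Added example for this report; it is not tooling from the sandbox that
produced the page. REPORT_SHA256 holds values copied from the report above;
the directory walked and the files written by demo() are constructed
placeholders for a real host.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# SHA256 -> path as the report lists it (subset: the sample, the file opened
# by NOTEPAD.EXE, and two of the dropped Desktop files).
REPORT_SHA256: Dict[str, str] = {
    "11ccb1d864900ecb4d5c683d8e83dc6c0f55d8c89bcd7357e310598b7846d0de":
        r"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe",
    "94a0bb667c934832a2ce096f6ae1b337d1233f5a59cc2199e37c900477d3f5a1":
        r"C:\Users\Admin\Desktop\GroupLimit.cmd",
    "df61978350226b21120e629c4f6b847df260a4dab707e2cc86b16b077886d88c":
        r"C:\Users\Admin\Desktop\ApprovePing.tif",
    "d4640a604b439b999efaebcafb9a6659dc836831d9423d136669b88979455fe9":
        r"C:\Users\Admin\Desktop\GrantBlock.lnk",
}


def hash_file(path: str,
              algorithms: Iterable[str] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Stream the file once and return {algorithm: hexdigest} for each algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hunt(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Walk root and return (local_path, report_path) for every SHA256 hit.

    Matching is by content only, so a renamed copy of the sample is still
    found. Files that cannot be read (locked, permission denied, vanished)
    are skipped so one bad file does not abort the sweep.
    """
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = hash_file(path, ("sha256",))["sha256"]
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def demo() -> Dict[str, object]:
    """Run the hunt on a constructed tree: a decoy that must not match and a
    planted file whose hash is added to the IOC table as a constructed entry."""
    root = tempfile.mkdtemp(prefix="ioc-hunt-")
    os.makedirs(os.path.join(root, "sub"))
    planted_path = os.path.join(root, "sub", "planted.bin")
    with open(planted_path, "wb") as fh:
        fh.write(b"abc")  # constructed content, not the sample's bytes
    with open(os.path.join(root, "decoy.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    planted = hash_file(planted_path)
    iocs = dict(REPORT_SHA256)
    iocs[planted["sha256"]] = "constructed:planted.bin"  # labelled test IOC
    return {"planted_hashes": planted, "hits": hunt(root, iocs)}


if __name__ == "__main__":
    for local, reported in demo()["hits"]:
        print(f"HIT {local} matches {reported}")
```

On a real host, call hunt() with the user profile or a mounted image as root and the full table from the report; hashing with SHA256 only during the walk keeps the sweep to one read per file, while hash_file() with all three algorithms is there for confirming a hit against the report's MD5 and SHA1 columns.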