Analysis Overview
SHA256
11ccb1d864900ecb4d5c683d8e83dc6c0f55d8c89bcd7357e310598b7846d0de
Threat Level: No (potentially) malicious behavior was detected
Verdict for the file Nursultan.exe: no (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:12
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:12
Reported
2024-06-13 04:35
Platform
win10v2004-20240508-en
Max time kernel
1172s
Max time network
1174s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
Network
Files
memory/1540-0-0x00000001405C2000-0x0000000140DBC000-memory.dmp
memory/1540-1-0x00007FFF07D10000-0x00007FFF07D12000-memory.dmp
memory/1540-2-0x0000000140000000-0x0000000141C1B000-memory.dmp
memory/1540-4-0x0000000140000000-0x0000000141C1B000-memory.dmp
memory/1540-8-0x00000001405C2000-0x0000000140DBC000-memory.dmp
memory/1540-9-0x0000000140000000-0x0000000141C1B000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 04:12
Reported
2024-06-13 04:35
Platform
win11-20240611-en
Max time kernel
452s
Max time network
1174s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1764-0-0x00000001405C2000-0x0000000140DBC000-memory.dmp
memory/1764-1-0x00007FFF5D090000-0x00007FFF5D092000-memory.dmp
memory/1764-2-0x0000000140000000-0x0000000141C1B000-memory.dmp
memory/1764-3-0x0000000140000000-0x0000000141C1B000-memory.dmp
memory/1764-8-0x00000001405C2000-0x0000000140DBC000-memory.dmp
memory/1764-9-0x0000000140000000-0x0000000141C1B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:12
Reported
2024-06-13 04:14
Platform
win10-20240404-en
Max time kernel
90s
Max time network
81s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\GroupLimit.cmd" "
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GroupLimit.cmd
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | nursultan.tech | udp |
| US | 104.26.12.21:443 | nursultan.tech | tcp |
| US | 8.8.8.8:53 | 21.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/224-0-0x00000001405C2000-0x0000000140DBC000-memory.dmp
memory/224-1-0x00007FFAACD40000-0x00007FFAACD42000-memory.dmp
memory/224-2-0x0000000140000000-0x0000000141C1B000-memory.dmp
memory/224-3-0x0000000140000000-0x0000000141C1B000-memory.dmp
memory/224-8-0x00000001405C2000-0x0000000140DBC000-memory.dmp
memory/224-9-0x0000000140000000-0x0000000141C1B000-memory.dmp
C:\Users\Admin\Desktop\GroupLimit.cmd
| Hash | Value |
| --- | --- |
| MD5 | 8af4821b35a78239781838bb94c6ce57 |
| SHA1 | b9402348a13e5c3e9aa8c45dde4e6013ceec004d |
| SHA256 | 94a0bb667c934832a2ce096f6ae1b337d1233f5a59cc2199e37c900477d3f5a1 |
| SHA512 | 205f6248e99cca2457fec446f4d96bc58e599f7cee5f2545cf0e45e9e9d3a43c3dfd563a135f4b7b3589901d05046766510887dff0b226628ca208e6c34d1ccd |
C:\Users\Admin\Desktop\PopSwitch.7z
| Hash | Value |
| --- | --- |
| MD5 | 08fa966ae1b7fc5a37fa89f74f01e0d3 |
| SHA1 | b8d675108ec3c0371a43fa5c112c12269508d7ea |
| SHA256 | 82fd02ce429de54c07519c6a3e4e2bb122d2dd70e66208199eca0ab9bb321fa6 |
| SHA512 | 90040465164bc28c936e9713afb71eaa9909f2ab763786c95bd637b2ca7fee00cd11e8fcddc9e33628a7bf7c3af3addf1a7d661f42d4bc366ba43645c2b91c7e |
C:\Users\Admin\Desktop\OpenClose.M2V
| Hash | Value |
| --- | --- |
| MD5 | ebdf040af8374f0d3cfcec4136c673d5 |
| SHA1 | f87ad5bf77141090fe5bbc3be44eba29160c7b1a |
| SHA256 | 37d65a8706503f93deae91f0e351d5d0d768022e6f6100f1fed77623f6f53b76 |
| SHA512 | 42faaf4e7f07c32915771597e293ef851ca364b2cfc26dcf8a018a4c062868ecd1205661d3d60efd41b6f2cfab895bfe3ecc90de1041764a75a0dd44ac62c87c |
C:\Users\Admin\Desktop\WaitRename.tif
| Hash | Value |
| --- | --- |
| MD5 | 5f107070a2bbac68328c42da5be746a7 |
| SHA1 | 0e133b3c86fc24e3eef243f454b8563a73edc6b7 |
| SHA256 | bd877d2ddc46171867b446949493db52a82e3d1117ea0a78f8157453a91e56ba |
| SHA512 | 57e3803e7142684aef5adc4cf3f3f877eeee34755387776a2938428f5868eb5e3535a6fbf0466b7c8f4e5427f1139fd084644af66d0cc6a06005a96a63408e43 |
C:\Users\Admin\Desktop\ResumeSelect.xltm
| Hash | Value |
| --- | --- |
| MD5 | 7031c6579399636e71643ce722b756dc |
| SHA1 | a8870a71f3f1accf2239b43d5cfadec66eb2f1df |
| SHA256 | 42e5cc8e79ffe04337d29b264709ee6975315d2127dc5d906f9c21daa768c05f |
| SHA512 | e586370e9050665fd56acad69e99fe564b27b7cd2d9cbd9fccb878cf49b457af66076d79bf78a8aa4f4e8fae1be4860d12bb40e512f615bd7ed56ddfd13d2e41 |
C:\Users\Admin\Desktop\PingTest.midi
| Hash | Value |
| --- | --- |
| MD5 | 6b2118b3b7edcd5c68db42f7185f7359 |
| SHA1 | 93e9f3e2531a74ab17992f56aba994012fc3fd1e |
| SHA256 | c721aa1a5b04dcd49b9d962f75be3fe3710e175bdf9b03a24013ce755a13cb4c |
| SHA512 | b80c99d96ddc7448509519540d0e1a440a45bd16976d895aed4c3ac1b03644e5762284dfed773c597afe525a0732e0b88603f27592650ae4b40f29f501ac8c67 |
C:\Users\Admin\Desktop\ReceivePublish.3gp2
| Hash | Value |
| --- | --- |
| MD5 | efc323054c6c929ec93326420d50a4be |
| SHA1 | 93397598c14f6309fc74fcab8a2bc551968b178d |
| SHA256 | 298be364595ad18bd6f922bf5ba27f071899456114dc364bc0f5362e673ed059 |
| SHA512 | f013aa6b039c2b1e81bc4551cb5222de51f1211618cd7800c4075e0c6479294f65d5c7be683fecdb34e292d16e31d105a3ce053469259b72204c94a894b3db31 |
C:\Users\Admin\Desktop\RequestSync.mpa
| Hash | Value |
| --- | --- |
| MD5 | 37196afca771be4130e9aa103849c6df |
| SHA1 | a82ce13c02945141ffcad7834a836aeb0373140b |
| SHA256 | 5fb8e2d13bc943f6d8a16ff193203f16c1d1fffedc793596e865e832889bf843 |
| SHA512 | f7e40708a02c34590ae6d7f315769d3f91815642fe4796df0d14ec1b165eab27d524b562557240dfcc34d372c5f5e14d6a405d3c08022536781e782d749f8887 |
C:\Users\Admin\Desktop\UnblockFormat.dotm
| Hash | Value |
| --- | --- |
| MD5 | 831b4f8d7709ce27844f4cc20d938972 |
| SHA1 | 0026209b6b7ab04a1d1d78e65616f13cc781df0b |
| SHA256 | 935294fdfc625775cf960bcd784e2d3e3a8c2e3bf92e9736f44f9c282f15bf04 |
| SHA512 | 7a85b999335d1f1626d3b67cdbc3bb918562734f6a7d16654fae103c96eb80d64b33047db71c71fab07fe90af84169dcdb5c1cce927ef7b46c5cf15ebc1ff9ee |
C:\Users\Admin\Desktop\SuspendCompress.eps
| Hash | Value |
| --- | --- |
| MD5 | 8fbe708afcf9632b695bd4c822a912fc |
| SHA1 | cb6c1d5648dbdbd0fb278a5682ea919bfccba196 |
| SHA256 | 0f820cb751e321f2143e3f53211dffd5af7373571dd4a4281fcf7f487d7e61d1 |
| SHA512 | f59160f18978910dff469031ebf8a503dfd636662062db545bf3dfa8dbca41dfa6f37254fec378802e5d2c66f95c2a1d825c5246b719a1b6745e4b9d184016a3 |
C:\Users\Admin\Desktop\StopSave.xltx
| Hash | Value |
| --- | --- |
| MD5 | c177c187bcef9c9a2ce758beb8ff23a7 |
| SHA1 | 8d33f8f774cac7647cf3b563d9dafa5afa22d7f7 |
| SHA256 | 1ca1a22d424f83b31921d28fbb8a4caa9f2f176d7a9069eaf8012474e15ac637 |
| SHA512 | dd23634a364d9da1e18675675d1e9aee8c22670ec3a56218ca29c16f739194c0ee5c71502565dfd371fc4b673f8e7529b965d7aa1b0a8c4be5199dba7bf4dfc0 |
C:\Users\Admin\Desktop\ResizeFind.xsl
| Hash | Value |
| --- | --- |
| MD5 | 877e97023848799817305ab2c14bd560 |
| SHA1 | f41a42983039701dbe2591fc00904b6a3e841070 |
| SHA256 | 8a3558b68b29809a96d5ffe7c15a63203029ef6a02c7a22292f764e88373964f |
| SHA512 | 0b7199da3167cc9c719b5b893e436418eab930c80a2f2bdb7a679d1333bf41a2d36264106e5cca0013ee1426bb7babc8a017c9738c4f8ead00541eaf648af813 |
C:\Users\Admin\Desktop\WaitMount.htm
| Hash | Value |
| --- | --- |
| MD5 | 76e41ea17de6a113f5fc361b5d1b1519 |
| SHA1 | ba78f9632ba73fad0431336ea5479a5cf6a359ca |
| SHA256 | d465336da69c9ea6ba840c86f46418850dcd7e61059cf555dddb98f69a665f2f |
| SHA512 | 14a4c5668f8e921ea0a115fa46f17bba2b19b366265640520f516da1b96e028e8927489a8009508f3de84d1fbe08c9dff17abd4b2e6e77c585bb938d61d9b740 |
C:\Users\Admin\Desktop\ConvertStart.mpa
| Hash | Value |
| --- | --- |
| MD5 | 9879d557562505de8e5d60a4c914babd |
| SHA1 | d2a2c8aa0a0db18e52f65f3501110d76a5d9e99b |
| SHA256 | 08a257bb3e3e4dc78c0b650d5a22770f65e2758c2aad14f31be29d48b9e21da6 |
| SHA512 | ca5a4102bd0a2dde5c2804865ec820c2c29ff5196835934768da3dbbe65b406eb3d1c75845a3eaf26ae6f4d65799d191da857eaf3bc8474c0abd7012928f98c6 |
C:\Users\Admin\Desktop\UpdateBlock.html
| Hash | Value |
| --- | --- |
| MD5 | 523c07314a67fe7268fe4e2573a3333e |
| SHA1 | b0f99dc07d22dc9029a0fc318aeb40f0840d1fee |
| SHA256 | cf4fb3747fd46287fe79aaadb93ae7370b0ae2daf760265f2f51a98d8b32ae27 |
| SHA512 | 5c31ca22795b82107cee0979d8737ea6407cdf2221897b50b6c94d995864dc69cfb9c2bfbfebffedbd3c79b744db966754b9357f3a5bd369323e32cca8bbc6b3 |
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
| Hash | Value |
| --- | --- |
| MD5 | 204b4c82c8e1d2cac6edaa042c5dc07e |
| SHA1 | 8ebd5d10db1f290c04e18b8761298f47ef4bec32 |
| SHA256 | 95bc090a2401c8c8f7dbfd0aa9f7c7db357023c6f88cff51bd2b0c22303ec26b |
| SHA512 | 42fa91abd64d2bfcacf8c0e3b6a3bd662c93d565dbe1671a6f27dae1b27370bb02c0ad8b0001196b7efa8eccfb493c8b613bcd17a4bc3f3634ff1f619a190715 |
C:\Users\Public\Desktop\VLC media player.lnk
| Hash | Value |
| --- | --- |
| MD5 | b688114bd3452d41942d9d8998c39da2 |
| SHA1 | 6f1f6b087b02a0e1f25712765dcad66500f23cbe |
| SHA256 | e8bb66b7329ea153cf59e262ff2ed943e54331e0de4c5ed08a92190823bfa95a |
| SHA512 | d0f5ac6178962b7fdba01ad2d8f5cb126ad6f18f2c1230f213d6af9f2c36beddfc71bac80ed306369df65b524bcb80bb4bb4011c8029824badbc9feee34b7417 |
C:\Users\Public\Desktop\Firefox.lnk
| Hash | Value |
| --- | --- |
| MD5 | ba2a700143c6cabe7274d784799d5042 |
| SHA1 | 88c8f8b098a602adc871049d379d167288fc8362 |
| SHA256 | 0ab7cf4ff922198e78813d1337539cd181a36bb24a7bf6faeae184c96eae232e |
| SHA512 | e5423ca1581ec32411c0649918c9f9b6f4eb06375f5a169db989a9579d23cc36bf17ee988c50b5e168941a3bcb58a3a41344f7f7a6321cce921c9bbcec362990 |
C:\Users\Public\Desktop\Google Chrome.lnk
| Hash | Value |
| --- | --- |
| MD5 | d3104415fc7670714693ec26af0bb5d1 |
| SHA1 | 981d9234ad3a213dcd9b75b6ffefb41ff774053d |
| SHA256 | b4be9e061a89ff4791059d7b0d5b9fea4a3339ddabc413ec462e619ca34099e5 |
| SHA512 | c80b6e8feb6b1a8208683f617cd3781f044145619cb6111afefff3725cc95a2d77762a4d2f4f9dde6c3aa12c9a416ff8f6a4c039e9536c25f083fda47093bf56 |
C:\Users\Admin\Desktop\ApprovePing.tif
| Hash | Value |
| --- | --- |
| MD5 | d2638f160f16a1d5e17fb3ec57f081e2 |
| SHA1 | bcb81c9a52d2631dbaa3fc0c0cbda1278199d1cb |
| SHA256 | df61978350226b21120e629c4f6b847df260a4dab707e2cc86b16b077886d88c |
| SHA512 | 054f16b9444398ca28faa748026904f4b9be75580d36239320afd707e17127459b0842d5286ab5f990f44bd600b3032b1eb4c394c45f484071208267398f28e7 |
C:\Users\Admin\Desktop\GrantBlock.lnk
| Hash | Value |
| --- | --- |
| MD5 | ef31560427dd0e75789558ec451a57f9 |
| SHA1 | 0db5ce89a6778a49675fb584d02b32332dfeda62 |
| SHA256 | d4640a604b439b999efaebcafb9a6659dc836831d9423d136669b88979455fe9 |
| SHA512 | deb2cd032d56a4448aab587b368e921984be5b08c65a7468b4e7b472cd44c9ac47b1f7546afb9698bb6dd0c58edc05a0a6d39bfeb1a85f1159683bc5936bd3d7 |
C:\Users\Admin\Desktop\ExportNew.search-ms
| Hash | Value |
| --- | --- |
| MD5 | ded4588414bb6e5d1bd9640bcaebd9f5 |
| SHA1 | de1990b120396236e260e49c1afc6c38799c0520 |
| SHA256 | bad21e3fb1f959a317803bc2ec4fce9d176095afedf837c2fad1ea93463f7fa6 |
| SHA512 | 09b473c4009f848c5d228d1d22edbf1f494a4e82ea947d5a417748a62832d6e4df0ca9e8367d04f9c201471c9c4a8d8b2576ad76a0969de1b69e67a58c167d47 |
C:\Users\Admin\Desktop\EditFormat.pub
| Hash | Value |
| --- | --- |
| MD5 | 2d3bed6acfa436725596855f3acf450b |
| SHA1 | ea8af33d1b01e9f3547472ebfffcce5d42ed2bd8 |
| SHA256 | 62886758d46d8d09ea416109c943da8ff3bf573183e762fb8c8bb767dfd9b6b4 |
| SHA512 | 8f4e6eef602095ed939f59c6c6e9b226bd6de6679aea8cd79159fd1825c92ebd063a582483edc7eae3b17fdbbeac520ab9a7e239284e9aeed88ef015a417ca48 |
C:\Users\Admin\Desktop\ConnectAdd.htm
| Hash | Value |
| --- | --- |
| MD5 | bfba32c77f875727827c042ccb553c2a |
| SHA1 | 293e0c42b0488a7920f8cb27fdcfe862f44da52d |
| SHA256 | a1356e0c73b6c0770b1fc605c5f5a91d6445e65e34f92cc253dae3eeb3e31946 |
| SHA512 | a31b0eb8e3100a8773f506505fab9036a4c5243eb5c5c1dc6c75494dba41065d34e5ccb7a41cd9b7e8152d15a64ee0608b0423707f27bcca4dd6a57a5fd81df0 |
C:\Users\Admin\Desktop\ImportUpdate.ppsx
| Hash | Value |
| --- | --- |
| MD5 | 15bd8a3a4543d6f27d58e0c0546a3986 |
| SHA1 | b0e53ee77c536596d4fc13cd9e18f9b3d24da039 |
| SHA256 | 7574c6631d3cc291a51ad4708ffb7d5780161f6307ca5a2f7fd85ebbf378cf9f |
| SHA512 | 7d2e3c2dd160090204dbb4c79418661bf2809e5574fcd63a4297edbe10d2435f1cb867a7e02fe89ce3336bd7c88ecd37317d0e94a931fba4c95856eb003fa6fe |
C:\Users\Admin\Desktop\3t╟+
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Desktop\WatchSend.mp4
| Hash | Value |
| --- | --- |
| MD5 | 6e0cc0f9080f30b07e163de6832f50dc |
| SHA1 | 3b66cf1a79f7d14bad9346d9b7b06474b554fcc5 |
| SHA256 | 4b37d3d0c8d299792e9c0461bdab0982dce45fc6f837142dcd0f4f2bc502adb6 |
| SHA512 | 6e6061dc2bc614673e7353be1b4c99d91c98b4af71f8d04a49734200af3e74ba647916fb6ce77cea796e3e83a85d3e87888ca7c4686f775118010530f4ec102f |
C:\Users\Admin\Desktop\RestoreDismount.ico
| Hash | Value |
| --- | --- |
| MD5 | 866d01fb315878f034a020627d9eba4b |
| SHA1 | e55e739a041ccebf49506fedba6d06ea036e5a3a |
| SHA256 | 8327041bc76aac60837ebb26e839b33a2a7eb030b1251d0a63cd63601b29a851 |
| SHA512 | 61c96d5d54945cecb3fba0dbe61024f7c521a4a78d24366b7bc7e016c6566d4d6d8fdbc851df653147b5b2e8833fdd64fd815aace0dc6cbee97802cc01d36025 |
C:\Users\Admin\Desktop\AssertRestart.wvx
| Hash | Value |
| --- | --- |
| MD5 | ce82810adb045b8151a1d63793938dc2 |
| SHA1 | 76c33fe5ff9765b0cf0e0010272f4576d0567b24 |
| SHA256 | 5fe4f5509b7107a42cd9ca54557f44d1ddf81d81f4f4bae5a9e8076dfb5a420d |
| SHA512 | abc56d2fd71c89344998bc608fba48acaa86928646ed751a824f81cbaf9aba4477291e51b6f0b41f5cca17bcd4d05d33371fae4c755989e3c63d66b35c69ffd3 |