868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8.exe
Size

942KB
MD5

d031a49263f143ea08d99f2795095bc4
SHA1

27558ce471cea625c9ba5a9e8e7067adce1ec65a
SHA256

868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8
SHA512

f0866c7293c8060a13902a241971ab37993c268196ea1223aadf5690c28c367a87855d4e200c2c26a5c1af524f409922af3571b446bed74c6597730420011d0e
SSDEEP

24576:IDlbUofR9HL7zkyTt8efOoBNnwoGEqrQ+wkUCowDfswOSZqe:Do59HLU/4MvEj+wkUm2SD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4380	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
4380	Au_.exe
4380	Au_.exe
4380	Au_.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002312b-136.dat	nsis_installer_1
behavioral2/files/0x000600000002312b-136.dat	nsis_installer_2
behavioral2/files/0x000600000002312b-137.dat	nsis_installer_1
behavioral2/files/0x000600000002312b-137.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Au_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Au_.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4380	Au_.exe
4380	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4380	1724	868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8.exe	82
PID 1724 wrote to memory of 4380	1724	868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8.exe	82
PID 1724 wrote to memory of 4380	1724	868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8.exe	82

C:\Users\Admin\AppData\Local\Temp\868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8.exe
"C:\Users\Admin\AppData\Local\Temp\868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss816B.tmp\DataCollection.dll

Filesize
1.4MB

MD5
4028747c6b592c52b5257a07df10fc5a

SHA1
0f4f114e466a3d85ee5995ec105e776e941ee5be

SHA256
e01062c6980c2e62f7e76fa3bf79c00e0959976866db86fb8cc8f76d818ef0d9

SHA512
f4a1fb033dac1fd5a46dd6ec968d31fd8b62030e1ec4e37dff2df314b2e4b8f4b5b3d5f4774c8b64347f02e88a3ebdc80bc9a166d2847756f5b6bb4fa24629fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss816B.tmp\DataCollection.dll

Filesize
1.4MB

MD5
4028747c6b592c52b5257a07df10fc5a

SHA1
0f4f114e466a3d85ee5995ec105e776e941ee5be

SHA256
e01062c6980c2e62f7e76fa3bf79c00e0959976866db86fb8cc8f76d818ef0d9

SHA512
f4a1fb033dac1fd5a46dd6ec968d31fd8b62030e1ec4e37dff2df314b2e4b8f4b5b3d5f4774c8b64347f02e88a3ebdc80bc9a166d2847756f5b6bb4fa24629fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss816B.tmp\InstallOptions.dll

Filesize
20KB

MD5
849a80c233a3f5c66e4f59b358731c98

SHA1
1173df705451a4d2be5aa047e3e2c9660ac31a73

SHA256
c7631d37473f874b435e28051689028c675e16b313b257e1283236ece55fe0cf

SHA512
dbfcdefd71c15a775068eee502ffb9bc6077991c4e694b45a5cd1b8f4c7364e891fdbf57559824df90a9799790d64cbc28107720ff0a3289a394e468c4c1e185

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss816B.tmp\Serverlist.ini

Filesize
517B

MD5
b1cdcbb7c9f25e65354bd8e01d516ba5

SHA1
f3cd827c0394432f0a17a5a4872d4c96b6ba5bcf

SHA256
0e643b0db60b6b6094e41a249ef50f42a44009dc22cea2331373f2f1d12e456d

SHA512
3f744a77ea5b0733a245c57a4588149a9cc2d6399137b984c228f46798db87516155bd894bd90693ece86a736b603b21967dde8464f233dd08b579b882a4bfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss816B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss816B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss816B.tmp\ioSpecial.ini

Filesize
628B

MD5
4fc2c345760d43eeadfba7c31fcfc749

SHA1
a895225d5631f524422939120b917b20e51c8436

SHA256
a349cd749a75d58a1b920a2b8a8217cdda3346e03c3663cd7bb0f5f0257a87e1

SHA512
05619a18b319e1cd372cc28bcc4fc928d4da419179fb8369af728866a3846d07b9f0527d22f44b32d9c606319d89f01f39f58c9f52ab731a54ce9a086078dd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss816B.tmp\modern-wizard.bmp

Filesize
251KB

MD5
b530f623a349a3b6364a234563327547

SHA1
fb2aa9cac12b40aee89bd1e3a4b8d64cf5beaf24

SHA256
63b5c3d288838e7d71815c2745e299c034f6f1b7273c5392ccca10e870428b13

SHA512
0c834372afe403cef960e35d5c461fc6733769cd443ab9a7498c01426b0bb33e9b32d4b59b3cdf0e1e85dc5c60d0f2edcbcda3d2a0ae5d703d625003b4f4adab

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
942KB

MD5
d031a49263f143ea08d99f2795095bc4

SHA1
27558ce471cea625c9ba5a9e8e7067adce1ec65a

SHA256
868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8

SHA512
f0866c7293c8060a13902a241971ab37993c268196ea1223aadf5690c28c367a87855d4e200c2c26a5c1af524f409922af3571b446bed74c6597730420011d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
942KB

MD5
d031a49263f143ea08d99f2795095bc4

SHA1
27558ce471cea625c9ba5a9e8e7067adce1ec65a

SHA256
868a75c6cffea8c3433c888b1d9bd90b30e035af8eb59b2de9192fc924874eb8

SHA512
f0866c7293c8060a13902a241971ab37993c268196ea1223aadf5690c28c367a87855d4e200c2c26a5c1af524f409922af3571b446bed74c6597730420011d0e

Download Submit