ae94787c102c6b1c26f45413be4b123a8b2c1dc7ad7f9d1b9c86a489ac8c47c7

Analysis

max time kernel
51s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nos317.exe
Size

127KB
MD5

1b957de2481264f0838b2ea58fefcd2b
SHA1

ea4347f9d234e6ca737298fde05c8b93dd7829fd
SHA256

ae94787c102c6b1c26f45413be4b123a8b2c1dc7ad7f9d1b9c86a489ac8c47c7
SHA512

f96388b8b415eb2cb762760b614153b449330cf0f2b0b09ccf6d8932b2fe5b13dc0d5a9187bd3b1ab6e20175f9c2ede9d631c9bcd2d076a77a3a8c357758be7e
SSDEEP

3072:3cpE7eK4faKrdTuKorWwj432v7xPKs+RO+GLVWxXu44444:37yfzdTujpi2T9sRObAD

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Nos317.execsmm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Nos317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\Client.exe	aspack_v212_v242
C:\Windows\Client.exe	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

Client.execsmm.execsmm.exe

pid process

1956 Client.exe
656 csmm.exe
1324 csmm.exe
Loads dropped DLL 4 IoCs

Processes:

Nos317.execsmm.exe

pid process

1992 Nos317.exe
1992 Nos317.exe
656 csmm.exe
656 csmm.exe

pid	process
1956	Client.exe
656	csmm.exe
1324	csmm.exe

pid	process
1992	Nos317.exe
1992	Nos317.exe
656	csmm.exe
656	csmm.exe

Drops file in System32 directory 2 IoCs

Processes:

Nos317.execsmm.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Nos317.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe

Drops file in Windows directory 1 IoCs

Processes:

Nos317.exe

description ioc process

File opened for modification C:\Windows\Client.exe Nos317.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Nos317.execsmm.exe

pid process

1992 Nos317.exe
656 csmm.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Nos317.exeClient.execsmm.execsmm.exe

pid process

1992 Nos317.exe
1956 Client.exe
656 csmm.exe
1324 csmm.exe

description	ioc	process
File opened for modification	C:\Windows\Client.exe	Nos317.exe

pid	process
1992	Nos317.exe
656	csmm.exe

pid	process
1992	Nos317.exe
1956	Client.exe
656	csmm.exe
1324	csmm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Nos317.execsmm.exe

description	pid	process	target process
PID 1992 wrote to memory of 1956	1992	Nos317.exe	Client.exe
PID 1992 wrote to memory of 1956	1992	Nos317.exe	Client.exe
PID 1992 wrote to memory of 1956	1992	Nos317.exe	Client.exe
PID 1992 wrote to memory of 1956	1992	Nos317.exe	Client.exe
PID 1992 wrote to memory of 656	1992	Nos317.exe	csmm.exe
PID 1992 wrote to memory of 656	1992	Nos317.exe	csmm.exe
PID 1992 wrote to memory of 656	1992	Nos317.exe	csmm.exe
PID 1992 wrote to memory of 656	1992	Nos317.exe	csmm.exe
PID 656 wrote to memory of 1324	656	csmm.exe	csmm.exe
PID 656 wrote to memory of 1324	656	csmm.exe	csmm.exe
PID 656 wrote to memory of 1324	656	csmm.exe	csmm.exe
PID 656 wrote to memory of 1324	656	csmm.exe	csmm.exe

C:\Users\Admin\AppData\Local\Temp\Nos317.exe
"C:\Users\Admin\AppData\Local\Temp\Nos317.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Client.exe
"C:\Windows\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\csmm.exe
C:\Windows\system32\csmm.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\csmm.exe
C:\Windows\system32\csmm.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Client.exe
Filesize
88KB

MD5
5320073f5533b7da2a61ccea68086f7d

SHA1
a2a1d62861506464722e643420967ce55aac6594

SHA256
50d82863c8577e8f9f4d8a3fbc6f739c0e1c3605a9df61bea27d7ddb8e85cfdd

SHA512
d34edd63fcffd82f0260f4b553cb549154a1c8f6e80e14842769fa3860e17c8787b80f2698ee1ec3c891be3a58e0a3c87fbd889c9117dcbb65e06b9d20a7759f

Download Submit
C:\Windows\Client.exe
Filesize
88KB

MD5
5320073f5533b7da2a61ccea68086f7d

SHA1
a2a1d62861506464722e643420967ce55aac6594

SHA256
50d82863c8577e8f9f4d8a3fbc6f739c0e1c3605a9df61bea27d7ddb8e85cfdd

SHA512
d34edd63fcffd82f0260f4b553cb549154a1c8f6e80e14842769fa3860e17c8787b80f2698ee1ec3c891be3a58e0a3c87fbd889c9117dcbb65e06b9d20a7759f

Download Submit
C:\Windows\SysWOW64\csmm.exe
Filesize
39KB

MD5
05cf2889903f75d04055e3c4d2dc17f0

SHA1
c13c3b9f03cc5c18fd2d10037860b2c48727fc54

SHA256
b2ca80ff62fb9f9cc2289066321c7448d96451959f86c2225e8e51b7d2517d21

SHA512
40b9a6f14682ec77642ba1803cd0b00bc8d2fad2545881f4795b49943f17e993d466a1be9cfbce85091c0a696eb6990db8bec52dffa7aa0a062b9f06265bc9af

Download Submit
C:\Windows\SysWOW64\csmm.exe
Filesize
39KB

MD5
05cf2889903f75d04055e3c4d2dc17f0

SHA1
c13c3b9f03cc5c18fd2d10037860b2c48727fc54

SHA256
b2ca80ff62fb9f9cc2289066321c7448d96451959f86c2225e8e51b7d2517d21

SHA512
40b9a6f14682ec77642ba1803cd0b00bc8d2fad2545881f4795b49943f17e993d466a1be9cfbce85091c0a696eb6990db8bec52dffa7aa0a062b9f06265bc9af

Download Submit
C:\Windows\SysWOW64\csmm.exe
Filesize
39KB

MD5
05cf2889903f75d04055e3c4d2dc17f0

SHA1
c13c3b9f03cc5c18fd2d10037860b2c48727fc54

SHA256
b2ca80ff62fb9f9cc2289066321c7448d96451959f86c2225e8e51b7d2517d21

SHA512
40b9a6f14682ec77642ba1803cd0b00bc8d2fad2545881f4795b49943f17e993d466a1be9cfbce85091c0a696eb6990db8bec52dffa7aa0a062b9f06265bc9af

Download Submit
C:\Windows\SysWOW64\csmm.exe
Filesize
39KB

MD5
05cf2889903f75d04055e3c4d2dc17f0

SHA1
c13c3b9f03cc5c18fd2d10037860b2c48727fc54

SHA256
b2ca80ff62fb9f9cc2289066321c7448d96451959f86c2225e8e51b7d2517d21

SHA512
40b9a6f14682ec77642ba1803cd0b00bc8d2fad2545881f4795b49943f17e993d466a1be9cfbce85091c0a696eb6990db8bec52dffa7aa0a062b9f06265bc9af

Download Submit
\Windows\SysWOW64\csmm.exe
Filesize
39KB

MD5
05cf2889903f75d04055e3c4d2dc17f0

SHA1
c13c3b9f03cc5c18fd2d10037860b2c48727fc54

SHA256
b2ca80ff62fb9f9cc2289066321c7448d96451959f86c2225e8e51b7d2517d21

SHA512
40b9a6f14682ec77642ba1803cd0b00bc8d2fad2545881f4795b49943f17e993d466a1be9cfbce85091c0a696eb6990db8bec52dffa7aa0a062b9f06265bc9af

Download Submit
\Windows\SysWOW64\csmm.exe
Filesize
39KB

MD5
05cf2889903f75d04055e3c4d2dc17f0

SHA1
c13c3b9f03cc5c18fd2d10037860b2c48727fc54

SHA256
b2ca80ff62fb9f9cc2289066321c7448d96451959f86c2225e8e51b7d2517d21

SHA512
40b9a6f14682ec77642ba1803cd0b00bc8d2fad2545881f4795b49943f17e993d466a1be9cfbce85091c0a696eb6990db8bec52dffa7aa0a062b9f06265bc9af

Download Submit
\Windows\SysWOW64\csmm.exe
Filesize
39KB

MD5
05cf2889903f75d04055e3c4d2dc17f0

SHA1
c13c3b9f03cc5c18fd2d10037860b2c48727fc54

SHA256
b2ca80ff62fb9f9cc2289066321c7448d96451959f86c2225e8e51b7d2517d21

SHA512
40b9a6f14682ec77642ba1803cd0b00bc8d2fad2545881f4795b49943f17e993d466a1be9cfbce85091c0a696eb6990db8bec52dffa7aa0a062b9f06265bc9af

Download Submit
\Windows\SysWOW64\csmm.exe
Filesize
39KB

MD5
05cf2889903f75d04055e3c4d2dc17f0

SHA1
c13c3b9f03cc5c18fd2d10037860b2c48727fc54

SHA256
b2ca80ff62fb9f9cc2289066321c7448d96451959f86c2225e8e51b7d2517d21

SHA512
40b9a6f14682ec77642ba1803cd0b00bc8d2fad2545881f4795b49943f17e993d466a1be9cfbce85091c0a696eb6990db8bec52dffa7aa0a062b9f06265bc9af

Download Submit
memory/656-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1324-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-65-0x0000000001E40000-0x0000000001E6F000-memory.dmp

Filesize
188KB

Download
memory/1992-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-86-0x0000000001E40000-0x0000000001E42000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads