7e9d8086fd40c286a1a5775c60a7fd6a44481dcd540345752e9ae0e6fafb61ea

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nxwitness-bundle-5.0.0.36634-windows_x64.exe
Size

205.3MB
MD5

d83309c8cf1a44301a8bee97df28b979
SHA1

c3ac58c06c520d89b63df106fc831424796fdb1b
SHA256

7e9d8086fd40c286a1a5775c60a7fd6a44481dcd540345752e9ae0e6fafb61ea
SHA512

c68ec187672b0d0bf2ddf78b767f1440c1209434593b09a6ffbc872f29918549462627d3d94c440311f23713a64b4cc5475ebeef496ee503a587d38d6d221c1f
SSDEEP

3145728:+oX6Dh4xVsCZCQpTQgx/hfOR+aOq+feQA5v/nmWlQJ76HfMvndihnIN/DQU:3uAfxph+dkeQuvuWlQEHUvdGne/UU

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
3900	nxwitness-bundle-5.0.0.36634-windows_x64.exe

Loads dropped DLL 1 IoCs

pid	Process
3900	nxwitness-bundle-5.0.0.36634-windows_x64.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3900	432	nxwitness-bundle-5.0.0.36634-windows_x64.exe	86
PID 432 wrote to memory of 3900	432	nxwitness-bundle-5.0.0.36634-windows_x64.exe	86
PID 432 wrote to memory of 3900	432	nxwitness-bundle-5.0.0.36634-windows_x64.exe	86

C:\Users\Admin\AppData\Local\Temp\nxwitness-bundle-5.0.0.36634-windows_x64.exe
"C:\Users\Admin\AppData\Local\Temp\nxwitness-bundle-5.0.0.36634-windows_x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\Temp\{35995BEA-B8CD-4146-B3FC-BE57D88F16A1}\.cr\nxwitness-bundle-5.0.0.36634-windows_x64.exe
  "C:\Windows\Temp\{35995BEA-B8CD-4146-B3FC-BE57D88F16A1}\.cr\nxwitness-bundle-5.0.0.36634-windows_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nxwitness-bundle-5.0.0.36634-windows_x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{35995BEA-B8CD-4146-B3FC-BE57D88F16A1}\.cr\nxwitness-bundle-5.0.0.36634-windows_x64.exe

Filesize
624KB

MD5
903903ecf139cadfb6a20fc5d7e05962

SHA1
9b9d7720db5c94ef0247e5aaef25d1ed29dd5668

SHA256
edc5d4dff260ed194b0097ed6b53c9546721a442e732a1c67e86275c26802f97

SHA512
d9eb80f797f858f79de30528329c0b1cf4a56e9a657d3cba7a13939b9807c8680c2af90813c83e83e944445024b61384b496387d67f7b77ffbbef7586a13f843

Download Submit
C:\Windows\Temp\{35995BEA-B8CD-4146-B3FC-BE57D88F16A1}\.cr\nxwitness-bundle-5.0.0.36634-windows_x64.exe

Filesize
624KB

MD5
903903ecf139cadfb6a20fc5d7e05962

SHA1
9b9d7720db5c94ef0247e5aaef25d1ed29dd5668

SHA256
edc5d4dff260ed194b0097ed6b53c9546721a442e732a1c67e86275c26802f97

SHA512
d9eb80f797f858f79de30528329c0b1cf4a56e9a657d3cba7a13939b9807c8680c2af90813c83e83e944445024b61384b496387d67f7b77ffbbef7586a13f843

Download Submit
C:\Windows\Temp\{A19F4967-DB04-4EFB-9479-DDA29D9A0D9B}\.ba\installer_bg.png

Filesize
6KB

MD5
8d02e082580be6f37c6f390b2070f58c

SHA1
b5f0e930f92bf7c693ccd125c4ee03f07b91aeb8

SHA256
8e0ecaa41b625d0e3d26af9cbbdd9351d9c61eccf0e755f8797af84e4723817d

SHA512
2b64c211024cfc3054e806bb367b25a1e844830993ee2016ffcf3d31a947e07910dda9b2c6ef870a9cf8c8d31f9db16ea124361b2a3a3144a41078d9d074d1b9

Download Submit
C:\Windows\Temp\{A19F4967-DB04-4EFB-9479-DDA29D9A0D9B}\.ba\logo-102x102.png

Filesize
3KB

MD5
f2b2e4fde7141a733954383f3b120e73

SHA1
c796720542eae854e4def46dfe854bf72ea98d6c

SHA256
8536ed67f64a04955960c7938b75ebe7dbc7406f6478981f411b115d08ab0aad

SHA512
a9f820a0b11b2ee93b6090c0d095b65cf49e3d90576b709fd0825365c00eec66c8c375456874a54e5eb78c10180ee8dfc9ef0e75853359e7e3b6efed81749525

Download Submit
C:\Windows\Temp\{A19F4967-DB04-4EFB-9479-DDA29D9A0D9B}\.ba\logo-64x64.png

Filesize
2KB

MD5
b632f08b0322d531743bfab34823e4bd

SHA1
9ad5cd77fab2f4e00411f86349f063c9a34b714c

SHA256
45f349022f35a590c68a18645c35171ce10eef7a3c62b65ad6ee95510801dfe5

SHA512
2e6ba0bf0e9c93cb90f894e468b16907f85a035e47e0f603e543c8f8df54311c934ca630111f6829bde84d1005b4a8b425c9a7e0946429ff75cd2bc24c4fdc16

Download Submit
C:\Windows\Temp\{A19F4967-DB04-4EFB-9479-DDA29D9A0D9B}\.ba\wixstdba.dll

Filesize
175KB

MD5
6ba2e331e0f447aaff0e8142df5f7230

SHA1
7a3f7fb93e7bdcf04fa83b50bde1d939b1864023

SHA256
58a135101a2044d96f470e29369a8214c5c2add774488d73c6ae81a588582239

SHA512
e137eb9f07e3b8ed03b309dd63e4fa9a4993e53b6d54c4c77ac289609811144fd66b49126b1168ebe8fa80669a765a51c1e72444d8c4deace091b65708d67d3b

Download Submit