528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-08-2023 04:38

Target

528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d.exe
Size

161KB
MD5

f1ab1e1bc627749ff779fe2a0bb07171
SHA1

77c2f3c821d1c1a0e603951c988eaab3b5401957
SHA256

528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d
SHA512

4e4ea0ad9849eb654e710124689aa07247b2b3f93c1017535d15d788dd2a7e6dcbcbbeb3ce6b59287a00c0bfc7a48680f1637e3c80d38dc2364610ae122af7e1
SSDEEP

3072:8xwiu5PY2wj0kcqSz2uiKoIksbmH396tq8v3IIz1AuiO:8xePY7i2ubTRmHt6Dg27iO

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2192	NSUDOLC.exe

Loads dropped DLL 1 IoCs

pid	Process
2592	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2240	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	NSUDOLC.exe
2192	NSUDOLC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	2192	NSUDOLC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2592	2108	528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d.exe	28
PID 2108 wrote to memory of 2592	2108	528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d.exe	28
PID 2108 wrote to memory of 2592	2108	528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d.exe	28
PID 2108 wrote to memory of 2592	2108	528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d.exe	28
PID 2592 wrote to memory of 2240	2592	cmd.exe	30
PID 2592 wrote to memory of 2240	2592	cmd.exe	30
PID 2592 wrote to memory of 2240	2592	cmd.exe	30
PID 2592 wrote to memory of 2240	2592	cmd.exe	30
PID 2592 wrote to memory of 2192	2592	cmd.exe	32
PID 2592 wrote to memory of 2192	2592	cmd.exe	32
PID 2592 wrote to memory of 2192	2592	cmd.exe	32
PID 2592 wrote to memory of 2192	2592	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d.exe
"C:\Users\Admin\AppData\Local\Temp\528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /PID 2108
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
    NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\528d3317e0ebd07fe0687535a62ce0c76506406c5a988f436ce89bad8e4d5c5d.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192

C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe

Filesize
99KB

MD5
0ac3e9d59309f599403ac51615bfe41b

SHA1
9041c5562558cb58ac98bd18de3c0ce370a59e1f

SHA256
6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c

SHA512
e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
145B

MD5
fc9c2b2dbb3dfce62a96547e1e45cf77

SHA1
260b39a93fb9af7c97eceb6db04277d584f0ac2a

SHA256
9c7927429be6d7df41d50d6c16bd0e2586e1195eebe16315b5fd3d53d673e4cf

SHA512
b962face2fc2e5b2e4d01a95b97907dc80bf6cf440428db84ec0a19030ad494487966d145e32574b5b962bf49a5b185165cdafe6af92ec922a8389c351a2e68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
145B

MD5
fc9c2b2dbb3dfce62a96547e1e45cf77

SHA1
260b39a93fb9af7c97eceb6db04277d584f0ac2a

SHA256
9c7927429be6d7df41d50d6c16bd0e2586e1195eebe16315b5fd3d53d673e4cf

SHA512
b962face2fc2e5b2e4d01a95b97907dc80bf6cf440428db84ec0a19030ad494487966d145e32574b5b962bf49a5b185165cdafe6af92ec922a8389c351a2e68f

Download Submit
\Users\Admin\AppData\Local\Temp\NSUDOLC.exe

Filesize
99KB

MD5
0ac3e9d59309f599403ac51615bfe41b

SHA1
9041c5562558cb58ac98bd18de3c0ce370a59e1f

SHA256
6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c

SHA512
e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910

Download Submit