8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
Size

3.0MB
MD5

5496ba70185c10bb395b791400c3c5ba
SHA1

5912d976cf18f19b88ae04b1d70c43aa4e281e85
SHA256

8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a
SHA512

b23bff96efdd33e26049946539d385676f6b9e1530459333100b0c27a47c524ffdcf37b5b92f9a61356f1f9db6e8fc64fa7f6a6560da4e228325b9e4a945579e
SSDEEP

49152:EPnmeM9KCmRxAfovAF6RKcMQqx+29uWV9D489/y:Unm99KCm3AAvAF6RKSu91PM+/y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4092	NSUDOLC.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2564	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4092	NSUDOLC.exe
4092	NSUDOLC.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	4092	NSUDOLC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4412	8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
4412	8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 3476	4412	8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe	86
PID 4412 wrote to memory of 3476	4412	8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe	86
PID 4412 wrote to memory of 3476	4412	8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe	86
PID 3476 wrote to memory of 2564	3476	cmd.exe	89
PID 3476 wrote to memory of 2564	3476	cmd.exe	89
PID 3476 wrote to memory of 2564	3476	cmd.exe	89
PID 3476 wrote to memory of 4092	3476	cmd.exe	93
PID 3476 wrote to memory of 4092	3476	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
"C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /PID 4412
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
    NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe

Filesize
99KB

MD5
0ac3e9d59309f599403ac51615bfe41b

SHA1
9041c5562558cb58ac98bd18de3c0ce370a59e1f

SHA256
6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c

SHA512
e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
145B

MD5
747232dbd6cc8d17a6300e7f3f57e9d2

SHA1
93e33e22496af593d4b3622c6d363c9a830d18bf

SHA256
0a8b6af2f64876c51b5e47f11a7524d3ca535060e3e4330c536d6a7912135457

SHA512
d3c7a65377354471944e6346de483a69a1b35fbcb10ece5f2a209626b6b3e0ed5b518a770e9f8b13ba67c8e1a539fcac13ec85ea8e21f76c5122344501e3376e

Download Submit