d99dd842a22b3fc8e7a353162a8cc13b1ce75c6f053f14d501f084da67d80c5a

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e91d70d9ae99f27248c15e88c6ac160.exe
Size

1.5MB
MD5

3e91d70d9ae99f27248c15e88c6ac160
SHA1

02560311ba7bd86953bf8e8d82488179fab1c775
SHA256

d99dd842a22b3fc8e7a353162a8cc13b1ce75c6f053f14d501f084da67d80c5a
SHA512

a0896f3b9dbef4b182b3f960ba30245e7df57d1ebfa438ef188ff2108a5ccac04ca12fb38f54f431e6f9d882f14f4007724a66b42bfa4f1b668b65d0605379d1
SSDEEP

24576:aVlHvqRSRRVnMngoCGanruCuZZgkdMjdem4vlOcy3xr8d8cgUKck:Oy4Rfn6goCGan6CuZKIqdem4tOZxr8dO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2040	nchsetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2932	3e91d70d9ae99f27248c15e88c6ac160.exe
2932	3e91d70d9ae99f27248c15e88c6ac160.exe
2932	3e91d70d9ae99f27248c15e88c6ac160.exe
2932	3e91d70d9ae99f27248c15e88c6ac160.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2040	nchsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2040	2932	3e91d70d9ae99f27248c15e88c6ac160.exe	28
PID 2932 wrote to memory of 2040	2932	3e91d70d9ae99f27248c15e88c6ac160.exe	28
PID 2932 wrote to memory of 2040	2932	3e91d70d9ae99f27248c15e88c6ac160.exe	28
PID 2932 wrote to memory of 2040	2932	3e91d70d9ae99f27248c15e88c6ac160.exe	28
PID 2932 wrote to memory of 2040	2932	3e91d70d9ae99f27248c15e88c6ac160.exe	28
PID 2932 wrote to memory of 2040	2932	3e91d70d9ae99f27248c15e88c6ac160.exe	28
PID 2932 wrote to memory of 2040	2932	3e91d70d9ae99f27248c15e88c6ac160.exe	28

C:\Users\Admin\AppData\Local\Temp\3e91d70d9ae99f27248c15e88c6ac160.exe
"C:\Users\Admin\AppData\Local\Temp\3e91d70d9ae99f27248c15e88c6ac160.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\3e91d70d9ae99f27248c15e88c6ac160.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
1.9MB

MD5
7ccb33f885fb3aac0b38a858d27104e1

SHA1
f899e30626b152b13ba58bc681979a4f5738ff92

SHA256
f4b360734ed070ccb1176e38be7792a25d79b43f6975bbab391aa770814ce9cd

SHA512
36941d7c3d4dcb5b89fb6dc4654b91963550cf7fd46c1e83d55064e276167555393a468bad38cdb5645e49eaf3115e97162390ee2ee4cd5c93d4f347d948a59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
2.0MB

MD5
abd4f2507796fe9841c38318b7f89c72

SHA1
687a58420e3852e6a90192ab27fee9e0d673e238

SHA256
66fc45a0ad898d47b9306b1aa66a6820ae4634c9374178bf8b99ce183eae3c9a

SHA512
014e8a06e78e8c7ad7e25588f857c7f65ddd55b7a4729c4197f44794917d7a58ba1841fdf4e6e2dd9bfdff0f988f87ed5b211eedb1d9de7a1951d16817827bee

Download Submit
\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
3.0MB

MD5
35355e1c9172a7a98ec69b1c5ed95dee

SHA1
e8bc12d10ed2f642326a646e68bbb2f90d8a7a03

SHA256
b88b478fc1a448a6794bb9ba9b3f71f781275f8b177db959ac3b0417caac1c16

SHA512
b4032a9ff44d54fff89b5c4dcd1d321f1798a411c8d7430663c28a6124802650213b2b5a7e78460d7d90d13034e9ed2dfc058f729645795c19e941e72edf926b

Download Submit
\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
2.3MB

MD5
75422ae1bd1303ac75ca3dd308f05680

SHA1
1568c3bbbbf158463d56e22a3e7b2d776338e61e

SHA256
69a8afe6fc4ccaa0b71f2cf5f85e62018dfae4529eefacae4c8ae06989f46ced

SHA512
1c9b31f2ac5cf760d9ca2c8e74a8b9a4ffcf4cd3a62153c2d097a94160a0dd40252ae63f257ba7c11bed5407696c86ad466d4a9081b59a0b3e9da4ca5ec87be5

Download Submit
\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
1.9MB

MD5
5e5d8d082ed946a80a8eaf8bcd12c2a6

SHA1
7377dd6effd9bef0109e3b64e056fe1b240060dc

SHA256
b3221d4e72b4bfee6022d4c59da6ff0470439b3fc394102907ebb0cb4f43a4c6

SHA512
a5d97ad3c073bbec2e4b4e7a5e61d87b823efad757a76d63c4407942cb6ecb43bcb5e6a49d570095e65594ae1d6276a1d660f416e22c48c188073cc67c91a6da

Download Submit
\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe

Filesize
2.0MB

MD5
f077afae0f0d498d16e97c95d91efddd

SHA1
8274b76e68ce16c2d3f9768b54af41676be0cfba

SHA256
37bd4b053e58b48559db38a6d21c6c422cf4673fd297504fa1cb4b22bb4e1ada

SHA512
b83ba5df016f6494c2b8186351d7a8961d968f05caa289e8ae5350db465068065f1644d937b626fcb0e3af8112ee93b943bd8d837c9e5b708496796e73e6236d

Download Submit
memory/2040-23-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2040-24-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download