Overview

overview

7

Static

static

3

702d28a918...e0.exe

windows7-x64

7

702d28a918...e0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2023 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    702d28a918a048d292d1f0bd7d7963da047b4920b3ac7b16daa043f9701f42e0.exe

  • Size

    3.2MB

  • MD5

    238a6a9df3087cc33a6c76433e89ae7b

  • SHA1

    10cd4fb4f53c76c46c7550e8240c7da50680eec6

  • SHA256

    702d28a918a048d292d1f0bd7d7963da047b4920b3ac7b16daa043f9701f42e0

  • SHA512

    c230be86800d50169b84afe39e5e0ff7599e731af466853c7f6d4093354c6259fbbfcb8a283b99b7ce08ee758d14e0272bafff1c124f07d3f951653cd1b55646

  • SSDEEP

    49152:YxdVJwZrWzElHkm7xAfovAF6RKcwSx+29uWV9D489V:YxRjzElE2AAvAF6RKx291PM+V

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\702d28a918a048d292d1f0bd7d7963da047b4920b3ac7b16daa043f9701f42e0.exe
    "C:\Users\Admin\AppData\Local\Temp\702d28a918a048d292d1f0bd7d7963da047b4920b3ac7b16daa043f9701f42e0.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\taskkill.exe
        TASKKILL /F /PID 2800
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
        NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\702d28a918a048d292d1f0bd7d7963da047b4920b3ac7b16daa043f9701f42e0.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
    Filesize

    99KB

    MD5

    0ac3e9d59309f599403ac51615bfe41b

    SHA1

    9041c5562558cb58ac98bd18de3c0ce370a59e1f

    SHA256

    6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c

    SHA512

    e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\temp.bat
    Filesize

    145B

    MD5

    951b46ed6006b06aed94c27405e8e087

    SHA1

    ce35b6c050c4078bca7c232f1dc1eb438b1c6269

    SHA256

    54ec0bd68d24075c42a1315f5c9a83d4043c37a18cf0b308d33e89ea7bd1086a

    SHA512

    c1cbe8b26350a245fc510fe3fc4b035c694463f27d843ae9a1f189b21600a61ffbc71500bf2c1b4b6dc9fb17cca8870f7794162d3cec68a5d9f3db780ad683cd

    Download Submit

  • memory/2800-0-0x0000000000400000-0x000000000077D000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2800-15-0x0000000000400000-0x000000000077D000-memory.dmp

    Filesize

    3.5MB

    Download