cff69e52d538076b4e171dd763569061651bdbe007cba21370a7d7695d7aa18d

General

Target

0ee2b17105fbd7440f9712f4d1553538.exe
Size

637KB
MD5

0ee2b17105fbd7440f9712f4d1553538
SHA1

a23f9e43626f40384088a7a9af431c90fea011a6
SHA256

cff69e52d538076b4e171dd763569061651bdbe007cba21370a7d7695d7aa18d
SHA512

75f2cb034870c973e734bcddae147bb285e585b756e4dc91f3b3e07ded1c629fee8031f36694f74313ac9d4547434b6e492761e6c21516041bdf6c00fa79a579
SSDEEP

12288:9JWwES1vRTzbtnOPYTlG4lqFL2ayYpj/vrigk2BDb9D5P/drs7nyvn7tlhLBd:npESZDMAl212ExHWi9D9u+lhLL

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3028	NSIS_setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2860	0ee2b17105fbd7440f9712f4d1553538.exe
3028	NSIS_setup.exe
3028	NSIS_setup.exe
3028	NSIS_setup.exe
3028	NSIS_setup.exe
3028	NSIS_setup.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2860-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\pack.epk	0ee2b17105fbd7440f9712f4d1553538.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000016176-10.dat	nsis_installer_1
behavioral1/files/0x0009000000016176-13.dat	nsis_installer_1
behavioral1/files/0x0009000000016176-12.dat	nsis_installer_1
behavioral1/files/0x0009000000016176-11.dat	nsis_installer_1
behavioral1/files/0x0009000000016176-8.dat	nsis_installer_1
behavioral1/files/0x0009000000016176-5.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	NSIS_setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3028	2860	0ee2b17105fbd7440f9712f4d1553538.exe	16
PID 2860 wrote to memory of 3028	2860	0ee2b17105fbd7440f9712f4d1553538.exe	16
PID 2860 wrote to memory of 3028	2860	0ee2b17105fbd7440f9712f4d1553538.exe	16
PID 2860 wrote to memory of 3028	2860	0ee2b17105fbd7440f9712f4d1553538.exe	16
PID 2860 wrote to memory of 3028	2860	0ee2b17105fbd7440f9712f4d1553538.exe	16
PID 2860 wrote to memory of 3028	2860	0ee2b17105fbd7440f9712f4d1553538.exe	16
PID 2860 wrote to memory of 3028	2860	0ee2b17105fbd7440f9712f4d1553538.exe	16

C:\Users\Admin\AppData\Local\Temp\0ee2b17105fbd7440f9712f4d1553538.exe
"C:\Users\Admin\AppData\Local\Temp\0ee2b17105fbd7440f9712f4d1553538.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\temp\NSIS_setup.exe
  "C:\Windows\temp\NSIS_setup.exe" "/LICFILE=C:\Windows\temp\license.dat" "/MC=C:\Windows\system32\ullbjafowe.exe" "/MCPARAMS=INSTALL:|37||172800"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\NSIS_setup.exe

Filesize
31KB

MD5
9709fc3229ac0b7b2c2044cb10528127

SHA1
4383e3c756953c17c2391c868d50cfc1285f6335

SHA256
4a8f995e55d214a7ef390e7b67f553da48fb531af2f0d94e51205e0b974c5367

SHA512
7aa08b0f2efc9b43c2fd5add4e6d6f7f9287834915fd4df03c197c0fe9990e7d803ef2f79d4a5f10c30be4d6dc1efde056989f6080de27edfe2d406535e6d439

Download Submit
C:\Windows\temp\NSIS_setup.exe

Filesize
18KB

MD5
a0cab44afb43cd9e6d749140408b3153

SHA1
ab4310020c14b5642a527e463880ba31c70086a7

SHA256
480d1836b15992d6d26e96ee20532c9dbabf9f9a6aa7fd773c031132ff188097

SHA512
5da1ff10fd5bb706dee0b72853c7a87e7485410c00974a7926a72419450483f802e492295953fc2122086ffd4a76a00c9beb673fd2496720abdc9c7b9ab9e3bc

Download Submit
\Users\Admin\AppData\Local\Temp\nst14BB.tmp\LangDLL.dll

Filesize
5KB

MD5
8be27f3bdec2b49d0a6a674716622304

SHA1
70d17db576ed484a4c0195571118d307fd4dc1b9

SHA256
4fe0a8391574867d8bdc6fb33555d90e02796563f02d1e6536acc3294a85bd47

SHA512
add9f37dd0d7a27f19d172c82599a79d049385c12cdfb78745ce2b0685ecea8f85c718bd62ecd671bbed949529429500853534b63226809e707ad3745a8fc801

Download Submit
\Windows\Temp\NSIS_setup.exe

Filesize
25KB

MD5
081abb86036d9c0744568f190dfc66f8

SHA1
0754026d7b003f0e944481ea9428fc6358f1c7c3

SHA256
72819db24b9a0d6f52a33bbae5f0d6e6d38625cde1252a46ff6c347e959ba015

SHA512
b2d0f25922fe44bbf927221ef9cc9ffdae1217c8b2ce3c67db189070424d4a1304aacf1b70edf40dd5e1d9d2004119afb0e966140321e7790015aee89c5314ed

Download Submit
\Windows\Temp\NSIS_setup.exe

Filesize
15KB

MD5
d7660149101096921428380815147da6

SHA1
d955c0eb079dac9a4e066d22e953a9bb2afcc171

SHA256
4572cb92a3913862f6f934c9f4cd9afe6c53b4ea1aadb1875842b2d8d9e8686d

SHA512
3043b9cbd99c2c0fb4f8025f5c66a9af23b9f2c0e86cc9ec8a0545cdae5231bc9d87f9f3a755c91e7c13db28c2dec9008c5875247a4ee5eab37ecaee4f10c25b

Download Submit
\Windows\Temp\NSIS_setup.exe

Filesize
18KB

MD5
838d91af8c7c0904aa3ef9d5a781b90c

SHA1
d3307cfbba2eff2793473d471bd8702676115222

SHA256
44b89a79d6a3046cefe9a04ff9b629a44b405374640d00f2ca120cdfd123f689

SHA512
97eea62f1ae5c4419a66e7b5ae0e86f4596c8e062a36f7c350cc29acf140fba921050310f1252240a6a5785b2f3641139ba1da2b96572c21ebec59cb2d7bef4b

Download Submit
\Windows\Temp\NSIS_setup.exe

Filesize
78KB

MD5
20d78aa32f74440399604aa4edbbd520

SHA1
4c281ab5070b65c647b4ea6b4790bd53ddf63545

SHA256
b2c4f2a7be3f46284396ad9a961d4cc8516b364209a5be47fdea56253db3f392

SHA512
30873ece0a68571e0ea5fffc880cc58b3cdd286bba27c9242c2214aae4c7767359ddd68b80fd250e58c987af071826d9a4fb550508ac2953cfc1f307327dd298

Download Submit
memory/2860-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing