211de1f5d7f8846b8ee917e80ea240e2f191470b552793060f00d4186729d01f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 22:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

408ecefa674db829f36cac1888d76b77.exe
Size

183KB
MD5

408ecefa674db829f36cac1888d76b77
SHA1

31e0c9126951b6834b6d2557a4d2ffbddade3c45
SHA256

211de1f5d7f8846b8ee917e80ea240e2f191470b552793060f00d4186729d01f
SHA512

11301018d8199cdbbd605b5ef1309bcc435bce6a3bc70e05286c78305b96aaf7deed1421510f630c0b91789c87df7e21b137fd7653427cff142b0c995cb45ed1
SSDEEP

3072:F8s1Gp7KusHaC7L2p9uHoM4W8uAI0fLUl1D3VR6rorha280dO70vUn+2pek:23pZ07L+uqXI0Al1zVRjrh3Q7eQpek

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1252	northstar.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	408ecefa674db829f36cac1888d76b77.exe
2212	408ecefa674db829f36cac1888d76b77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1252	northstar.exe
1252	northstar.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1252	2212	408ecefa674db829f36cac1888d76b77.exe	28
PID 2212 wrote to memory of 1252	2212	408ecefa674db829f36cac1888d76b77.exe	28
PID 2212 wrote to memory of 1252	2212	408ecefa674db829f36cac1888d76b77.exe	28
PID 2212 wrote to memory of 1252	2212	408ecefa674db829f36cac1888d76b77.exe	28

C:\Users\Admin\AppData\Local\Temp\408ecefa674db829f36cac1888d76b77.exe
"C:\Users\Admin\AppData\Local\Temp\408ecefa674db829f36cac1888d76b77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\nsoA8E.tmp\northstar.exe
  C:\Users\Admin\AppData\Local\Temp\nsoA8E.tmp\northstar.exe /dT201303151726 /e49278 /u4dc9054e-38b0-4614-bdd5-20605bc06f26
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoA8E.tmp\VPatch.dll

Filesize
10KB

MD5
20ee82203544c4f831a7dc1650e7ec51

SHA1
671affb8e32f06777483782197173af254e02548

SHA256
69a00c14562ea5a71f6196b307292fa6d8b1a2fc02368020f40c84b3b0a1a83a

SHA512
4dabcc0cfebb36cfe57fa05777224f45c04c84031cfecf4184bd95d2b148ce18a6c91655320e69c1709e740a261e1e25effc8395fed91d0fc61b18f9a9f7685f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8E.tmp\northstar.exe

Filesize
257KB

MD5
a40a5b00d7dd024a86e68ed81e10fa8e

SHA1
0f963221c3d9d0d87706aed31bc71e230d964e5a

SHA256
a725b4ec4d6df49c641aa8e7523b1610b6c3de0fcff48ee599f213f7bd9aae0d

SHA512
0855142d38fb3debce5ba9cbb46f8fc7dbac4868f3da863c6eb0bc715943f47f4e40f3674f846d1b4da8a63fd45e5771bb38d8b7eba710674693320a942a1d0f

Download Submit
memory/1252-15-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-16-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/1252-17-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-19-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/1252-18-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/1252-20-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download