e2ce136b057db82b5967bc923c861b0a40d6935fe5d7b74cd3cb1db94a0072d7

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

148790c33dad176e7430e5a22dbc2b96.exe
Size

83KB
MD5

148790c33dad176e7430e5a22dbc2b96
SHA1

54d3cf0a10873f4b2116ba079bdabc9ddeaa1276
SHA256

e2ce136b057db82b5967bc923c861b0a40d6935fe5d7b74cd3cb1db94a0072d7
SHA512

5b9e1cd9b9bfc4565c093987b4b1908317649ff8987432817f6fb9377817f0ac4fa441345f57ebb265f9ca17c13b8b90193bf81c6b0033dc475b562c3c322ff3
SSDEEP

1536:xpgpHzb9dZVX9fHMvG0D3XJkQJwCOwVpLFBrnsV/9CswxQ93:rgXdZt9P6D3XJVrpm/9p93

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1596	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	148790c33dad176e7430e5a22dbc2b96.exe
1596	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000014177-5.dat	nsis_installer_1
behavioral1/files/0x000b000000014177-5.dat	nsis_installer_2
behavioral1/files/0x000b000000014177-6.dat	nsis_installer_1
behavioral1/files/0x000b000000014177-6.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1596	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1596	2480	148790c33dad176e7430e5a22dbc2b96.exe	17
PID 2480 wrote to memory of 1596	2480	148790c33dad176e7430e5a22dbc2b96.exe	17
PID 2480 wrote to memory of 1596	2480	148790c33dad176e7430e5a22dbc2b96.exe	17
PID 2480 wrote to memory of 1596	2480	148790c33dad176e7430e5a22dbc2b96.exe	17

C:\Users\Admin\AppData\Local\Temp\148790c33dad176e7430e5a22dbc2b96.exe
"C:\Users\Admin\AppData\Local\Temp\148790c33dad176e7430e5a22dbc2b96.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso29A1.tmp\ioSpecial.ini

Filesize
421B

MD5
c76fe44ff93acbcc0533529176396834

SHA1
4db9d688febe6ed137faee2d0b59f15b3907ada9

SHA256
acbff423404e0d45efb788217d2916d84ad68b44f76436eecfd781dbde8c633a

SHA512
446b94ff4b4b55a8c1e483ff99ca44aacefa6d0faaa6f79f9d2490eb6105a750625ded8a6ce40f05c7a442e0d2153c6d9158af96dc83dc2a029ed619b92f1e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso29A1.tmp\ioSpecial.ini

Filesize
656B

MD5
9ffb2e4bdbec256c5e5fefd343fad7c1

SHA1
7352e55155ce416346a8c3b6976a498cd7fa3e5a

SHA256
f957b8a682598073015054dbc343931d5c3d834f789b7e7f4bfe6b0d9dfab39b

SHA512
fa9a9623ec42b2cb03dc891446741654050c06ddf4141d80655fe5ccc606e76427a4373769d6a151004194dda83fb5c20b29ccd627f9bbd04d1e99731150ddd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
64KB

MD5
e13b1c131b5270aae3c827b4ab545526

SHA1
662db5cb9953ec5afff8a4cbc1b877d212dadd99

SHA256
5055b33052a773b7f75a4b4a791bf7b747cafbd61267ef429704e28b1cb30ff4

SHA512
f2f2e59cffaa3238323a1e200a066eba7cb22cc2840fa97db02e5824d30207f3d70ad2038068e34effc69288f0f5bf5d49ef12600743fa192b365c55c2af9bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
83KB

MD5
148790c33dad176e7430e5a22dbc2b96

SHA1
54d3cf0a10873f4b2116ba079bdabc9ddeaa1276

SHA256
e2ce136b057db82b5967bc923c861b0a40d6935fe5d7b74cd3cb1db94a0072d7

SHA512
5b9e1cd9b9bfc4565c093987b4b1908317649ff8987432817f6fb9377817f0ac4fa441345f57ebb265f9ca17c13b8b90193bf81c6b0033dc475b562c3c322ff3

Download Submit
\Users\Admin\AppData\Local\Temp\nso29A1.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit