dc5d27aea969527bada1d4cf6080fac59fe497c1f77d36db51deddb2e0047d9e

Analysis

max time kernel
156s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b4c2474ab43b101158dc9249d625471.exe
Size

185KB
MD5

6b4c2474ab43b101158dc9249d625471
SHA1

e9205b8cbb5eb5a1d0a487c9401023a6ee853cd5
SHA256

dc5d27aea969527bada1d4cf6080fac59fe497c1f77d36db51deddb2e0047d9e
SHA512

6b0fb876ebf3270aebae2df530d3591aa90f99432924454b3fcfdf8224895dbe90bdc1ccfc0bd83ae01383d0d89f59fa92fc71d256a5b343848fac071fa4aaef
SSDEEP

3072:3Lk395hYXJiCvwgK4vb6Y8cd9AcRkqNeyar1gplOJGnf+KbkbDAyyDggo2aD3OB9:3QqltvvWY8WRkdyahgpoJGnlkbyDggCS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3140	Au_.exe
3248	nsv730.tmp.exe
3564	GLB7DB.tmp

Loads dropped DLL 1 IoCs

pid	Process
3564	GLB7DB.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023222-2.dat	nsis_installer_1
behavioral2/files/0x0006000000023222-2.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 3140	4040	6b4c2474ab43b101158dc9249d625471.exe	93
PID 4040 wrote to memory of 3140	4040	6b4c2474ab43b101158dc9249d625471.exe	93
PID 4040 wrote to memory of 3140	4040	6b4c2474ab43b101158dc9249d625471.exe	93
PID 3140 wrote to memory of 3248	3140	Au_.exe	94
PID 3140 wrote to memory of 3248	3140	Au_.exe	94
PID 3140 wrote to memory of 3248	3140	Au_.exe	94
PID 3248 wrote to memory of 3564	3248	nsv730.tmp.exe	95
PID 3248 wrote to memory of 3564	3248	nsv730.tmp.exe	95
PID 3248 wrote to memory of 3564	3248	nsv730.tmp.exe	95

C:\Users\Admin\AppData\Local\Temp\6b4c2474ab43b101158dc9249d625471.exe
"C:\Users\Admin\AppData\Local\Temp\6b4c2474ab43b101158dc9249d625471.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\nsv730.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\nsv730.tmp.exe" -ORIGINAL_DIR=C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\GLB7DB.tmp
      C:\Users\Admin\AppData\Local\Temp\GLB7DB.tmp -ORIGINAL_DIR=C:\Users\Admin\AppData\Local\Temp4736 C:\Users\Admin\AppData\Local\Temp\NSV730~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLB7DB.tmp

Filesize
70KB

MD5
1b0a583f2e71dd6c1e14dee4403eacdc

SHA1
06a5e4298b6e44105db36f26e9d36b42a2082f43

SHA256
2eba6488820105baab496bf9e7c773b0afaada2e11ce56c56c8b91aec30322cf

SHA512
253d6cf2df8af6bf6bfa81ab9dc3b7204250af817eed02d327452f3e9664eccd1df681c86dae6f0800d7d34698e0ad4d41d49e84cc71adba3a2dd06e64aff216

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC8B5.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv730.tmp.exe

Filesize
160KB

MD5
924d60b7c0018a7f9184752297b0c369

SHA1
9ac011f3ef9987574f2a4ce8d0a3117490ae80bd

SHA256
8b5e9d194609a4632af2ed14f2c330d21aea34f2af17c7706bbe16cad33b8fd4

SHA512
eb31ebe95194a4b4ae1325198e776f8cc47ec79d7d23250211a106e5d874e07dd68ee8d2582ece225d55aaca79090ad4ef6267cdbeca7102edb22806e3b94fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
185KB

MD5
6b4c2474ab43b101158dc9249d625471

SHA1
e9205b8cbb5eb5a1d0a487c9401023a6ee853cd5

SHA256
dc5d27aea969527bada1d4cf6080fac59fe497c1f77d36db51deddb2e0047d9e

SHA512
6b0fb876ebf3270aebae2df530d3591aa90f99432924454b3fcfdf8224895dbe90bdc1ccfc0bd83ae01383d0d89f59fa92fc71d256a5b343848fac071fa4aaef

Download Submit