d809d65d3c625ce88936bd80d6c3e975b2993413a55ca4eee2864d049647f73e

General

Target

073ceea87902403409a153379d01ca8e.exe
Size

132KB
MD5

073ceea87902403409a153379d01ca8e
SHA1

001e4201241694e38123dd9a66509e6d143ead0d
SHA256

d809d65d3c625ce88936bd80d6c3e975b2993413a55ca4eee2864d049647f73e
SHA512

e6a33c1df556f24af2420c2e8f96b382108f7d7f44f36dfe71b6f5662ee4e184f9714ce9713d9250f2826d19047914fe24e2462c6d9b201310b4e151f9bc5829
SSDEEP

3072:3s5j4nwcnf0W2pFflX7OTaxj+E09L+8mpCC/WnJarW3Rpc1:cV45nMW2pQaxjuqSJrRA

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1896 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

nuak.exe

pid process

1708 nuak.exe
Loads dropped DLL 2 IoCs

Processes:

073ceea87902403409a153379d01ca8e.exe

pid process

2256 073ceea87902403409a153379d01ca8e.exe
2256 073ceea87902403409a153379d01ca8e.exe

pid	process
1896	cmd.exe

pid	process
2256	073ceea87902403409a153379d01ca8e.exe
2256	073ceea87902403409a153379d01ca8e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nuak.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2F5FC26E-B09C-AF5A-8C72-43404733D426} = "C:\\Users\\Admin\\AppData\\Roaming\\Saipev\\nuak.exe"	nuak.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

073ceea87902403409a153379d01ca8e.exe

description pid process target process

PID 2256 set thread context of 1896 2256 073ceea87902403409a153379d01ca8e.exe cmd.exe

description	pid	process	target process
PID 2256 set thread context of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

073ceea87902403409a153379d01ca8e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy	073ceea87902403409a153379d01ca8e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	073ceea87902403409a153379d01ca8e.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

nuak.exe

pid	process
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe
1708	nuak.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

073ceea87902403409a153379d01ca8e.exe

description	pid	process
Token: SeSecurityPrivilege	2256	073ceea87902403409a153379d01ca8e.exe
Token: SeSecurityPrivilege	2256	073ceea87902403409a153379d01ca8e.exe
Token: SeSecurityPrivilege	2256	073ceea87902403409a153379d01ca8e.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

073ceea87902403409a153379d01ca8e.exenuak.exe

description	pid	process	target process
PID 2256 wrote to memory of 1708	2256	073ceea87902403409a153379d01ca8e.exe	nuak.exe
PID 2256 wrote to memory of 1708	2256	073ceea87902403409a153379d01ca8e.exe	nuak.exe
PID 2256 wrote to memory of 1708	2256	073ceea87902403409a153379d01ca8e.exe	nuak.exe
PID 2256 wrote to memory of 1708	2256	073ceea87902403409a153379d01ca8e.exe	nuak.exe
PID 1708 wrote to memory of 1280	1708	nuak.exe	taskhost.exe
PID 1708 wrote to memory of 1280	1708	nuak.exe	taskhost.exe
PID 1708 wrote to memory of 1280	1708	nuak.exe	taskhost.exe
PID 1708 wrote to memory of 1280	1708	nuak.exe	taskhost.exe
PID 1708 wrote to memory of 1280	1708	nuak.exe	taskhost.exe
PID 1708 wrote to memory of 1336	1708	nuak.exe	Dwm.exe
PID 1708 wrote to memory of 1336	1708	nuak.exe	Dwm.exe
PID 1708 wrote to memory of 1336	1708	nuak.exe	Dwm.exe
PID 1708 wrote to memory of 1336	1708	nuak.exe	Dwm.exe
PID 1708 wrote to memory of 1336	1708	nuak.exe	Dwm.exe
PID 1708 wrote to memory of 1384	1708	nuak.exe	Explorer.EXE
PID 1708 wrote to memory of 1384	1708	nuak.exe	Explorer.EXE
PID 1708 wrote to memory of 1384	1708	nuak.exe	Explorer.EXE
PID 1708 wrote to memory of 1384	1708	nuak.exe	Explorer.EXE
PID 1708 wrote to memory of 1384	1708	nuak.exe	Explorer.EXE
PID 1708 wrote to memory of 1676	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 1676	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 1676	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 1676	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 1676	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 2256	1708	nuak.exe	073ceea87902403409a153379d01ca8e.exe
PID 1708 wrote to memory of 2256	1708	nuak.exe	073ceea87902403409a153379d01ca8e.exe
PID 1708 wrote to memory of 2256	1708	nuak.exe	073ceea87902403409a153379d01ca8e.exe
PID 1708 wrote to memory of 2256	1708	nuak.exe	073ceea87902403409a153379d01ca8e.exe
PID 1708 wrote to memory of 2256	1708	nuak.exe	073ceea87902403409a153379d01ca8e.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 2256 wrote to memory of 1896	2256	073ceea87902403409a153379d01ca8e.exe	cmd.exe
PID 1708 wrote to memory of 1884	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 1884	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 1884	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 1884	1708	nuak.exe	DllHost.exe
PID 1708 wrote to memory of 1884	1708	nuak.exe	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\073ceea87902403409a153379d01ca8e.exe
"C:\Users\Admin\AppData\Local\Temp\073ceea87902403409a153379d01ca8e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp61800590.bat"
2⤵
- Deletes itself
PID:1896

C:\Users\Admin\AppData\Roaming\Saipev\nuak.exe
"C:\Users\Admin\AppData\Roaming\Saipev\nuak.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1676

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Saipev\nuak.exe
Filesize
92KB

MD5
0b962169a722f4ba6c66c50f8616544e

SHA1
8ec2be9a18cd677dd218b266d1fc1c4e658d81da

SHA256
94d195946d7ffa1b74ff53b292576a97f4d0e7220b25fa418d622b89ee1108ef

SHA512
253dd71e3d11668c383f6a30c2219cb1f6b750298eb2e87d176b08652ec518746e403d9ca6797575d28268255518e839acc6b9dd65a011226b25a08ec2cd4856

Download Submit
\Users\Admin\AppData\Roaming\Saipev\nuak.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1280-10-0x0000000001FC0000-0x0000000001FE6000-memory.dmp

Filesize
152KB

Download
memory/1280-14-0x0000000001FC0000-0x0000000001FE6000-memory.dmp

Filesize
152KB

Download
memory/1280-13-0x0000000001FC0000-0x0000000001FE6000-memory.dmp

Filesize
152KB

Download
memory/1280-12-0x0000000001FC0000-0x0000000001FE6000-memory.dmp

Filesize
152KB

Download
memory/1280-11-0x0000000001FC0000-0x0000000001FE6000-memory.dmp

Filesize
152KB

Download
memory/1336-22-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/1336-16-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/1336-20-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/1336-18-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/1384-26-0x00000000029E0000-0x0000000002A06000-memory.dmp

Filesize
152KB

Download
memory/1384-25-0x00000000029E0000-0x0000000002A06000-memory.dmp

Filesize
152KB

Download
memory/1384-27-0x00000000029E0000-0x0000000002A06000-memory.dmp

Filesize
152KB

Download
memory/1384-28-0x00000000029E0000-0x0000000002A06000-memory.dmp

Filesize
152KB

Download
memory/1676-33-0x0000000001CB0000-0x0000000001CD6000-memory.dmp

Filesize
152KB

Download
memory/1676-30-0x0000000001CB0000-0x0000000001CD6000-memory.dmp

Filesize
152KB

Download
memory/1676-31-0x0000000001CB0000-0x0000000001CD6000-memory.dmp

Filesize
152KB

Download
memory/1676-32-0x0000000001CB0000-0x0000000001CD6000-memory.dmp

Filesize
152KB

Download
memory/1896-176-0x0000000077680000-0x0000000077681000-memory.dmp

Filesize
4KB

Download
memory/1896-237-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/1896-236-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1896-175-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/2256-66-0x0000000077680000-0x0000000077681000-memory.dmp

Filesize
4KB

Download
memory/2256-56-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-40-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-39-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2256-37-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2256-36-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2256-35-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2256-44-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-46-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-48-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-50-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-52-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-54-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-42-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-58-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-60-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-62-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-65-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-38-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2256-68-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-70-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-72-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-74-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-131-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2256-142-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2256-64-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads