6b1c2f8bbfcaa3788d225aafa3edf378b5a9151b3e6efc9d9b3d0ee23e03b712

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SandboxieInstall3.4402.exe
Size

1.4MB
MD5

95854e5f024e6feb4d29bef921094f08
SHA1

47d6df50a9ae09727418ae13db2c5d2eb3ba3c0e
SHA256

49109d30fe59c6236dcacacf2ebda59d38450e6c2579fbb9cfc2e400436c12e2
SHA512

d9f0bcbd9e0c8b8d4447a041dd5240f7257581b2cd6edae329e72b0f7536985a76b68df0211d889272ee120b23599225c2aea8146cc7c72b9153e6507fc211c3
SSDEEP

24576:6gmP7E//07K4MjCx4SqIFBP+1C+tCuQNy0hj8gSN1NA1o+8MuqZ6Zq2KJwpoTClw:t07K4syyWt/uQM0h8gSPe7pJwpoZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
816	SandboxieInstall-64-bit-259411550.exe

Loads dropped DLL 3 IoCs

pid	Process
3032	SandboxieInstall3.4402.exe
816	SandboxieInstall-64-bit-259411550.exe
816	SandboxieInstall-64-bit-259411550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x0009000000012252-1.dat	nsis_installer_1
behavioral3/files/0x0009000000012252-1.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
816	SandboxieInstall-64-bit-259411550.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 816	3032	SandboxieInstall3.4402.exe	28
PID 3032 wrote to memory of 816	3032	SandboxieInstall3.4402.exe	28
PID 3032 wrote to memory of 816	3032	SandboxieInstall3.4402.exe	28
PID 3032 wrote to memory of 816	3032	SandboxieInstall3.4402.exe	28
PID 3032 wrote to memory of 816	3032	SandboxieInstall3.4402.exe	28
PID 3032 wrote to memory of 816	3032	SandboxieInstall3.4402.exe	28
PID 3032 wrote to memory of 816	3032	SandboxieInstall3.4402.exe	28

C:\Users\Admin\AppData\Local\Temp\SandboxieInstall3.4402.exe
"C:\Users\Admin\AppData\Local\Temp\SandboxieInstall3.4402.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\SandboxieInstall-64-bit-259411550.exe
  "C:\Users\Admin\AppData\Local\Temp\SandboxieInstall3.4402.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\SandboxieInstall-64-bit-259411550.exe

Filesize
804KB

MD5
7f597ce8edd6bdf1fa494d451dcf3964

SHA1
d18fb84b14d80ca4bda58b7a8ee8565e2cf2584b

SHA256
0ddcf0c56e5b427e78ab8dbdb2b4d15fdc7517fc5250ccf1edca597e4695720e

SHA512
afa8f19c76a3ab713d578fa6f3c9245a3f6f67b6c7d873af25ec5687f8fa988d2d398593b9bb58b9535a04b219b340f3e763e5f3764e2ddf38ba9b1beba7eecb

Download Submit
\Users\Admin\AppData\Local\Temp\nst50C1.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit
\Users\Admin\AppData\Local\Temp\nst50C1.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit