e1fc1bbaf6c3144462068e645b3fdfafcbc3956fc055fbba3e0a2ea2ac11b2ba

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c631b5651a41842151171ee98b155be.exe
Size

75KB
MD5

3c631b5651a41842151171ee98b155be
SHA1

e365837a275b6c79192cd87a3f4c7659987766fb
SHA256

e1fc1bbaf6c3144462068e645b3fdfafcbc3956fc055fbba3e0a2ea2ac11b2ba
SHA512

f86d393c44fdbdc401fbea4e3d5d7482f557d970539e269577554686554b427dfefdbbb8f7fce50b32117b2a7627e3702befe4bd34b95f350e3eb7b13a3e93df
SSDEEP

1536:4MHxqNxd3xtdTfzHyl9X3BJeUjlwYOkJWF3TvIqBNpISL:JHxOdljyj3BJeUjhJWZXHL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2240	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	3c631b5651a41842151171ee98b155be.exe
2240	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a000000012251-2.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2240	2536	3c631b5651a41842151171ee98b155be.exe	28
PID 2536 wrote to memory of 2240	2536	3c631b5651a41842151171ee98b155be.exe	28
PID 2536 wrote to memory of 2240	2536	3c631b5651a41842151171ee98b155be.exe	28
PID 2536 wrote to memory of 2240	2536	3c631b5651a41842151171ee98b155be.exe	28

C:\Users\Admin\AppData\Local\Temp\3c631b5651a41842151171ee98b155be.exe
"C:\Users\Admin\AppData\Local\Temp\3c631b5651a41842151171ee98b155be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso5F41.tmp\NSISdl.dll

Filesize
72KB

MD5
b13935bfa7a3e43c112bd9fa02f08f28

SHA1
dec4f136057097c412f53c2ae41b80a8ad0c6810

SHA256
796f7efb91904fa4105528e18f6f87e3fdab9a070dabef83e02f9ae375b2b060

SHA512
1b92cde7bf74fc181b4d2602a269ef1f581b75eb67e3e46b256ddaddc153b95ee17d422a56ca04d68eafe61ab468b708f7f3691f3b47c554a67af00d49b2709a

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
75KB

MD5
3c631b5651a41842151171ee98b155be

SHA1
e365837a275b6c79192cd87a3f4c7659987766fb

SHA256
e1fc1bbaf6c3144462068e645b3fdfafcbc3956fc055fbba3e0a2ea2ac11b2ba

SHA512
f86d393c44fdbdc401fbea4e3d5d7482f557d970539e269577554686554b427dfefdbbb8f7fce50b32117b2a7627e3702befe4bd34b95f350e3eb7b13a3e93df

Download Submit
memory/2240-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-14-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2240-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download