Analysis Overview
SHA256
402bef3fa2c40c93e8c4bd23e4605783a172e861e2d542a9f6172858fd438868
Threat Level: Shows suspicious behavior
The file 4a57dc33e1dd8a6ac06309534326430a was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Program crash
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 03:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 03:41
Reported
2024-01-08 03:43
Platform
win7-20231215-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe
"C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe"
C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe
C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe /checkispublisherinstalled
C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe
C:\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~2921~2951~~URL Parts Error~~SendRequest Error~EE-D0-D7-A1-BF-98~#~~SendRequest Error~~IE~~
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.northdl4best.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\intlib.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\Math.dll
| MD5 | b140459077c7c39be4bef249c2f84535 |
| SHA1 | c56498241c2ddafb01961596da16d08d1b11cd35 |
| SHA256 | 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67 |
| SHA512 | fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328 |
memory/2124-66-0x0000000000570000-0x000000000058A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\GetVersion.dll
| MD5 | 5264f7d6d89d1dc04955cfb391798446 |
| SHA1 | 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc |
| SHA256 | 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4 |
| SHA512 | 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7 |
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\registry.dll
| MD5 | 24a7a119e289f1b5b69f3d6cf258db7c |
| SHA1 | fec84298f9819adf155fcf4e9e57dd402636c177 |
| SHA256 | ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1 |
| SHA512 | fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861 |
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\215AppsChecker.exe
| MD5 | 420320e78490a36cf23cb17ffbb13358 |
| SHA1 | fcf1151c22f9b8c9e29ec6387b38e6b040bd196e |
| SHA256 | bc13af4eb6cc4917d617785d7e4ad09f64745a9cf06354833e815e9229ce8dcf |
| SHA512 | fe2774fd095c3a3b51b01a1da1c5fcd49b53f939b647c84cdfd3c243cb74644ca2909971bc87d3e5c8781a93c27ac3ef7691625a024008b4f1ffba4c947cd023 |
\Users\Admin\AppData\Local\Temp\nsi56E7.tmp\StdUtils.dll
| MD5 | 21010df9bc37daffcc0b5ae190381d85 |
| SHA1 | a8ba022aafc1233894db29e40e569dfc8b280eb9 |
| SHA256 | 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16 |
| SHA512 | 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e |
\Users\Admin\AppData\Local\Temp\nsy4F0B.tmp\dlhelpdl.exe
| MD5 | ed169c84a216825a90a03d889285b122 |
| SHA1 | 7a1c3f3e21adc893283260855898f93898c045b7 |
| SHA256 | 9aa109ebfe83d00f979b1ca43069eb72a35bb1dcb6e81c6336983a0db6da2c9a |
| SHA512 | d7cc68c29ed7892a781e2519f921e1627107499da368fbb86e1b3778cdc3d1c0930e7c24d0634f0d477480bbc3cd6cf5c42806e062679c3edd7c2f2f097d176e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-08 03:41
Reported
2024-01-08 03:44
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1088 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe | C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe |
| PID 1088 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe | C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe |
| PID 1088 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe | C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe
"C:\Users\Admin\AppData\Local\Temp\4a57dc33e1dd8a6ac06309534326430a.exe"
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~2921~2951~~URL Parts Error~~SendRequest Error~DE-9D-3A-49-EF-0E~#~~SendRequest Error~~~~
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1088 -ip 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1584
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.northdl4best.com | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\intlib.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
memory/1088-71-0x0000000002B00000-0x0000000002B1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\GetVersion.dll
| MD5 | 5264f7d6d89d1dc04955cfb391798446 |
| SHA1 | 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc |
| SHA256 | 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4 |
| SHA512 | 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7 |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\intlib.dll
| MD5 | 0e894133b6e53a20fec5cafda17a6610 |
| SHA1 | 7812be995cbc449d622466d96bcc1e4145c02201 |
| SHA256 | b7240dc8ded4da1ce7c13609c4fc6819d2545ddd2ea02e6e43e148ee64b59bd4 |
| SHA512 | a04468a592cb0636cc41f2d2a15b92db66a06d67e14ff087c0ca24bf641b68718b105cc2c6b783ced4c346a5a1bb584c1bd1866bdd5b0cad8d9fb27b1a2f14fb |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe
| MD5 | 9fb4d5536d6300d8d8caddfa4132e801 |
| SHA1 | a44f3dfb6ea79cef9d91db78fe2a17485998c408 |
| SHA256 | 5585aeca4cbb3882a0deb6431c70aae22af5fe7552ea07088733d1bf8109cb03 |
| SHA512 | 998abf434310d041bb3fb7bcd9fa6c429f9271b741806be5a247b39dc0632e293a8bae5d0911ccb1a0d90d6b02a783571917110d50cd1f00c1425e2c9c98d1bd |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\dlhelpdl.exe
| MD5 | 9797ba82ab34a1c544ebee45d1edf711 |
| SHA1 | 44754625d99b6896e1b9f01d30537f6274730311 |
| SHA256 | 66f806a7c68fa5902a0a7bb20761520350dcfb0ab59c4a2644249d2363bd1070 |
| SHA512 | 1d9ac6cb047c7e580d1a7b2663a09ce6bad50612750edc371374fc241bbfafad03b677b0ad9bc67be89a6c5ea7842202328381c6d815a63ba75c05d89d8b3340 |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\intlib.dll
| MD5 | 6789f6f686109a31e8282a64d4710061 |
| SHA1 | d29e63d0c01714d860f59f71c2ad72f2d6aba265 |
| SHA256 | 5e56b042927d13266a4d4bcfc458d29094ea86c771048be81cd4f63e6672a3fd |
| SHA512 | bebde4b8510a66d83d0a2ba7cc90371202fc824c37f72101751640031dc01074d98322230efc4c8815f465db6cd5fea62efdd4323c6c168c4c29a7676c4375f1 |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\GetVersion.dll
| MD5 | ad41d2238c7c9c2c0deb3d4a03ba18fd |
| SHA1 | ec3c3dc197d8fc2e73afee1a07b52518b31109ad |
| SHA256 | 1e8f08bb409b72ec8a0f0f954821d1aa61eb0e603de1cbe4885a40d8a13a768c |
| SHA512 | bfb298bbbd9d9a1540c61da6560d0b9d8cdaca800054908f41296e1e9ee947f7c498bf61e6cdf7725f0e5ab687569509d7fbc2bc9ac256993a021e9d513ab652 |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\registry.dll
| MD5 | 24a7a119e289f1b5b69f3d6cf258db7c |
| SHA1 | fec84298f9819adf155fcf4e9e57dd402636c177 |
| SHA256 | ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1 |
| SHA512 | fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861 |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\Math.dll
| MD5 | b140459077c7c39be4bef249c2f84535 |
| SHA1 | c56498241c2ddafb01961596da16d08d1b11cd35 |
| SHA256 | 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67 |
| SHA512 | fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328 |
C:\Users\Admin\AppData\Local\Temp\nsb4B42.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |