Analysis
- max time kernel: 92s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 16:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: 74f98fecd901c14d18d495efd582137a.exe
- Resource: win7-20231215-en
General
- Target: 74f98fecd901c14d18d495efd582137a.exe
- Size: 39KB
- MD5: 74f98fecd901c14d18d495efd582137a
- SHA1: 899f84b87b300a09c4a86f7ab7758747b51cb676
- SHA256: 54e044b77d423736ae6761114a3bc858e62a905733ad4abcf6f20462fe87af6c
- SHA512: c8541479d86a4db6b95dd9305eccc34b1782a2c82edbc22d321f1590ed6c6b3ca0a7b65bbca0a5e0fd9518831ba9f60d119beea7f91cd7c6d236f764b248aacb
- SSDEEP: 768:w1uIb84HoQRZ4AYIvPZeRYvfn/aT8Y2IeKVszaQeEg49HHAs:TI8CBT0CZeRy/S/2I7Vs2JE5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: nlks.exe (PID 4904)
- Drops file in System32 directory (1 IoC)
  Processes: nlks.exe created file C:\Windows\SysWOW64\map\88X600.nmp
- Drops file in Program Files directory (1 IoC)
  Processes: 74f98fecd901c14d18d495efd582137a.exe created file \??\c:\Program Files\Internet Explorer\nlks.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (source PID, source process -> target PID, target process):
  - PID 4424 74f98fecd901c14d18d495efd582137a.exe wrote to memory of PID 4904 nlks.exe
  - PID 4424 74f98fecd901c14d18d495efd582137a.exe wrote to memory of PID 4904 nlks.exe
  - PID 4424 74f98fecd901c14d18d495efd582137a.exe wrote to memory of PID 4904 nlks.exe
  - PID 4424 74f98fecd901c14d18d495efd582137a.exe wrote to memory of PID 4560 cmd.exe
  - PID 4424 74f98fecd901c14d18d495efd582137a.exe wrote to memory of PID 4560 cmd.exe
  - PID 4424 74f98fecd901c14d18d495efd582137a.exe wrote to memory of PID 4560 cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\74f98fecd901c14d18d495efd582137a.exe (PID 4424, tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74f98fecd901c14d18d495efd582137a.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - \??\c:\Program Files\Internet Explorer\nlks.exe (PID 4904, tree level 2)
    Command line: "c:\Program Files\Internet Explorer\nlks.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
  - C:\Windows\SysWOW64\cmd.exe (PID 4560, tree level 2)
    Command line: C:\Windows\system32\cmd.exe /c c:\Deleteme.bat
Network
MITRE ATT&CK Matrix
Downloads
- C:\Program Files\Internet Explorer\nlks.exe
  Filesize: 87KB
  MD5: 209092027d99d5c3eec9ad6076d582ab
  SHA1: 9a70b7bde31652593a1febda34c27449f5ec16f6
  SHA256: 6f82a875287b733f4243c5e22787062599f0782856f6b6130c73924c42b78fdc
  SHA512: e08983f712d4eb5098bb0855d220e280960c0fa9ddabd1e777e81e741dc851f0a235ea7601c0e75543c9f3adca0d74caaf571e1c76a79d624fac7216fcc4e2e1
- \??\c:\Deleteme.bat
  Filesize: 184B
  MD5: 2a948407291ce23a9eaf45c4fe112e12
  SHA1: c89464624237c2e0a1bb58178e0fa6c05d936124
  SHA256: 61ba0c4bfed93cffa19174f01039c90ae325c3ed3a02e05e459aa1c18ea9f6e7
  SHA512: 8b48d062366bc4028156eb7267036c75d13d112a744840e6e0ebb83e1994e1566e7d60f910aeecfaa57d42c6542621fdfe7140bf046697de3709c4caa78a515f
- memory/4424-0-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB
- memory/4424-9-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB
- memory/4904-5-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/4904-8-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB