Overview
- overview, score 7

Static
- static, score 3

Tasks by sample and platform (score):
- 2b439a03a7...18.exe, windows7-x64: 7
- 2b439a03a7...18.exe, windows10-2004-x64: 7
- $PLUGINSDIR/Delay.dll, windows7-x64: 3
- $PLUGINSDIR/Delay.dll, windows10-2004-x64: 3
- $PLUGINSDI...ns.dll, windows7-x64: 3
- $PLUGINSDI...ns.dll, windows10-2004-x64: 3
- $PLUGINSDI...em.dll, windows7-x64: 3
- $PLUGINSDI...em.dll, windows10-2004-x64: 3
- $PLUGINSDIR/inetc.dll, windows7-x64: 3
- $PLUGINSDIR/inetc.dll, windows10-2004-x64: 3
- Castle Clout 2.exe, windows7-x64: 1
- Castle Clout 2.exe, windows10-2004-x64: 1
- Uninst.exe, windows7-x64: 7
- Uninst.exe, windows10-2004-x64: 7
- $PLUGINSDIR/Delay.dll, windows7-x64: 3
- $PLUGINSDIR/Delay.dll, windows10-2004-x64: 3
- $PLUGINSDI...ns.dll, windows7-x64: 3
- $PLUGINSDI...ns.dll, windows10-2004-x64: 3
- $PLUGINSDIR/inetc.dll, windows7-x64: 3
- $PLUGINSDIR/inetc.dll, windows10-2004-x64: 3

Analysis
- max time kernel: 139s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/01/2024, 17:19
Tasks
- static1: static task
- behavioral1: behavioral task; sample 2b439a03a70011aaae44b6b2b56953188c6607d547b7aa3f5d6924bce9ef5d18.exe; resource win7-20231129-en
- behavioral2: behavioral task; sample 2b439a03a70011aaae44b6b2b56953188c6607d547b7aa3f5d6924bce9ef5d18.exe; resource win10v2004-20231215-en
- behavioral3: behavioral task; sample $PLUGINSDIR/Delay.dll; resource win7-20231129-en
- behavioral4: behavioral task; sample $PLUGINSDIR/Delay.dll; resource win10v2004-20231215-en
- behavioral5: behavioral task; sample $PLUGINSDIR/InstallOptions.dll; resource win7-20231215-en
- behavioral6: behavioral task; sample $PLUGINSDIR/InstallOptions.dll; resource win10v2004-20231215-en
- behavioral7: behavioral task; sample $PLUGINSDIR/System.dll; resource win7-20231215-en
- behavioral8: behavioral task; sample $PLUGINSDIR/System.dll; resource win10v2004-20231215-en
- behavioral9: behavioral task; sample $PLUGINSDIR/inetc.dll; resource win7-20231215-en
- behavioral10: behavioral task; sample $PLUGINSDIR/inetc.dll; resource win10v2004-20231215-en
- behavioral11: behavioral task; sample Castle Clout 2.exe; resource win7-20231129-en
- behavioral12: behavioral task; sample Castle Clout 2.exe; resource win10v2004-20231215-en
- behavioral13: behavioral task; sample Uninst.exe; resource win7-20231215-en
- behavioral14: behavioral task; sample Uninst.exe; resource win10v2004-20231222-en
- behavioral15: behavioral task; sample $PLUGINSDIR/Delay.dll; resource win7-20231215-en
- behavioral16: behavioral task; sample $PLUGINSDIR/Delay.dll; resource win10v2004-20231215-en
- behavioral17: behavioral task; sample $PLUGINSDIR/InstallOptions.dll; resource win7-20231215-en
- behavioral18: behavioral task; sample $PLUGINSDIR/InstallOptions.dll; resource win10v2004-20231222-en
- behavioral19: behavioral task; sample $PLUGINSDIR/inetc.dll; resource win7-20231215-en
- behavioral20: behavioral task; sample $PLUGINSDIR/inetc.dll; resource win10v2004-20231215-en
General
- Target: Uninst.exe
- Size: 91KB
- MD5: 4f328289767df4f975169f92c2bb4127
- SHA1: 1a9a93f3209e2713a6c0cab9a54eb78733e24297
- SHA256: 1f9f2a47e8c6ba0adac309cd8bc3fa7858963bfed9ad42c669e194ae0eb13743
- SHA512: 8cd458bd64ccb4636eee355d84519dd9928c51687b59fd9d3e2b38a17f6b68ebd691780537067275c81d0ed05a01e7e59e084616175f6e1192ac01745749342d
- SSDEEP: 1536:UyZMSZFvknTePMZd4k4kJJe+zR5NSO3gaevfPzG+cZWoAN8GYiutIhy67j21v/hr:jZMJnTeM4cJJe+zlwa8fPz49biueh77m
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4560, process Au_.exe
- Loads dropped DLL (2 IoCs)
  pid 4560, process Au_.exe
  pid 4560, process Au_.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource behavioral14/files/0x000600000002320a-3.dat, yara_rule nsis_installer_1
  resource behavioral14/files/0x000600000002320a-3.dat, yara_rule nsis_installer_2
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 968 wrote to memory of 4560; process Uninst.exe (pid 968); procid_target 87
  PID 968 wrote to memory of 4560; process Uninst.exe (pid 968); procid_target 87
  PID 968 wrote to memory of 4560; process Uninst.exe (pid 968); procid_target 87
Processes
- C:\Users\Admin\AppData\Local\Temp\Uninst.exe (PID 968)
  command line: "C:\Users\Admin\AppData\Local\Temp\Uninst.exe"
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (PID 4560)
    command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: 0dc0cc7a6d9db685bf05a7e5f3ea4781
  SHA1: 5d8b6268eeec9d8d904bc9d988a4b588b392213f
  SHA256: 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
  SHA512: 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0
- Filesize: 20KB
  MD5: 50fdadda3e993688401f6f1108fabdb4
  SHA1: 04a9ae55d0fb726be49809582cea41d75bf22a9a
  SHA256: 6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
  SHA512: e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8
- Filesize: 622B
  MD5: ab42507d59831c211be08889bdb62a1d
  SHA1: 529486d9462415966f98d5f79475a6d32af5c027
  SHA256: 614c420d9ce72c02a6d66c340e9b88ecece5b309aa05417ba2080ffa4e179f9f
  SHA512: 800b0b9f95b358647f9867427c3796abc0fb4ccefdb8631931cb05ea3ffc2434d97eaea2cba332cd459c2af336cbb8ca7ea10c3cad880f957331ae8a49672fb7
- Filesize: 91KB
  MD5: 4f328289767df4f975169f92c2bb4127
  SHA1: 1a9a93f3209e2713a6c0cab9a54eb78733e24297
  SHA256: 1f9f2a47e8c6ba0adac309cd8bc3fa7858963bfed9ad42c669e194ae0eb13743
  SHA512: 8cd458bd64ccb4636eee355d84519dd9928c51687b59fd9d3e2b38a17f6b68ebd691780537067275c81d0ed05a01e7e59e084616175f6e1192ac01745749342d