ea96915a70457e88e7eafc7a861bd1f843a6635f7df607bb287cd94312bd07b7

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

792604bc13fd68b6e5c9e937724d6738.exe
Size

74KB
MD5

792604bc13fd68b6e5c9e937724d6738
SHA1

d077807e4ee8564dd2d44ee9b31c2decd36b70c6
SHA256

ea96915a70457e88e7eafc7a861bd1f843a6635f7df607bb287cd94312bd07b7
SHA512

52fdebac91335b3362c9c102e479e98288c236d868f3a0225b306ca7ecd8d2b3d770e6011ad2ab427c62448ccacf7e2e81d97224d93cc6a13951aa5882a56373
SSDEEP

1536:zYTmwVUsW7dtJMHy0DxmJjaaFEaaauFaaaq7aaatGa2NaYjUvaAa/a5avaCjaeVW:ES17XJiDxmJeSlDSsNzQSP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2168	792604bc13fd68b6e5c9e937724d6738.exe
3052	Au_.exe
3052	Au_.exe
3052	Au_.exe
3052	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x002f00000001482e-2.dat	nsis_installer_1
behavioral1/files/0x002f00000001482e-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3052	2168	792604bc13fd68b6e5c9e937724d6738.exe	28
PID 2168 wrote to memory of 3052	2168	792604bc13fd68b6e5c9e937724d6738.exe	28
PID 2168 wrote to memory of 3052	2168	792604bc13fd68b6e5c9e937724d6738.exe	28
PID 2168 wrote to memory of 3052	2168	792604bc13fd68b6e5c9e937724d6738.exe	28
PID 2168 wrote to memory of 3052	2168	792604bc13fd68b6e5c9e937724d6738.exe	28
PID 2168 wrote to memory of 3052	2168	792604bc13fd68b6e5c9e937724d6738.exe	28
PID 2168 wrote to memory of 3052	2168	792604bc13fd68b6e5c9e937724d6738.exe	28

C:\Users\Admin\AppData\Local\Temp\792604bc13fd68b6e5c9e937724d6738.exe
"C:\Users\Admin\AppData\Local\Temp\792604bc13fd68b6e5c9e937724d6738.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso4B25.tmp\ioSpecial.ini

Filesize
649B

MD5
8d328eff108bd2d5c02465fcb6f43834

SHA1
c89318da1a437de14d88c8b9de9dbb9c2838b8c6

SHA256
b272e56037de6ad7c156e67084649d5298d59237b6895b705846da44770e1a4b

SHA512
b1700dde089425d91248363ad9bc572264ea38fc036fe0ec1b319f3bc8afb6c50cff35bdb2aede318f0fa70cb5de9846793a3cbafbed13a126f9eb8a7ade2e5f

Download Submit
\Users\Admin\AppData\Local\Temp\nso4B25.tmp\InstallOptions.dll

Filesize
14KB

MD5
271b5d1043c4402f08ddeae383f6979c

SHA1
2b88c58aa27bfb4979239579cd65d4c6c67a5295

SHA256
90485cb175686c3e97b32ebf99daa939c1a6f46e7031f71b72b81cd114fd5b51

SHA512
f8bd4b316726f05647162bb52a2aeb4a6cf5ee976fdb7817a3d25b868b83fb482c38d078f01d3a629afb0d6fa6ce409b2b3404398563137e22010074f529c11b

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
74KB

MD5
792604bc13fd68b6e5c9e937724d6738

SHA1
d077807e4ee8564dd2d44ee9b31c2decd36b70c6

SHA256
ea96915a70457e88e7eafc7a861bd1f843a6635f7df607bb287cd94312bd07b7

SHA512
52fdebac91335b3362c9c102e479e98288c236d868f3a0225b306ca7ecd8d2b3d770e6011ad2ab427c62448ccacf7e2e81d97224d93cc6a13951aa5882a56373

Download Submit