318f23065d4354ca3c73fe2f09c2b28e9167019690ae96b45be1737d9a2cddd7

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 01:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$SYSDIR/$SYSDIR/$_14_.exe
Size

47KB
MD5

f6ace57f67e9e094acd1d983302ad3e7
SHA1

781595f98cb313def394ddb7498e8c7e59fb6b48
SHA256

4d5e4ab9f051364964008b0c45f89857cd5a29f2794d53256ec7c4321182b134
SHA512

2583afcb84332245a30489e91affb8ef8d3e5d73e16ac73ea7cbf210c15cda1355f1910aab75506c95901d6d67d5736f7cb16dcbb75c827672679b3b28ec32fa
SSDEEP

768:CNV60pic8jAQVSISj980nSwRdxi4XAfF/O71mJSJRn2ZaIgutAdAOxnER8BDaq:sFicEAwSIknNAUmJHJgutLOxERkD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2040	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2008	$_14_.exe
2040	Au_.exe
2040	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral5/files/0x0031000000016fe9-2.dat	nsis_installer_1
behavioral5/files/0x0031000000016fe9-2.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2040	2008	$_14_.exe	28
PID 2008 wrote to memory of 2040	2008	$_14_.exe	28
PID 2008 wrote to memory of 2040	2008	$_14_.exe	28
PID 2008 wrote to memory of 2040	2008	$_14_.exe	28

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst710E.tmp\validate.ini

Filesize
457B

MD5
282b3cd64450c46a1425481f69a73e18

SHA1
10ac0c5ce2fdebc682b7eef4a5aaede35d0ca0f5

SHA256
25842c9c526b37a33e317aeaa50be75988a5c9d35c4ddc711bfcd7c86bc318ad

SHA512
830588ce6dadf469e672fc74ee856c6d031432f59c08b62fd5a13450d5436334a68c627e9e370e099509d3ac867618a8faa6b8b0750743d598be885613afe591

Download Submit
\Users\Admin\AppData\Local\Temp\nst710E.tmp\InstallOptions.dll

Filesize
14KB

MD5
0285eac59530ff5cc91fe2634b4ed78e

SHA1
241c12aefca0740e776362f30aa1edffd66d6bdc

SHA256
44c822afaa4cc7cb95390eaa0ada076d280d3455870569f0cde03637257d9899

SHA512
1007fbfb82d4e6c04bd5fefb32cd81f4406022ceef4d409eda0f0ddeb8b1f124a2baec86498bc119778e0c241fc41b0c2440d8a8f6731a63ede936be94f81297

Download Submit
\Users\Admin\AppData\Local\Temp\nst710E.tmp\System.dll

Filesize
11KB

MD5
68edaafef887c72f0d85d4d64b6cbf52

SHA1
77c1fb3301d6eea2e882bc387af1a017678c58da

SHA256
7d8ce82f2b89f544ed90cc8febfcfa57b32d2c8600bb77f79bc8d8980f0f7477

SHA512
e1e6b45fd47553d8e72cf15faa8572d6cf3f0a5495a34f7cb63a2307502282e69d482db42f8a760feaa890a0dc9539e9661fea8179e4d6e18e1c90092b06d4b9

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
47KB

MD5
f6ace57f67e9e094acd1d983302ad3e7

SHA1
781595f98cb313def394ddb7498e8c7e59fb6b48

SHA256
4d5e4ab9f051364964008b0c45f89857cd5a29f2794d53256ec7c4321182b134

SHA512
2583afcb84332245a30489e91affb8ef8d3e5d73e16ac73ea7cbf210c15cda1355f1910aab75506c95901d6d67d5736f7cb16dcbb75c827672679b3b28ec32fa

Download Submit