e444561b6d35857597dcaca55615c078c76579002039825eb83ab7799a48903b

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8665134c70aa1777e0c561e72b4730e6.exe
Size

46KB
MD5

8665134c70aa1777e0c561e72b4730e6
SHA1

a2ed04425c013fb6d785d008f0ad4d23c6048b15
SHA256

e444561b6d35857597dcaca55615c078c76579002039825eb83ab7799a48903b
SHA512

f9a1b44f7bf00ef2da071b84d944fc25ceb1066b40bf0373cbe740dddbb0c954338cd9b70aa8dd50678f6f3ddc1c878be53aaee351c27c817a37f3eb83250144
SSDEEP

768:SSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5TJRn0OCDE7kCEerjgPt9f5n:Hu4EQalMK/ewGnh0mJ6grjg/fN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
1700	8665134c70aa1777e0c561e72b4730e6.exe
2744	Au_.exe
2744	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x002b0000000186c1-2.dat	nsis_installer_1
behavioral1/files/0x002b0000000186c1-2.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2744	1700	8665134c70aa1777e0c561e72b4730e6.exe	28
PID 1700 wrote to memory of 2744	1700	8665134c70aa1777e0c561e72b4730e6.exe	28
PID 1700 wrote to memory of 2744	1700	8665134c70aa1777e0c561e72b4730e6.exe	28
PID 1700 wrote to memory of 2744	1700	8665134c70aa1777e0c561e72b4730e6.exe	28

C:\Users\Admin\AppData\Local\Temp\8665134c70aa1777e0c561e72b4730e6.exe
"C:\Users\Admin\AppData\Local\Temp\8665134c70aa1777e0c561e72b4730e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd7320.tmp\validate.ini

Filesize
457B

MD5
d8c921f0d26afe35a09b75c703f80680

SHA1
992bc7bf5438a26f3df868b82e7d75df25401004

SHA256
8486bf5bf1d30d0287be6dfb0192a6b7a7841559d5aeb594807f675979261d91

SHA512
085916fa59897395767bc44b6215e851ffcb0653fe394cd413953298cae8e8b64e8dbfa7ffb4f780281c923e2827c22a4d15be44a9b7b377aab431754e5e601b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7320.tmp\InstallOptions.dll

Filesize
14KB

MD5
06bef96b91bfa75b7f7817341a6cd597

SHA1
48a40368fc339ccea1dfda06d2e02bca7d7265c1

SHA256
2ca5590c85cc31285b83bbe569755d909d91b559db2d6ce3bca2fcc075225364

SHA512
5364d0944b4be215fb5d8bb8398e965ff6fa3190a962dd6c491984482321756017f89c2242d77ebcce6666c31fe54a956f2eb3a03a95d64121a1db462ad20a0d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7320.tmp\System.dll

Filesize
10KB

MD5
7e3c808299aa2c405dffa864471ddb7f

SHA1
b5de7804dd35ed7afd0c3b59d866f1a0749495e0

SHA256
91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd

SHA512
599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
46KB

MD5
8665134c70aa1777e0c561e72b4730e6

SHA1
a2ed04425c013fb6d785d008f0ad4d23c6048b15

SHA256
e444561b6d35857597dcaca55615c078c76579002039825eb83ab7799a48903b

SHA512
f9a1b44f7bf00ef2da071b84d944fc25ceb1066b40bf0373cbe740dddbb0c954338cd9b70aa8dd50678f6f3ddc1c878be53aaee351c27c817a37f3eb83250144

Download Submit