e597c1588a75c77a9e41413069c649691a4fb8673281df15d98c4f13a6dcd684

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88312d4109d49430e7ade9064ca2d252.exe
Size

82KB
MD5

88312d4109d49430e7ade9064ca2d252
SHA1

8fb506a8792b26437d42cea2999f09dead604260
SHA256

e597c1588a75c77a9e41413069c649691a4fb8673281df15d98c4f13a6dcd684
SHA512

33027e3dcc6cfb0813db96c06f858be01172adf9ba68d9d5d1a8bee27319fede4410b9b0f5bb83795970e06340ad499fbc48b050032ad46f0f290fb9c1f46430
SSDEEP

1536:2EkjY1zy214Qay0DGkJ7qAELVigJvmcpUoJzv5oZaScIB2/D9k:dkjAJ4dDGkJ+AI0Qauzv5oZqT/R

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
804	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2380	88312d4109d49430e7ade9064ca2d252.exe
804	Au_.exe
804	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c0000000141c0-5.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
804	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 804	2380	88312d4109d49430e7ade9064ca2d252.exe	18
PID 2380 wrote to memory of 804	2380	88312d4109d49430e7ade9064ca2d252.exe	18
PID 2380 wrote to memory of 804	2380	88312d4109d49430e7ade9064ca2d252.exe	18
PID 2380 wrote to memory of 804	2380	88312d4109d49430e7ade9064ca2d252.exe	18

C:\Users\Admin\AppData\Local\Temp\88312d4109d49430e7ade9064ca2d252.exe
"C:\Users\Admin\AppData\Local\Temp\88312d4109d49430e7ade9064ca2d252.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi58D.tmp\ioSpecial.ini

Filesize
600B

MD5
afe1dd5c09d16806fad219ab92584639

SHA1
70dd625487b9bfa8dba602f76d9d5f3852ca7363

SHA256
e64574b7c2a884dd5142bea39fc34cf755f2a05ba9f7118dccbe638c0063f341

SHA512
14afc1011ed1d5077e6debc01eaf03395c77477b5314562fbe24ad23d7a00efd5c94de6dd7bd52c46a8bf3cb26bd26e9d9f57e9bb14f06ec128ad46b92bd4bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
82KB

MD5
88312d4109d49430e7ade9064ca2d252

SHA1
8fb506a8792b26437d42cea2999f09dead604260

SHA256
e597c1588a75c77a9e41413069c649691a4fb8673281df15d98c4f13a6dcd684

SHA512
33027e3dcc6cfb0813db96c06f858be01172adf9ba68d9d5d1a8bee27319fede4410b9b0f5bb83795970e06340ad499fbc48b050032ad46f0f290fb9c1f46430

Download Submit
\Users\Admin\AppData\Local\Temp\nsi58D.tmp\InstallOptions.dll

Filesize
13KB

MD5
d765c492c21689e3d9d61634371fd861

SHA1
ac200933671ae52c9d5544d0e2e8e9144d286c83

SHA256
551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc

SHA512
9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi58D.tmp\System.dll

Filesize
10KB

MD5
fe24766ba314f620d57d0cf7339103c0

SHA1
8641545f03f03ff07485d6ec4d7b41cbb898c269

SHA256
802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

SHA512
60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

Download Submit