632e3afccd98120934bce68913c7f8983b79262006325be931ef76fab16225c2

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
16-02-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

9.5MB
MD5

245d42db1c8baca8521b1d7e5d2a3252
SHA1

f49ea656d41572e76a754b712de2188d28f838e4
SHA256

632e3afccd98120934bce68913c7f8983b79262006325be931ef76fab16225c2
SHA512

ace7ffcee6e96f7491a84d716cc2074befe50e321776936b7d15bb7e1c2264c4f980fa627d98d3345dde5888381b84deeae7788d3057361829cb3b527a9dc286
SSDEEP

196608:OBWBwTry7Zx3cA3RNyBpMs5INN75CQLdU1Xmb+Kazzg:OBWBwHy7Zx1R4gUI37J50XmdazU

Score

4^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
2096	tmp.exe
2096	tmp.exe
2096	tmp.exe
2096	tmp.exe
2096	tmp.exe
2096	tmp.exe
2096	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2676	2096	tmp.exe	27
PID 2096 wrote to memory of 2676	2096	tmp.exe	27
PID 2096 wrote to memory of 2676	2096	tmp.exe	27
PID 2096 wrote to memory of 2676	2096	tmp.exe	27

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"ati-Windows\",\"user_id\":\"DA4CF2D3\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-ar-mutaz\",\"install_trackversion\":\"8.8.4.3\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-TGM4BTG393&api_secret=-b-I9VfrR4muDLllouukmA""
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdAF72.tmp\CheckProVs.dll

Filesize
7KB

MD5
62e85098ce43cb3d5c422e49390b7071

SHA1
df6722f155ce2a1379eff53a9ad1611ddecbb3bf

SHA256
ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

SHA512
dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdAF72.tmp\nsDui.dll

Filesize
3.6MB

MD5
49acf8a23320b121f3a07149a1ec9dd0

SHA1
117ba008ac99b79afdd9ae0a3839be2fe8662c11

SHA256
a94c7412b0f82f46b75110e7ff5d0b501ca1a2f026f87c90d7542d864aa318b1

SHA512
4cc9dadb098fd32727bee7585aaaddb9435cc3993c9a2f00d31f0bf5267bba17326d1b6f87de3130dca04998d6c05294d74cda352e5ed9f16ac1537c98993f7a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAF72.tmp\GoogleTracingLib.dll

Filesize
44KB

MD5
624a9f37da45b426653a6ae687220138

SHA1
1579138df2bca9d24bf1f30ace8ccdc2e79ffce4

SHA256
ae29ce5e517fa86fc0dbc67c816cb39d568f5c34c9662654d44bffce2b3f1f7f

SHA512
e07a65a204dc253b97c0735f7550bb9b14e3d7ad3d5e7c89cf6dc5753f85e9dad102036c1427a08db27a29c237a886e6c2261162aacdd28e7e188c80f0a3f221

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAF72.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAF72.tmp\msvcp100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAF72.tmp\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit