Analysis

  • max time kernel
    117s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-03-2024 17:57

General

  • Target

    $SYSDIR/$SYSDIR/$_14_.exe

  • Size

    46KB

  • MD5

    df6d2e5ebdd46ea23b355fb891a8b32b

  • SHA1

    4de6309cd966fa4db36c7bd8bba1583fc7025480

  • SHA256

    60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30

  • SHA512

    c928467dd11ae455aaa1a61d944023496af6a8f2bbfa5dcda19b6af46bbeb583c3740c1e85ca26ae6c8990998aadff74b20c4ea715dba59da9bc77a00d754b3d

  • SSDEEP

    768:SSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5TJRn0PtYUEXfOJacwUhQVgM:Hu4EQalMK/ewGnh0mJ6rEXf+aqOu5G

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs

    The dropped executable (~nsu.tmp\Au_.exe, see Downloads) carries the same SHA256 as the submitted sample, i.e. it is a byte-identical copy of the sample rather than a second payload.

  • Loads dropped DLL 3 IoCs

    InstallOptions.dll and System.dll, written to the nsyE939.tmp plugin directory, are standard NSIS plugin DLLs.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs

    The copy-to-%TEMP%\~nsu.tmp\Au_.exe and re-execution with the _?=<install dir> switch (see Processes) is the documented behaviour of an NSIS uninstaller stub, not a separately dropped installer.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe
    "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsyE939.tmp\validate.ini

    Filesize

    457B

    MD5

    5f77aa7efb59646633c874cabd885d2f

    SHA1

    1313f0960abb2182c1032b33d34e4d48d08a7be2

    SHA256

    c027223edeb491e161284773815e305ccb419ec888e567814638994dbb5fa4b1

    SHA512

    606adc024afdcc738424db823a7950d98edeefc79b097493e395b3617840113478c990c9d1a740d003f32d753e96a7f8abe9b3bb23c160499e8ee6f7670b345a

  • C:\Users\Admin\AppData\Local\Temp\nsyE939.tmp\validate.ini

    Filesize

    509B

    MD5

    fb3c89c8f29fe862df4a4aeba7d8bcec

    SHA1

    a8b0f3ae742264b4aed69c4fd71b2f5aad8cf373

    SHA256

    78ad13e73dfa5b2ed41798e3d6c1f0b0a127f4498c09172aa6cb6b7dcb42c775

    SHA512

    e0d97c901e43685b1540a2b7292f354e48897f10cb26784f86d559ce6a8fbf19ee294d5264b27e5e6c194f62ca6971643cc42debeb1e3bdebc6c886d0ecbecbd

  • \Users\Admin\AppData\Local\Temp\nsyE939.tmp\InstallOptions.dll

    Filesize

    14KB

    MD5

    06bef96b91bfa75b7f7817341a6cd597

    SHA1

    48a40368fc339ccea1dfda06d2e02bca7d7265c1

    SHA256

    2ca5590c85cc31285b83bbe569755d909d91b559db2d6ce3bca2fcc075225364

    SHA512

    5364d0944b4be215fb5d8bb8398e965ff6fa3190a962dd6c491984482321756017f89c2242d77ebcce6666c31fe54a956f2eb3a03a95d64121a1db462ad20a0d

  • \Users\Admin\AppData\Local\Temp\nsyE939.tmp\System.dll

    Filesize

    10KB

    MD5

    7e3c808299aa2c405dffa864471ddb7f

    SHA1

    b5de7804dd35ed7afd0c3b59d866f1a0749495e0

    SHA256

    91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd

    SHA512

    599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

    Filesize

    46KB

    MD5

    df6d2e5ebdd46ea23b355fb891a8b32b

    SHA1

    4de6309cd966fa4db36c7bd8bba1583fc7025480

    SHA256

    60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30

    SHA512

    c928467dd11ae455aaa1a61d944023496af6a8f2bbfa5dcda19b6af46bbeb583c3740c1e85ca26ae6c8990998aadff74b20c4ea715dba59da9bc77a00d754b3d
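The Processes and Downloads sections above can be cross-checked mechanically: a dropped file whose SHA256 equals the sample's is a self-copy, and a child command line carrying the NSIS uninstaller's _?=<dir> switch identifies the copy as an uninstaller stub re-launching itself. The following is an added example (not part of the sandbox report or of any sandbox API) that encodes the report's own hashes and command lines as constructed input and runs that correlation; the helper names (nsis_uninstall_instdir, find_self_copies, triage) are this example's own.

```python
import re

# Data below is transcribed from the sandbox report above (constructed input
# for this example); the function names are this example's own, not a sandbox API.
SAMPLE_SHA256 = "60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30"

# (path, sha256) for every entry under Downloads; validate.ini appears twice
# because it was written twice with different contents, so keep a list, not a dict.
DROPPED_FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\nsyE939.tmp\validate.ini",
     "c027223edeb491e161284773815e305ccb419ec888e567814638994dbb5fa4b1"),
    (r"C:\Users\Admin\AppData\Local\Temp\nsyE939.tmp\validate.ini",
     "78ad13e73dfa5b2ed41798e3d6c1f0b0a127f4498c09172aa6cb6b7dcb42c775"),
    (r"\Users\Admin\AppData\Local\Temp\nsyE939.tmp\InstallOptions.dll",
     "2ca5590c85cc31285b83bbe569755d909d91b559db2d6ce3bca2fcc075225364"),
    (r"\Users\Admin\AppData\Local\Temp\nsyE939.tmp\System.dll",
     "91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd"),
    (r"\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe",
     "60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30"),
]

# (pid, parent pid, command line) from the Processes section. A raw string
# cannot end in a backslash, so the trailing one is appended separately.
SAMPLE_CMD = r'"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"'
NSIS_UNINSTALL_CMD = (r'"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" '
                      r'_?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR' + "\\")
PROCESSES = [
    (2068, None, SAMPLE_CMD),
    (2548, 2068, NSIS_UNINSTALL_CMD),
]

# NSIS uninstallers relaunch themselves from %TEMP%\~nsu*.tmp\Au_.exe and pass
# the original install directory through the "_?=" switch.
NSIS_INSTDIR_ARG = re.compile(r'(?:^|\s)_\?=(.+?)\s*$')
NSIS_UNINSTALL_STUB = re.compile(r'\\~nsu[^\\]*\.tmp\\Au_\.exe"?(?:\s|$)', re.IGNORECASE)


def nsis_uninstall_instdir(cmdline):
    """Return the $INSTDIR passed via the NSIS uninstaller's _?= switch, or None."""
    m = NSIS_INSTDIR_ARG.search(cmdline)
    return m.group(1).strip('"') if m else None


def find_self_copies(sample_sha256, dropped):
    """Paths of dropped files whose SHA256 equals the sample's (byte-identical copies)."""
    want = sample_sha256.lower()
    return [path for path, sha in dropped if sha.lower() == want]


def triage(sample_sha256, dropped, processes):
    """Correlate the dropped-file list with the process tree.

    Returns the self-copies, every process that received an NSIS _?= argument,
    and a flag that is True only when a byte-identical copy was executed from
    the ~nsu*.tmp\\Au_.exe location with that switch, i.e. the plain NSIS
    uninstaller self-relaunch pattern rather than a distinct second stage.
    """
    self_copies = find_self_copies(sample_sha256, dropped)
    uninstall_runs = []
    for pid, ppid, cmd in processes:
        instdir = nsis_uninstall_instdir(cmd)
        if instdir is not None:
            uninstall_runs.append({"pid": pid, "ppid": ppid, "instdir": instdir,
                                   "from_nsu_stub": bool(NSIS_UNINSTALL_STUB.search(cmd))})
    stub_relaunched = any(r["from_nsu_stub"] for r in uninstall_runs)
    stub_is_self_copy = any(p.lower().endswith(r"\~nsu.tmp\au_.exe") for p in self_copies)
    return {
        "self_copies": self_copies,
        "nsis_uninstall": uninstall_runs,
        "is_nsis_uninstaller_self_copy": stub_relaunched and stub_is_self_copy,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SHA256, DROPPED_FILES, PROCESSES).items():
        print(f"{key}: {value}")
```

The hash comparison is what turns "Executes dropped EXE" from a generic alert into a concrete statement: the child at PID 2548 is the same 46KB binary, and its only new input is the $INSTDIR handed over through _?=. Anything else dropped under ~nsu.tmp with a different hash would fall outside this pattern and deserve a closer look.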