Analysis
- max time kernel: 117s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21-03-2024 17:57
Tasks
- static1 (Static task)
- behavioral1: sample dc425d638aaffd968f4d6c20d473d7d2.exe, resource win7-20240221-en
- behavioral2: sample dc425d638aaffd968f4d6c20d473d7d2.exe, resource win10v2004-20240226-en
- behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240215-en
- behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240319-en
- behavioral5: sample $SYSDIR/$SYSDIR/$_14_.exe, resource win7-20240221-en
- behavioral6: sample $SYSDIR/$SYSDIR/$_14_.exe, resource win10v2004-20240226-en
- behavioral7: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20240221-en
- behavioral8: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240226-en
- behavioral9: sample $PLUGINSDIR/System.dll, resource win7-20240221-en
- behavioral10: sample $PLUGINSDIR/System.dll, resource win10v2004-20240226-en
- behavioral11: sample $TEMP/$_8_.dll, resource win7-20240221-en
- behavioral12: sample $TEMP/$_8_.dll, resource win10v2004-20231215-en
General
- Target: $SYSDIR/$SYSDIR/$_14_.exe
- Size: 46KB
- MD5: df6d2e5ebdd46ea23b355fb891a8b32b
- SHA1: 4de6309cd966fa4db36c7bd8bba1583fc7025480
- SHA256: 60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30
- SHA512: c928467dd11ae455aaa1a61d944023496af6a8f2bbfa5dcda19b6af46bbeb583c3740c1e85ca26ae6c8990998aadff74b20c4ea715dba59da9bc77a00d754b3d
- SSDEEP: 768:SSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5TJRn0PtYUEXfOJacwUhQVgM:Hu4EQalMK/ewGnh0mJ6rEXf+aqOu5G
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 2548, process Au_.exe
- Loads dropped DLL (3 IoCs)
  PID 2068, process $_14_.exe
  PID 2548, process Au_.exe
  PID 2548, process Au_.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource behavioral5/files/0x0020000000015c73-2.dat, yara_rule nsis_installer_1
  resource behavioral5/files/0x0020000000015c73-2.dat, yara_rule nsis_installer_2
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2068 wrote to memory of 2548, process $_14_.exe, procid_target 27
  PID 2068 wrote to memory of 2548, process $_14_.exe, procid_target 27
  PID 2068 wrote to memory of 2548, process $_14_.exe, procid_target 27
  PID 2068 wrote to memory of 2548, process $_14_.exe, procid_target 27
Processes
1. C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"
   PID: 2068
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (child of PID 2068)
      command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\
      PID: 2548
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 457B
  MD5: 5f77aa7efb59646633c874cabd885d2f
  SHA1: 1313f0960abb2182c1032b33d34e4d48d08a7be2
  SHA256: c027223edeb491e161284773815e305ccb419ec888e567814638994dbb5fa4b1
  SHA512: 606adc024afdcc738424db823a7950d98edeefc79b097493e395b3617840113478c990c9d1a740d003f32d753e96a7f8abe9b3bb23c160499e8ee6f7670b345a
- Filesize: 509B
  MD5: fb3c89c8f29fe862df4a4aeba7d8bcec
  SHA1: a8b0f3ae742264b4aed69c4fd71b2f5aad8cf373
  SHA256: 78ad13e73dfa5b2ed41798e3d6c1f0b0a127f4498c09172aa6cb6b7dcb42c775
  SHA512: e0d97c901e43685b1540a2b7292f354e48897f10cb26784f86d559ce6a8fbf19ee294d5264b27e5e6c194f62ca6971643cc42debeb1e3bdebc6c886d0ecbecbd
- Filesize: 14KB
  MD5: 06bef96b91bfa75b7f7817341a6cd597
  SHA1: 48a40368fc339ccea1dfda06d2e02bca7d7265c1
  SHA256: 2ca5590c85cc31285b83bbe569755d909d91b559db2d6ce3bca2fcc075225364
  SHA512: 5364d0944b4be215fb5d8bb8398e965ff6fa3190a962dd6c491984482321756017f89c2242d77ebcce6666c31fe54a956f2eb3a03a95d64121a1db462ad20a0d
- Filesize: 10KB
  MD5: 7e3c808299aa2c405dffa864471ddb7f
  SHA1: b5de7804dd35ed7afd0c3b59d866f1a0749495e0
  SHA256: 91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd
  SHA512: 599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738
- Filesize: 46KB
  MD5: df6d2e5ebdd46ea23b355fb891a8b32b
  SHA1: 4de6309cd966fa4db36c7bd8bba1583fc7025480
  SHA256: 60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30
  SHA512: c928467dd11ae455aaa1a61d944023496af6a8f2bbfa5dcda19b6af46bbeb583c3740c1e85ca26ae6c8990998aadff74b20c4ea715dba59da9bc77a00d754b3d