Analysis

  • max time kernel
    153s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-03-2024 17:57

General

  • Target

    $SYSDIR/$SYSDIR/$_14_.exe

  • Size

    46KB

  • MD5

    df6d2e5ebdd46ea23b355fb891a8b32b

  • SHA1

    4de6309cd966fa4db36c7bd8bba1583fc7025480

  • SHA256

    60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30

  • SHA512

    c928467dd11ae455aaa1a61d944023496af6a8f2bbfa5dcda19b6af46bbeb583c3740c1e85ca26ae6c8990998aadff74b20c4ea715dba59da9bc77a00d754b3d

  • SSDEEP

    768:SSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5TJRn0PtYUEXfOJacwUhQVgM:Hu4EQalMK/ewGnh0mJ6rEXf+aqOu5G

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe
    "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2928
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1028

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsj33A.tmp\InstallOptions.dll

      Filesize

      14KB

      MD5

      06bef96b91bfa75b7f7817341a6cd597

      SHA1

      48a40368fc339ccea1dfda06d2e02bca7d7265c1

      SHA256

      2ca5590c85cc31285b83bbe569755d909d91b559db2d6ce3bca2fcc075225364

      SHA512

      5364d0944b4be215fb5d8bb8398e965ff6fa3190a962dd6c491984482321756017f89c2242d77ebcce6666c31fe54a956f2eb3a03a95d64121a1db462ad20a0d

    • C:\Users\Admin\AppData\Local\Temp\nsj33A.tmp\System.dll

      Filesize

      10KB

      MD5

      7e3c808299aa2c405dffa864471ddb7f

      SHA1

      b5de7804dd35ed7afd0c3b59d866f1a0749495e0

      SHA256

      91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd

      SHA512

      599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738

    • C:\Users\Admin\AppData\Local\Temp\nsj33A.tmp\validate.ini

      Filesize

      456B

      MD5

      fa08a7f61fc6999543c7cc4527e59eb3

      SHA1

      33cd4408b3e4487e8fe87d11207c79c9f8d62202

      SHA256

      6f73104892c494c5bad49723079843d4b5e53d12c3177ee012057bb1aea1c1eb

      SHA512

      7aa82ece162127b033f63424b77e9db0ee3d168c5760075382981423a214f1d6b24e34d33a3e44b9a5c4127bf03441db3d4bb81e19e99934ce1b4a36f38ed983

    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

      Filesize

      46KB

      MD5

      df6d2e5ebdd46ea23b355fb891a8b32b

      SHA1

      4de6309cd966fa4db36c7bd8bba1583fc7025480

      SHA256

      60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30

      SHA512

      c928467dd11ae455aaa1a61d944023496af6a8f2bbfa5dcda19b6af46bbeb583c3740c1e85ca26ae6c8990998aadff74b20c4ea715dba59da9bc77a00d754b3d