Overview
overview
7Static
static
3dc425d638a...d2.exe
windows7-x64
7dc425d638a...d2.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$SYSDIR/$S...4_.exe
windows7-x64
7$SYSDIR/$S...4_.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$TEMP/$_8_.dll
windows7-x64
6$TEMP/$_8_.dll
windows10-2004-x64
6Analysis
-
max time kernel
153s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
21-03-2024 17:57
Static task
static1
Behavioral task
behavioral1
Sample
dc425d638aaffd968f4d6c20d473d7d2.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dc425d638aaffd968f4d6c20d473d7d2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240319-en
Behavioral task
behavioral5
Sample
$SYSDIR/$SYSDIR/$_14_.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$SYSDIR/$SYSDIR/$_14_.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
$TEMP/$_8_.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$TEMP/$_8_.dll
Resource
win10v2004-20231215-en
General
-
Target
$SYSDIR/$SYSDIR/$_14_.exe
-
Size
46KB
-
MD5
df6d2e5ebdd46ea23b355fb891a8b32b
-
SHA1
4de6309cd966fa4db36c7bd8bba1583fc7025480
-
SHA256
60d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30
-
SHA512
c928467dd11ae455aaa1a61d944023496af6a8f2bbfa5dcda19b6af46bbeb583c3740c1e85ca26ae6c8990998aadff74b20c4ea715dba59da9bc77a00d754b3d
-
SSDEEP
768:SSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5TJRn0PtYUEXfOJacwUhQVgM:Hu4EQalMK/ewGnh0mJ6rEXf+aqOu5G
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2928 Au_.exe -
Loads dropped DLL 3 IoCs
pid Process 2928 Au_.exe 2928 Au_.exe 2928 Au_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource yara_rule behavioral6/files/0x0007000000023319-4.dat nsis_installer_1 behavioral6/files/0x0007000000023319-4.dat nsis_installer_2 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 968 wrote to memory of 2928 968 $_14_.exe 97 PID 968 wrote to memory of 2928 968 $_14_.exe 97 PID 968 wrote to memory of 2928 968 $_14_.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:81⤵PID:1028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD506bef96b91bfa75b7f7817341a6cd597
SHA148a40368fc339ccea1dfda06d2e02bca7d7265c1
SHA2562ca5590c85cc31285b83bbe569755d909d91b559db2d6ce3bca2fcc075225364
SHA5125364d0944b4be215fb5d8bb8398e965ff6fa3190a962dd6c491984482321756017f89c2242d77ebcce6666c31fe54a956f2eb3a03a95d64121a1db462ad20a0d
-
Filesize
10KB
MD57e3c808299aa2c405dffa864471ddb7f
SHA1b5de7804dd35ed7afd0c3b59d866f1a0749495e0
SHA25691c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd
SHA512599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738
-
Filesize
456B
MD5fa08a7f61fc6999543c7cc4527e59eb3
SHA133cd4408b3e4487e8fe87d11207c79c9f8d62202
SHA2566f73104892c494c5bad49723079843d4b5e53d12c3177ee012057bb1aea1c1eb
SHA5127aa82ece162127b033f63424b77e9db0ee3d168c5760075382981423a214f1d6b24e34d33a3e44b9a5c4127bf03441db3d4bb81e19e99934ce1b4a36f38ed983
-
Filesize
46KB
MD5df6d2e5ebdd46ea23b355fb891a8b32b
SHA14de6309cd966fa4db36c7bd8bba1583fc7025480
SHA25660d3b765d3f22edff41197a1785f970ab149673c318457b26a47ea0846425a30
SHA512c928467dd11ae455aaa1a61d944023496af6a8f2bbfa5dcda19b6af46bbeb583c3740c1e85ca26ae6c8990998aadff74b20c4ea715dba59da9bc77a00d754b3d