Analysis
max time kernel: 102s
max time network: 19s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 06:39
Behavioral tasks
Task         Sample                                        Resource
behavioral1  Lithium-Nuker-V2-main.zip                     win7-20240221-en
behavioral2  Lithium-Nuker-V2-main.zip                     win10v2004-20240508-en
behavioral3  Lithium-Nuker-V2-main/Lithium Nuker V2.exe    win7-20240221-en
behavioral4  Lithium-Nuker-V2-main/Lithium Nuker V2.exe    win10v2004-20240508-en
behavioral5  log.pyc                                       win7-20231129-en
behavioral6  log.pyc                                       win10v2004-20240508-en
behavioral7  Lithium-Nuker-V2-main/README.md               win7-20240508-en
behavioral8  Lithium-Nuker-V2-main/README.md               win10v2004-20240426-en
General
Target: Lithium-Nuker-V2-main/README.md
Size: 100B
MD5: fb18f6b70784d27134c9401ec201df12
SHA1: fe937f13eee611e5ad3daba578c56007f9598004
SHA256: 0c34dd5ab9cc9d8a6b1e2b9d404afee445dbd1d22269c432018baae008cd9b1b
SHA512: 9c337880407c7ddedf270efa8f2e73e1d360a85f1f0dacccbffea6c356385f48b8ebb4ad0b9cca1dc394b6a824084e50662c559b978c6e36d83ed2cbcba74eb7
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (9 IoCs)
Process: rundll32.exe (all entries below)
Description       IoC
Key created       \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings
Set value (str)   \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.md\ = "md_auto_file"
Key created       \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\md_auto_file\shell\Read
Set value (str)   \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
Key created       \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\md_auto_file
Set value (str)   \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\md_auto_file\
Key created       \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.md
Key created       \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\md_auto_file\shell
Key created       \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\md_auto_file\shell\Read\command
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID   Process
2040  AcroRd32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
PID   Process
2040  AcroRd32.exe
2040  AcroRd32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: cmd.exe, rundll32.exe
Description                        PID   Process       Target process
PID 2204 wrote to memory of 2756   2204  cmd.exe       rundll32.exe
PID 2204 wrote to memory of 2756   2204  cmd.exe       rundll32.exe
PID 2204 wrote to memory of 2756   2204  cmd.exe       rundll32.exe
PID 2756 wrote to memory of 2040   2756  rundll32.exe  AcroRd32.exe
PID 2756 wrote to memory of 2040   2756  rundll32.exe  AcroRd32.exe
PID 2756 wrote to memory of 2040   2756  rundll32.exe  AcroRd32.exe
PID 2756 wrote to memory of 2040   2756  rundll32.exe  AcroRd32.exe
Processes (tree; indentation shows parent/child depth)
C:\Windows\system32\cmd.exe (depth 1, PID 2204)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Lithium-Nuker-V2-main\README.md
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (depth 2, PID 2756)
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lithium-Nuker-V2-main\README.md
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3, PID 2040)
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lithium-Nuker-V2-main\README.md"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: e8b7b1a13e405b84b6497c836985ffd0
SHA1: ad986368aa5ba37cc7530224e669fe445888ef2a
SHA256: d61a82d824e2798fc2d33576de74f6ce1c3fcae52a5f4d7d7b3cbd0221263724
SHA512: 861dd8afb379ebef761deca1dae0393f858c64114a1473e98a362542f7c97fa2ac46be59f5a7315d5ec2b87453a727a86b131e0e5c9add05b497f39fc64b932f