Analysis
-
max time kernel
18s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
06-06-2024 07:51
Behavioral task
behavioral1
Sample
NLChecker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
NLChecker.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
NLChecker.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
NLChecker.exe
Resource
win11-20240508-en
Behavioral task
behavioral5
Sample
NLChecker.pyc
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
NLChecker.pyc
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
NLChecker.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
NLChecker.pyc
Resource
win11-20240508-en
General
-
Target
NLChecker.pyc
-
Size
14KB
-
MD5
93637bd176c597ba191aaee8f2825478
-
SHA1
30f50e9753f9465c354896476b0a11c4f6fc3799
-
SHA256
6d54497e65d5840d1c00ec973965f6075c71a3db6936338a1cc94cc6ec16ec01
-
SHA512
b4cf2b8e53c74b8fb823c2dac15bea4ecb6823929cc2b9ea2d2c574911b62c190736d69cefd2d6e56cdc7e88b6115f7d6583d9dbdd8d9820450d608dc1bf0935
-
SSDEEP
384:ahz8hCCu3cbNytQStKdbUmKLglPxNeXCqGo:Wz8YCe8ktQStKdbUmKaP2SXo
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes: rundll32.exe
description / ioc / process
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: AcroRd32.exe
pid / process
2748 AcroRd32.exe
2748 AcroRd32.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes: cmd.exe, rundll32.exe
description / pid / process / target process
PID 2868 wrote to memory of 2652 2868 cmd.exe rundll32.exe
PID 2868 wrote to memory of 2652 2868 cmd.exe rundll32.exe
PID 2868 wrote to memory of 2652 2868 cmd.exe rundll32.exe
PID 2652 wrote to memory of 2748 2652 rundll32.exe AcroRd32.exe
PID 2652 wrote to memory of 2748 2652 rundll32.exe AcroRd32.exe
PID 2652 wrote to memory of 2748 2652 rundll32.exe AcroRd32.exe
PID 2652 wrote to memory of 2748 2652 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
  - Suspicious use of WriteProcessMemory
  PID: 2868
  C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2652
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc"
      - Suspicious use of SetWindowsHookEx
      PID: 2748

Reading this tree: no Python interpreter appears at any depth, so the bytecode in NLChecker.pyc was never executed. The sandbox launched the file with cmd /c; with no handler registered for the .pyc extension, Windows fell through to the Open With dialog (shell32.dll,OpenAs_RunDLL), and a program chosen in that dialog (Adobe Reader 9.0) is what made rundll32.exe write the pyc_auto_file association and spawn AcroRd32.exe on the file. The "Modifies registry class", WriteProcessMemory and SetWindowsHookEx signatures are therefore artifacts of the analysis environment rather than behaviour of the sample. For real coverage the file has to be run under the Python version its header magic number identifies, or triaged statically.
-
-
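Because the sandbox never ran the bytecode, the useful first step is a static one: read the .pyc header to learn which CPython release produced it, and only if that matches the analyst's interpreter unmarshal the code object and walk it for imported names, attribute names and string constants without executing it. The script below is an added example for that triage; it is not part of the report and not code from the sample. The magic-number table covers selected CPython releases (taken from Lib/importlib/_bootstrap_external.py), SAMPLE_SOURCE and its beacon URL are constructed stand-ins, and build_sample_pyc assumes a 3.7+ interpreter because it emits the PEP 552 header layout.

```python
"""Static triage of a CPython .pyc without executing it.

Header layouts handled:
  Python 2      : magic(4) mtime(4)                             -> code at 8
  Python 3.3-3.6: magic(4) mtime(4) source_size(4)              -> code at 12
  Python 3.7+   : magic(4) flags(4) mtime(4)+size(4) or hash(8) -> code at 16
"""
import importlib.util
import marshal
import struct
import types

# Magic numbers (low 16 bits, little-endian) of selected CPython releases, as
# listed in Lib/importlib/_bootstrap_external.py. Unlisted values map to "unknown".
MAGIC_TO_VERSION = {
    62211: "2.7",
    3230: "3.3", 3310: "3.4", 3350: "3.5", 3379: "3.6",
    3394: "3.7", 3413: "3.8", 3425: "3.9", 3439: "3.10",
    3495: "3.11", 3531: "3.12", 3571: "3.13",
}

# Constructed stand-in for a sample's source; the beacon URL is made up.
SAMPLE_SOURCE = (
    "import os\n"
    "import subprocess\n"
    "BEACON = 'http://example.invalid/beacon'\n"
    "def run(cmd):\n"
    "    return subprocess.check_output(cmd, shell=True)\n"
)


def parse_pyc_header(data):
    """Return the magic, a version guess, header fields and the offset of the marshalled code."""
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc: magic number does not end in CR LF")
    magic = struct.unpack("<H", data[:2])[0]
    info = {"magic": magic, "version": MAGIC_TO_VERSION.get(magic, "unknown")}
    if 3392 <= magic < 10000:
        # 3.7+ (PEP 552): a flags word, then mtime+size or an 8-byte source hash.
        flags = struct.unpack("<I", data[4:8])[0]
        info["hash_based"] = bool(flags & 1)
        if info["hash_based"]:
            info["source_hash"] = data[8:16].hex()
        else:
            info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
        info["code_offset"] = 16
    elif 3000 <= magic < 3392:
        # 3.3-3.6: magic, mtime, source size.
        info["mtime"], info["source_size"] = struct.unpack("<II", data[4:12])
        info["code_offset"] = 12
    else:
        # Python 2 magics are all >= 10000: magic, mtime.
        info["mtime"] = struct.unpack("<I", data[4:8])[0]
        info["code_offset"] = 8
    return info


def walk_code(code):
    """Yield a code object and, recursively, every nested code object in its constants."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def triage(data):
    """Parse the header; if the bytecode targets the running interpreter, collect
    co_names (imports, globals, attributes) and string constants from the whole
    code-object tree. Nothing is exec'd, but marshal is not hardened against
    hostile input, so run this inside an isolated analysis VM."""
    header = parse_pyc_header(data)
    running = struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]
    result = {"header": header, "loaded": False, "names": [], "strings": []}
    if header["magic"] != running:
        return result  # other interpreter version: report header fields only
    code = marshal.loads(data[header["code_offset"]:])
    names, strings = set(), set()
    for co in walk_code(code):
        names.update(co.co_names)
        strings.update(c for c in co.co_consts if isinstance(c, str))
    result.update(loaded=True, names=sorted(names), strings=sorted(strings))
    return result


def build_sample_pyc(source=SAMPLE_SOURCE, mtime=0, flags=0):
    """Compile the constructed source into a timestamp-based .pyc for the running
    interpreter (assumes the 3.7+ header layout)."""
    code = compile(source, "NLChecker.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", flags, mtime, len(source))
    return header + marshal.dumps(code)


if __name__ == "__main__":
    print(triage(build_sample_pyc()))
    # Constructed Python 2.7 header followed by a marshalled None: header only, never loaded.
    print(triage(b"\x03\xf3\r\n" + struct.pack("<I", 0) + b"N"))
```

On a real sample, read the file with open(path, "rb") and pass the bytes to triage; if the version reported differs from the running interpreter, install that release and rerun rather than forcing the load, since marshal formats and opcodes are not compatible across versions.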
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
-
MD5
656db2ca74769c26378fcfbca59c09c5
-
SHA1
0bd3142ac6182a416d20ffb183f28778755dbd29
-
SHA256
83417067f96e202f5161d4cd94484ad32d242c0ff614357c150b48e20b21b5d4
-
SHA512
0735aaaf1db6fdb145218cf1003a9607e704918aa4d5ef8ecdb2a9913d2edd8c3fa6470610a0a05f1a923bcea0d5f6ad223d8ddcf5ced932be18b367234f9de4