f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Size

5.3MB
MD5

fbd9ad001bb2719f574c0705c5de05fb
SHA1

d07e77a490ad677935ac8213b88237e94440e791
SHA256

f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593
SHA512

5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96
SSDEEP

98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2680	nemu-downloader.exe
2248	ColaBoxChecker.exe
2072	HyperVChecker.exe
1852	HyperVChecker.exe

Loads dropped DLL 16 IoCs

pid	Process
2188	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2248	ColaBoxChecker.exe
2248	ColaBoxChecker.exe
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
2680	nemu-downloader.exe
2016	Process not Found
2680	nemu-downloader.exe
2908	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2488	taskmgr.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe
2488	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2680	nemu-downloader.exe
2680	nemu-downloader.exe
2680	nemu-downloader.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2680	2188	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	28
PID 2188 wrote to memory of 2680	2188	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	28
PID 2188 wrote to memory of 2680	2188	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	28
PID 2188 wrote to memory of 2680	2188	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	28
PID 2188 wrote to memory of 2680	2188	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	28
PID 2188 wrote to memory of 2680	2188	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	28
PID 2188 wrote to memory of 2680	2188	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	28
PID 2680 wrote to memory of 2248	2680	nemu-downloader.exe	32
PID 2680 wrote to memory of 2248	2680	nemu-downloader.exe	32
PID 2680 wrote to memory of 2248	2680	nemu-downloader.exe	32
PID 2680 wrote to memory of 2248	2680	nemu-downloader.exe	32
PID 2680 wrote to memory of 2248	2680	nemu-downloader.exe	32
PID 2680 wrote to memory of 2248	2680	nemu-downloader.exe	32
PID 2680 wrote to memory of 2248	2680	nemu-downloader.exe	32
PID 2680 wrote to memory of 2072	2680	nemu-downloader.exe	37
PID 2680 wrote to memory of 2072	2680	nemu-downloader.exe	37
PID 2680 wrote to memory of 2072	2680	nemu-downloader.exe	37
PID 2680 wrote to memory of 2072	2680	nemu-downloader.exe	37
PID 2680 wrote to memory of 1852	2680	nemu-downloader.exe	39
PID 2680 wrote to memory of 1852	2680	nemu-downloader.exe	39
PID 2680 wrote to memory of 1852	2680	nemu-downloader.exe	39
PID 2680 wrote to memory of 1852	2680	nemu-downloader.exe	39

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\7z6083988C\nemu-downloader.exe
  C:\Users\Admin\AppData\Local\Temp\7z6083988C\nemu-downloader.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\7z6083988C\ColaBoxChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z6083988C\ColaBoxChecker.exe" checker /baseboard
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\7z6083988C\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z6083988C\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:2072
- - C:\Users\Admin\AppData\Local\Temp\7z6083988C\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z6083988C\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:1852

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z6083988C\ColaBoxChecker.exe

Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6083988C\baseboard

Filesize
115B

MD5
dd0359545eebf93f7c8b30fec7ed4acb

SHA1
272ea8dbba137b3a203ac2924b123bf5f49bdc99

SHA256
e1630ddc76fa4063437d79284bb09c02bb5bbc44f238d3b3c663cc93f5243e08

SHA512
11e542fe69d54bb36d3fd893f72bc3dd2a633711480563d3c4f3ecdd9bf55d7d301abc2ccae052854d09c1eba20d3e44fc3798a2395d61be43dd1f886489e3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6083988C\config.ini

Filesize
346B

MD5
d00fb4c61a255b58ff09886c6c72461b

SHA1
4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

SHA256
77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

SHA512
8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6083988C\skin.zip

Filesize
509KB

MD5
ecb43530caf9566c1b76d5af8d2097f1

SHA1
34562ada66cd1501fcb7411a1e1d86729fd7fdc0

SHA256
a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

SHA512
4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

Download Submit
\Users\Admin\AppData\Local\Temp\7z6083988C\HyperVChecker.exe

Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
\Users\Admin\AppData\Local\Temp\7z6083988C\nemu-downloader.exe

Filesize
3.2MB

MD5
cdf8047ceae80d9cd9eb798a57bf6084

SHA1
8e7971401fada3099aed61849745fda37e1c0d32

SHA256
1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

SHA512
ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

Download Submit
memory/2488-45-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2488-46-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2488-73-0x00000000020D0000-0x00000000020E0000-memory.dmp

Filesize
64KB

Download
memory/2488-76-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download