Malware Analysis Report

2024-07-28 05:58

Sample ID 240613-1mlrys1eqf
Target nasm-2.16.03-installer-x64.exe
SHA256 657e1252676cfb26a008835c20a760f731c8e0414469a4ed0f83f0fb059cdd35
Tags: pdf link
Score: 7/10

Table of Contents

Analysis Overview
  MITRE ATT&CK Matrix

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256

657e1252676cfb26a008835c20a760f731c8e0414469a4ed0f83f0fb059cdd35

Threat Level: Shows suspicious behavior

The file nasm-2.16.03-installer-x64.exe was classified as showing suspicious behavior.

Malicious Activity Summary

pdf link

Loads dropped DLL

Drops file in Program Files directory

Enumerates physical storage devices

One or more HTTP URLs in PDF identified

Unsigned PE

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 21:46

Signatures

One or more HTTP URLs in PDF identified

pdf link

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 21:46

Reported

2024-06-13 21:46

Platform

win7-20240508-en

Max time kernel

18s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe"

Signatures

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\NASM\ndisasm.exe | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\VSrules\nasm.rules | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\LICENSE | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\nasm.exe | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\nasm.ico | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\nasmpath.bat | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\nasmdoc.pdf | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\VSrules\nasm.README | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe

"C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso322A.tmp\UserInfo.dll

MD5 14526f5953a85912872802ae286a787a
SHA1 ea5815e19b07b4e8f3e197e3f6358138e364f290
SHA256 c224f7da273ee3815e462be08fff79b1435eb6e7733e3d4fea5bd95c9f4b1d26
SHA512 483ae7b8e462403f0f4bab367586f41a3ee5dea18d81da39b9c64eb1b89c8b9c78be547789fca4f26700a7a6c55bd65464737efe50dde6ef191e691ae8080d66

\Users\Admin\AppData\Local\Temp\nso322A.tmp\nsDialogs.dll

MD5 8e7a455526283d46300d394522e59f2b
SHA1 182a511fec4806cc886ce3c8170648411ba841b8
SHA256 2a637a57dfe1d492af5003c03feddf4de34c3e10537a849987efd3465aea59b1
SHA512 3f57012aee8118d9d75b988b14a92191593c59a1c51a76569ff94232b25a5c3dc710f5fe4ccfb717ab32d48d51f0755543dc77e4cbabed68061ad18496126e38

\Users\Admin\AppData\Local\Temp\nso322A.tmp\StartMenu.dll

MD5 ac238522827cff2c921d83c76dee76d4
SHA1 ebb4f1f27943b9a47cf94957d4b6a58b2ebe789f
SHA256 95218c916fd8514cfd7fc234d44a5b0930ca5c1c8dd133e0ad18127ce5ed1d8a
SHA512 0f6301b74333aad58a0db469690085fc81a8d9d775d584d2964a33bbdf6b83bafe516f47ebc3908d4f266cde3eb620fcf901f31b9ee7d1197db94baf5885ede8

\Program Files\NASM\nasm.exe

MD5 7a564fd688ae791e69c360c1cf54ad61
SHA1 c0fa0e8f2416f8c99151dcebceba1bb2f3449409
SHA256 a93276636266516421cc9b422f47476c21f7a2949f1ae251556b2f1d33a3be04
SHA512 f4b6e93f189787300bbc551465b49468809cc274d45d3452a5932c74cb1d5466b2491358b2c77f2334faa9dc271551bcf3b965b17e1edf3336d5fc78d4605465

\Program Files\NASM\Uninstall.exe

MD5 5daf94410f68f7ea5beda051c9f23054
SHA1 ae734cf1d623a03fe510c434969743e806ba38d2
SHA256 e94531c8677f86373377e55f55befca0c9becd084f48571db63a87ac154ed04f
SHA512 4bfca2c230fc92abb7db4cd4a6eb7c58a15daa1d5f7ead98096508ef19f626dc7691e59f54ab2a16ae5de364871c2298e40f9e06a10e1998f1aef1b7e55cfa2e

memory/2024-40-0x0000000074AA0000-0x0000000074AAC000-memory.dmp

memory/2024-38-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2024-39-0x0000000074C00000-0x0000000074C0C000-memory.dmp

memory/2024-48-0x0000000000400000-0x00000000005E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 21:46

Reported

2024-06-13 21:48

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe"

Signatures

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\NASM\LICENSE | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\nasmpath.bat | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\VSrules\nasm.README | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\nasm.exe | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\ndisasm.exe | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\nasm.ico | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\nasmdoc.pdf | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A
File created | C:\Program Files\NASM\VSrules\nasm.rules | C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe

"C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsqE002.tmp\UserInfo.dll

MD5 14526f5953a85912872802ae286a787a
SHA1 ea5815e19b07b4e8f3e197e3f6358138e364f290
SHA256 c224f7da273ee3815e462be08fff79b1435eb6e7733e3d4fea5bd95c9f4b1d26
SHA512 483ae7b8e462403f0f4bab367586f41a3ee5dea18d81da39b9c64eb1b89c8b9c78be547789fca4f26700a7a6c55bd65464737efe50dde6ef191e691ae8080d66

C:\Users\Admin\AppData\Local\Temp\nsqE002.tmp\nsDialogs.dll

MD5 8e7a455526283d46300d394522e59f2b
SHA1 182a511fec4806cc886ce3c8170648411ba841b8
SHA256 2a637a57dfe1d492af5003c03feddf4de34c3e10537a849987efd3465aea59b1
SHA512 3f57012aee8118d9d75b988b14a92191593c59a1c51a76569ff94232b25a5c3dc710f5fe4ccfb717ab32d48d51f0755543dc77e4cbabed68061ad18496126e38

C:\Users\Admin\AppData\Local\Temp\nsqE002.tmp\StartMenu.dll

MD5 ac238522827cff2c921d83c76dee76d4
SHA1 ebb4f1f27943b9a47cf94957d4b6a58b2ebe789f
SHA256 95218c916fd8514cfd7fc234d44a5b0930ca5c1c8dd133e0ad18127ce5ed1d8a
SHA512 0f6301b74333aad58a0db469690085fc81a8d9d775d584d2964a33bbdf6b83bafe516f47ebc3908d4f266cde3eb620fcf901f31b9ee7d1197db94baf5885ede8

memory/684-14-0x0000000074250000-0x000000007425C000-memory.dmp

memory/684-13-0x0000000074390000-0x000000007439C000-memory.dmp

memory/684-12-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/684-43-0x0000000000400000-0x00000000005E7000-memory.dmp