9060e8eef770da46598eda8d5b38f5ed66c0216cf1d34e1a6bc7c8ecc47991e5

Analysis

max time kernel
100s
max time network
16s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan.exe
Size

11.6MB
MD5

cab2bb07f49101514b776de08326fa1c
SHA1

643c0b0e105e764051cc57371530be3bf9231e54
SHA256

9060e8eef770da46598eda8d5b38f5ed66c0216cf1d34e1a6bc7c8ecc47991e5
SHA512

bdf3dd0547d5ce2a08a150e8a0ad174067bd3d1b61ab300286e9769dcc65495e1d332b9da84b82a07c38e72cd715728527871bf504fbff570edda00dacb2fdfe
SSDEEP

196608:AhT6sIDRuNyGLPAW0SwLRXgWPmpzdhqiMeNvX+wfm/pf+xfdiTWRZyTlKsnSrwWH:rsSjGUW05L1V8dfvX+9/pWF0CRGAsnSn

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
2432	Nursultan.exe
2432	Nursultan.exe
2432	Nursultan.exe
2432	Nursultan.exe
2432	Nursultan.exe
2432	Nursultan.exe
2432	Nursultan.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000190b3-92.dat	upx
behavioral1/memory/2432-94-0x000007FEF59D0000-0x000007FEF5FB8000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	Nursultan.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2432	1640	Nursultan.exe	28
PID 1640 wrote to memory of 2432	1640	Nursultan.exe	28
PID 1640 wrote to memory of 2432	1640	Nursultan.exe	28

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16402\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5e2a9b9d83d943c4af82b6dc829bfe97

SHA1
22654769e7c79f1aa0e96a4c16dcb9ef865737aa

SHA256
902ffc6e350772803ac35568364005c09be5c5e5d3f18038e46e9316aed217ef

SHA512
d4a018aed49c84706038e118058832fe26d2727445bd6f4798ba9548f8afc5e746bde7a7329b0be5ddd106707983783932e7351b101cb729070b68c91c660ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
17468cdcf52d507d7d1a740323bad663

SHA1
c647494e52d5dde86bde8d850b1a49cd17024ade

SHA256
ae7f15d92e43bfb351363d149c89a0fad8453e2b2d08fdcb4d224c535a648fa1

SHA512
fef4616c4fd1521ca500fda0fac947e96a4b89b48c98847b23f42c6e8a34073076a39bcece01f19c546d0a734a9b688948fc34d425fd1ef36dffc378335881ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
3991a12b40096a59d48a95b54ad1c812

SHA1
464da16182fd1053f4633b29e83d9afdfc39f1e1

SHA256
2ee4d131e5492a9980efa47ae5a9e1aad3d5bccb062c26d28cb0c9559e973481

SHA512
5bfd17e39c4ff999db7f36fe2dd044df346f1ea352098b4e3033c7ff8c382d7f2897c46ad543266d72a29561b984667c8d0dc1d2a163e3fab67bbaf10ae17085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
7922c25a9a206110d298eb1adb747dd7

SHA1
c4431817fbc6d39b6504c121a8775f174f6cb9d3

SHA256
0528474ae1b64b2ef0089b87d53d84a36b5792c381ea9459ceda87a29c5abb2a

SHA512
f90f86d6ccd18ddf292115a8a45a22248683460a8b90d371d42d5274f596bd91c4ef4b62531e00ea304cb99b239c6b7bd50d0a39db45e539649ff6622cfaa48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
8e0be9b6baceb5babc308039618870e5

SHA1
515d98afb7d0c17861bc87b83d553d4e80ecf8fb

SHA256
83ea1b0e636eac733c221a4fff4ab19371d8dacb8e80fa8295d86fe72bd2942c

SHA512
b14755c0192560f3c535895d7013eb39e62f2d17a26747518828bed5a17668932e6ea60d00d9a798298cf3a391c0c48b3de23207a2b64e1e79b6f93fb5a1a249

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16402\ucrtbase.dll

Filesize
986KB

MD5
1268674e0227fba666728f77e9ba01bd

SHA1
bfb0c3b94319d2e524a0b9246b45edbd3f90c3da

SHA256
6dada6c2ae69c792cfb3e90aac122810052d845ce875364bde885eef4f8fe9c4

SHA512
82a7956ebbd491294728ffb07f7d7effac44578bf4fb579449e129fca007271d5c211fe17e195c419c813280f2abe229fdfe805221e0325305e71ea04a361b50

Download Submit
memory/2432-94-0x000007FEF59D0000-0x000007FEF5FB8000-memory.dmp

Filesize
5.9MB

Download
memory/2432-95-0x000007FEF59D0000-0x000007FEF5FB8000-memory.dmp

Filesize
5.9MB

Download