47ffb920fceccd76781e0b05fdf7782bd79077966935cefa93ecaba606217fea

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$SYSDIR/cont_coolblueads-remove.exe
Size

99KB
MD5

aa3e85010280be2efac3ae7f55f36e23
SHA1

d8dc17711d337a9c81695ec31e7abcae33b00fc9
SHA256

53d374ec1bb11c708bbd646e3b2c31c0525e910580e9f589291f263837f68aec
SHA512

42d4050a6f41fbef831eb98385c6bdeadb9f0848d48226ef07eccc163c27cfd6a5ac23b3231eb81a4cdc56e313dcfbb01877fc20a1749117d3283bbf424226e0
SSDEEP

3072:Wd/vyWmJtkAscJdpDILoRxQHUxe6Gg9m+mDbAi:WX4kAsFo/qUxe6GgUhIi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3188	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
3188	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral10/files/0x0007000000023435-4.dat	nsis_installer_1
behavioral10/files/0x0007000000023435-4.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3188	4852	cont_coolblueads-remove.exe	84
PID 4852 wrote to memory of 3188	4852	cont_coolblueads-remove.exe	84
PID 4852 wrote to memory of 3188	4852	cont_coolblueads-remove.exe	84

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\cont_coolblueads-remove.exe
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\cont_coolblueads-remove.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsq87C1.tmp\InstallOptions.dll

Filesize
117KB

MD5
cd6e705cc6992e869f488ab211ac37cb

SHA1
c9c71edd929c15bcf5ee286d4a9e9259d1590eb5

SHA256
44e729371099650904bcd5db0af7fdad6ffc01e336ae464f0bb151f329175292

SHA512
460173bbcff640721e54bb403e1f46d274e649a9db7d3b83d009a7f00354d434874dfdc009679e98cfb05548801b9eee78c25fe17b083fac396087ad3327debf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq87C1.tmp\validate.ini

Filesize
455B

MD5
f3f50872811c27d8641e751e66181765

SHA1
18f670200bb77ed57aac5aeafe86fb74ec5bcbfe

SHA256
8af8de8af9eb8801263e95069a4d339eb2920d6a3d1fe89297495b2af4f63980

SHA512
5ea6655492ac93a16379f9a56a814bd2125b0d49babfd6f965991b9f53a2fbc4dd9e6a3f7d78d5c69b173a77de175a83b47013a448e1444e134f5602a77ca1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq87C1.tmp\validate.ini

Filesize
507B

MD5
750e564b420aff5a4162edc0cbfcb96b

SHA1
ab64eb60f1f9b8104ca20e3d40173d01e4493ded

SHA256
9bb6e0b86d30572555695db8bfcd1ff4f75c5c2ef209581aed207285611225dd

SHA512
1bcbdb6abf7e19baff8d5e4664e6efc5ffefe7b8bdf687880115a60bce5cce90415a37c32c2a264f8570bd37667ecab952fcb75c6a0d0bd16a394a83c1ff6671

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
99KB

MD5
aa3e85010280be2efac3ae7f55f36e23

SHA1
d8dc17711d337a9c81695ec31e7abcae33b00fc9

SHA256
53d374ec1bb11c708bbd646e3b2c31c0525e910580e9f589291f263837f68aec

SHA512
42d4050a6f41fbef831eb98385c6bdeadb9f0848d48226ef07eccc163c27cfd6a5ac23b3231eb81a4cdc56e313dcfbb01877fc20a1749117d3283bbf424226e0

Download Submit