47ffb920fceccd76781e0b05fdf7782bd79077966935cefa93ecaba606217fea

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$SYSDIR/cont_coolblueads-remove.exe
Size

99KB
MD5

aa3e85010280be2efac3ae7f55f36e23
SHA1

d8dc17711d337a9c81695ec31e7abcae33b00fc9
SHA256

53d374ec1bb11c708bbd646e3b2c31c0525e910580e9f589291f263837f68aec
SHA512

42d4050a6f41fbef831eb98385c6bdeadb9f0848d48226ef07eccc163c27cfd6a5ac23b3231eb81a4cdc56e313dcfbb01877fc20a1749117d3283bbf424226e0
SSDEEP

3072:Wd/vyWmJtkAscJdpDILoRxQHUxe6Gg9m+mDbAi:WX4kAsFo/qUxe6GgUhIi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2296	cont_coolblueads-remove.exe
1696	Au_.exe
1696	Au_.exe
1696	Au_.exe
1696	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral9/files/0x0006000000016a8a-2.dat	nsis_installer_1
behavioral9/files/0x0006000000016a8a-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1696	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1696	2296	cont_coolblueads-remove.exe	28
PID 2296 wrote to memory of 1696	2296	cont_coolblueads-remove.exe	28
PID 2296 wrote to memory of 1696	2296	cont_coolblueads-remove.exe	28
PID 2296 wrote to memory of 1696	2296	cont_coolblueads-remove.exe	28
PID 2296 wrote to memory of 1696	2296	cont_coolblueads-remove.exe	28
PID 2296 wrote to memory of 1696	2296	cont_coolblueads-remove.exe	28
PID 2296 wrote to memory of 1696	2296	cont_coolblueads-remove.exe	28

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\cont_coolblueads-remove.exe
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\cont_coolblueads-remove.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy459B.tmp\validate.ini

Filesize
507B

MD5
a1215fc622de1ca8a80329795ea79112

SHA1
b7d3a90a4f180226b78ccee870133bd8701f5798

SHA256
b4b48e1db45f4057b634963fcee89909c241fa17d72f72c4958031f46bf30862

SHA512
46173043fad6dac2c2e5cd5904effad5a06db175d5cef25dc655096cd974c33fb9878f6e575b8235d5e3919abd8cba013c972facf963efbc773b4c443ce92fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy459B.tmp\validate.ini

Filesize
455B

MD5
af1c9e0ed6fe895de5e6ef9a689950d1

SHA1
67988923a64d8f3019d51e1ef63e47bb644b268c

SHA256
0bf9706f5edb22a91c3cb7cd34700fdf87e536ff99623ce243f496445c1ed9f7

SHA512
8d9d2fba3b2aae85e6ee59d972fe3b480bda13e218b51d4db80ac707894cec8b2023eda81d74b0844df4ab061524202901f438386a9b9f36721f71d12fda8b68

Download Submit
\Users\Admin\AppData\Local\Temp\nsy459B.tmp\InstallOptions.dll

Filesize
117KB

MD5
cd6e705cc6992e869f488ab211ac37cb

SHA1
c9c71edd929c15bcf5ee286d4a9e9259d1590eb5

SHA256
44e729371099650904bcd5db0af7fdad6ffc01e336ae464f0bb151f329175292

SHA512
460173bbcff640721e54bb403e1f46d274e649a9db7d3b83d009a7f00354d434874dfdc009679e98cfb05548801b9eee78c25fe17b083fac396087ad3327debf

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
99KB

MD5
aa3e85010280be2efac3ae7f55f36e23

SHA1
d8dc17711d337a9c81695ec31e7abcae33b00fc9

SHA256
53d374ec1bb11c708bbd646e3b2c31c0525e910580e9f589291f263837f68aec

SHA512
42d4050a6f41fbef831eb98385c6bdeadb9f0848d48226ef07eccc163c27cfd6a5ac23b3231eb81a4cdc56e313dcfbb01877fc20a1749117d3283bbf424226e0

Download Submit