Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2024, 17:13
Static task
static1

Behavioral tasks
Task         Sample                              Resource
behavioral1  Nouveau dossier.7z                  win7-20240708-en
behavioral2  Nouveau dossier.7z                  win10v2004-20240709-en
behavioral3  Nouveau dossier/WinDivert.dll       win7-20240708-en
behavioral4  Nouveau dossier/WinDivert.dll       win10v2004-20240709-en
behavioral5  Nouveau dossier/WinDivert64.sys     win10v2004-20240709-en
behavioral6  Nouveau dossier/clumsy.exe          win7-20240708-en
behavioral7  Nouveau dossier/clumsy.exe          win10v2004-20240709-en
General
Target: Nouveau dossier.7z
Size: 414KB
MD5: 8be76a2461a61ec06e7a14f5613cd19d
SHA1: f087045a1180890860a105d1ac37c7f040056d99
SHA256: 6aee4cdeb3263cc306d538c7eeaaaffa48ebb7bfa6e3cbe6641f413def336fbd
SHA512: 28afc744e78c182dd07572e92a388ada00f738e0d06458c76176e0ea9b68b30ca7edb6b3e4e66d92bc79c08639e7923ff09de7fd2ea9e1d713c78e4c84f9a6af
SSDEEP: 12288:rHhd0mGwaU4Sq3X6jqHrilpIBwXICCuz5IK:rnz4SGUAri7IBYICR
Malware Config

Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
description  ioc                                                                                    Process
Key created  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings    cmd.exe
Key created  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings    OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
3692  OpenWith.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
pid   Process
3692  OpenWith.exe (15 identical entries)
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Nouveau dossier.7z"
  - Modifies registry class
  PID: 2384

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 3692

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1112