Overview

overview

10

Static

static

3

Nursultan 3.0.exe

windows7-x64

10

Nursultan 3.0.exe

windows10-2004-x64

1

Resubmissions

25/07/2024, 14:37 UTC

240725-rzbyvatfmn 10

25/07/2024, 14:37 UTC

240725-ry8lesxarg 10

25/07/2024, 14:37 UTC

240725-ry4mgaxarb 10

25/07/2024, 14:36 UTC

240725-ryx5paxaqd 10

25/07/2024, 14:36 UTC

240725-rytr9stfkj 10

25/07/2024, 14:36 UTC

240725-ryqqlstfjq 10

25/07/2024, 14:36 UTC

240725-rymc7axand 10

25/07/2024, 14:35 UTC

240725-rydfaaterk 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nursultan 3.0.exe

  • Size

    347KB

  • Sample

    240725-rymc7axand

  • MD5

    3500fc8f168c23e6170117e6b779ed52

  • SHA1

    0109abb6ff102e3b8f17bfac07f599d787af8663

  • SHA256

    ed2be8c7b8aa15f1e3bc399b9aaadbdbb16374e0be30d0200d4f39998f1f25a8

  • SHA512

    3d1e2600f1e2b077ab24ed017dee2313f14b34a7c193d8db19a93bb3cc6cd95b620b50c2ab300e958afbeea1fa1d133758664282f60b97b583d748baf056e85f

  • SSDEEP

    6144:igpFNojFilyzigCEcL6hl9he6VlWT8b9G3T8JUKvDbwmb0h6XW:T8Ri4h3hPVle84AWcIeXW

Score
10/10
credential_accesspersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      Nursultan 3.0.exe

    • Size

      347KB

    • MD5

      3500fc8f168c23e6170117e6b779ed52

    • SHA1

      0109abb6ff102e3b8f17bfac07f599d787af8663

    • SHA256

      ed2be8c7b8aa15f1e3bc399b9aaadbdbb16374e0be30d0200d4f39998f1f25a8

    • SHA512

      3d1e2600f1e2b077ab24ed017dee2313f14b34a7c193d8db19a93bb3cc6cd95b620b50c2ab300e958afbeea1fa1d133758664282f60b97b583d748baf056e85f

    • SSDEEP

      6144:igpFNojFilyzigCEcL6hl9he6VlWT8b9G3T8JUKvDbwmb0h6XW:T8Ri4h3hPVle84AWcIeXW

    Score
    10/10
    credential_accesspersistenceprivilege_escalationspywarestealer

    • Modifies WinLogon for persistence

      persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.