Overview

overview

4

Static

static

1

Nursultan_Nextgen.zip

windows7-x64

1

Nursultan_Nextgen.zip

windows10-2004-x64

4

Resubmissions

26-07-2024 11:54

240726-n2vbeszckd 4

26-07-2024 11:41

240726-ntvl8avgrp 10

Analysis

  • max time kernel
    162s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursultan_Nextgen.zip

  • Size

    97.9MB

  • MD5

    9eff264f3d9a7ca42764c9f94d7dd055

  • SHA1

    6b1f4d465908eedf63592f699c6bea8a0075f72b

  • SHA256

    99b3fa12a8ef18b29156fb8e604cd7a2b11db9f82486ba024ab8c18e1bff997e

  • SHA512

    a8a3d256ca210eede32a86bf53fa07e7a14009962826c9b09b511a38f9023a4bec20a810a472eb76c6eab291383913d212826b4dc3e579f82de4e78f54eef5de

  • SSDEEP

    3145728:2/pM+wahZ4nNjMtFpB5TW3oAphPJ+R2PIhxru:2/zlZGYHpB1W3oAphPA2Puu

Score
4/10
defense_evasion

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

    defense_evasion
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Nursultan_Nextgen.zip
    1⤵
      PID:1680
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4264
      • C:\Windows\system32\mspaint.exe
        "C:\Windows\system32\mspaint.exe"
        1⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1936
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
        1⤵
          PID:4236
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat" "
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\system32\findstr.exe
            findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
            2⤵
              PID:2084
            • C:\Windows\system32\findstr.exe
              findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
              2⤵
                PID:3084
              • C:\Windows\system32\findstr.exe
                findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
                2⤵
                  PID:3700
                • C:\Windows\system32\findstr.exe
                  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
                  2⤵
                    PID:4340
                  • C:\Windows\system32\findstr.exe
                    findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
                    2⤵
                      PID:3820
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                      2⤵
                      • Hide Artifacts: Ignore Process Interrupts
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4736
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /7
                    1⤵
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:1620
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat" "
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4572
                    • C:\Windows\system32\findstr.exe
                      findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
                      2⤵
                        PID:2800
                      • C:\Windows\system32\findstr.exe
                        findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
                        2⤵
                          PID:2184
                        • C:\Windows\system32\findstr.exe
                          findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
                          2⤵
                            PID:732
                          • C:\Windows\system32\findstr.exe
                            findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
                            2⤵
                              PID:3316
                            • C:\Windows\system32\findstr.exe
                              findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
                              2⤵
                                PID:3068
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                2⤵
                                • Hide Artifacts: Ignore Process Interrupts
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2232

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              3KB

                              MD5

                              0a0b9741cb338c26f1594fb7f83df461

                              SHA1

                              b2fc8014a8629249995bdcc1733e0792260f10c8

                              SHA256

                              14b3616e9b73bbbd70d1cf8032825a1e5d22550590f08c218b7301a44c1d7bd9

                              SHA512

                              cc8cf13f94e23596b7a7ef5f551dd7a7c0ff34122ab4ef95c419460505a3cf07c2e0f843674418ff3a728dfbad842a55f810d3f09fcf11ff5155760a22c7e039

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              ac81f5c6e92439551e3282f0ed742456

                              SHA1

                              df6a6e7bd146ea72bd14d825009c8c376d15a255

                              SHA256

                              437b9739696f38235a1c3b7b3ff0c2b5ba358847eb2eebdfb415d4849207de19

                              SHA512

                              8c749399fe5aac0dbcfcc9def2de78937d8c360e45780600000f910b63e278b5be394d2f81b8272e6574b6d64243379857ccf3c6ff95e73263303514c6570329

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ce4skgff.vlm.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Users\Admin\Desktop\Nursultan Nextgen\kdotDEbKM.bat
                              Filesize

                              179B

                              MD5

                              7102eac9d4a43f01519ced10a85fabfe

                              SHA1

                              4a194aab982ee18f6489913d642e6db9206be107

                              SHA256

                              9e6da0d60270007e846a3e29351ea2f83cc6a3546c059e57f9eacf9e6fa2951d

                              SHA512

                              f19b8c35aa2a672741afa6c858078e849c194b90c4bd7f0560920cf98b6b24625773ee240e7db907889814772d159bc54f396caf37f2cc82ccc6dff16355c1c2

                              Download Submit

                            • C:\Users\Admin\Desktop\Nursultan Nextgen\kdotYKoIC.bat
                              Filesize

                              13B

                              MD5

                              337065424ed27284c55b80741f912713

                              SHA1

                              0e99e1b388ae66a51a8ffeee3448c3509a694db8

                              SHA256

                              4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b

                              SHA512

                              d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

                              Download Submit

                            • C:\Users\Admin\Desktop\Nursultan Nextgen\kdotYKoIC.bat
                              Filesize

                              88B

                              MD5

                              280326e0ebc76fd9f809343a611a3621

                              SHA1

                              dce0bee9b26c2359eef7ab82c8a3d43304d7f194

                              SHA256

                              f0bce1970851ce310574dc9903fe19570ae1a199007e7fb5955395b7500f03f5

                              SHA512

                              1096734ef225e575b5c81d0d6c993a049791afd60ae24abc7934f4224408b6f2d1918b23e2f90e39fea6afa147cc90e62abb9d2471822cb80b9e1f2ffab331c5

                              Download Submit

                            • memory/1620-71-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-69-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-70-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-75-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-81-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-80-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-79-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-78-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-77-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1620-76-0x000001D92D680000-0x000001D92D681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4736-66-0x000001BC69840000-0x000001BC69864000-memory.dmp

                              Filesize

                              144KB

                              Download

                            • memory/4736-65-0x000001BC69840000-0x000001BC6986A000-memory.dmp

                              Filesize

                              168KB

                              Download

                            • memory/4736-60-0x000001BC694C0000-0x000001BC694E2000-memory.dmp

                              Filesize

                              136KB

                              Download