f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Size

5.3MB
MD5

fbd9ad001bb2719f574c0705c5de05fb
SHA1

d07e77a490ad677935ac8213b88237e94440e791
SHA256

f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593
SHA512

5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96
SSDEEP

98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Executes dropped EXE 7 IoCs

pid	Process
2768	nemu-downloader.exe
2760	ColaBoxChecker.exe
1312	HyperVChecker.exe
3020	HyperVChecker.exe
2144	7z.exe
2748	HyperVChecker.exe
1936	7z.exe

Loads dropped DLL 27 IoCs

pid	Process
2852	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2760	ColaBoxChecker.exe
2760	ColaBoxChecker.exe
2768	nemu-downloader.exe
1960	Process not Found
2768	nemu-downloader.exe
2300	Process not Found
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2144	7z.exe
2144	7z.exe
2144	7z.exe
2768	nemu-downloader.exe
2600	Process not Found
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2768	nemu-downloader.exe
2768	nemu-downloader.exe
1936	7z.exe
1936	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2112	2768	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColaBoxChecker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nemu-downloader.exe

Office loads VBA resources, possible macro or embedded object present

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	nemu-downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	nemu-downloader.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1136	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2768	nemu-downloader.exe
2768	nemu-downloader.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2144	7z.exe
Token: 35	2144	7z.exe
Token: SeSecurityPrivilege	2144	7z.exe
Token: SeSecurityPrivilege	2144	7z.exe
Token: SeRestorePrivilege	1936	7z.exe
Token: 35	1936	7z.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1136	WINWORD.EXE
1136	WINWORD.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2768	2852	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	30
PID 2852 wrote to memory of 2768	2852	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	30
PID 2852 wrote to memory of 2768	2852	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	30
PID 2852 wrote to memory of 2768	2852	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	30
PID 2852 wrote to memory of 2768	2852	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	30
PID 2852 wrote to memory of 2768	2852	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	30
PID 2852 wrote to memory of 2768	2852	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	30
PID 2768 wrote to memory of 2760	2768	nemu-downloader.exe	31
PID 2768 wrote to memory of 2760	2768	nemu-downloader.exe	31
PID 2768 wrote to memory of 2760	2768	nemu-downloader.exe	31
PID 2768 wrote to memory of 2760	2768	nemu-downloader.exe	31
PID 2768 wrote to memory of 2760	2768	nemu-downloader.exe	31
PID 2768 wrote to memory of 2760	2768	nemu-downloader.exe	31
PID 2768 wrote to memory of 2760	2768	nemu-downloader.exe	31
PID 2768 wrote to memory of 1312	2768	nemu-downloader.exe	34
PID 2768 wrote to memory of 1312	2768	nemu-downloader.exe	34
PID 2768 wrote to memory of 1312	2768	nemu-downloader.exe	34
PID 2768 wrote to memory of 1312	2768	nemu-downloader.exe	34
PID 2768 wrote to memory of 3020	2768	nemu-downloader.exe	36
PID 2768 wrote to memory of 3020	2768	nemu-downloader.exe	36
PID 2768 wrote to memory of 3020	2768	nemu-downloader.exe	36
PID 2768 wrote to memory of 3020	2768	nemu-downloader.exe	36
PID 2768 wrote to memory of 2144	2768	nemu-downloader.exe	38
PID 2768 wrote to memory of 2144	2768	nemu-downloader.exe	38
PID 2768 wrote to memory of 2144	2768	nemu-downloader.exe	38
PID 2768 wrote to memory of 2144	2768	nemu-downloader.exe	38
PID 2768 wrote to memory of 2144	2768	nemu-downloader.exe	38
PID 2768 wrote to memory of 2144	2768	nemu-downloader.exe	38
PID 2768 wrote to memory of 2144	2768	nemu-downloader.exe	38
PID 2768 wrote to memory of 2748	2768	nemu-downloader.exe	40
PID 2768 wrote to memory of 2748	2768	nemu-downloader.exe	40
PID 2768 wrote to memory of 2748	2768	nemu-downloader.exe	40
PID 2768 wrote to memory of 2748	2768	nemu-downloader.exe	40
PID 2768 wrote to memory of 1936	2768	nemu-downloader.exe	44
PID 2768 wrote to memory of 1936	2768	nemu-downloader.exe	44
PID 2768 wrote to memory of 1936	2768	nemu-downloader.exe	44
PID 2768 wrote to memory of 1936	2768	nemu-downloader.exe	44
PID 2768 wrote to memory of 1936	2768	nemu-downloader.exe	44
PID 2768 wrote to memory of 1936	2768	nemu-downloader.exe	44
PID 2768 wrote to memory of 1936	2768	nemu-downloader.exe	44
PID 1136 wrote to memory of 1908	1136	WINWORD.EXE	47
PID 1136 wrote to memory of 1908	1136	WINWORD.EXE	47
PID 1136 wrote to memory of 1908	1136	WINWORD.EXE	47
PID 1136 wrote to memory of 1908	1136	WINWORD.EXE	47

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\nemu-downloader.exe
  C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\nemu-downloader.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\ColaBoxChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\ColaBoxChecker.exe" checker /baseboard
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1460
    3⤵
    - Program crash
    PID:2112

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MoveUpdate.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\7z.dll

Filesize
1.1MB

MD5
0ffa2bff9e56e6122aec80d3c1119d83

SHA1
09b7eb124b8c83469ae7de6447d1b8a7f5c98c61

SHA256
609cba3a8704aa6f5e2623858402bc048de7198a3567a53183bf97de091a3e48

SHA512
42522bf850156577de397e527b8515b1bf0bdeceb170efae71d87c39a25c72c155a2fec6a88b5c3ae443752046f8840cd8afac9c42ed7bcf67aeb9e78aeb5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\7z.exe

Filesize
292KB

MD5
97b382235264f18a53eff8e891997920

SHA1
cc0f3ad9411f54f70a2b1a1705e24048b06ea65c

SHA256
bf42783c293279c65b00e4f8b72be39e1cb0fcbe14d6679151b0d5e27fd8572d

SHA512
1e780698dbc0963ccbd73976da6898b3c0dc4b4e655a80563585518abd37a1a5561a980d035123011213a83c76320de6c08541caa71bfd6582eb93ff57672a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\ColaBoxChecker.exe

Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\HyperVChecker.exe

Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\baseboard

Filesize
113B

MD5
9b317dde089fae4f949cbd593f5c65f8

SHA1
e9263f63df9bc28fb17bb27e6deac87db10fe4ff

SHA256
e05aab29acdfdc28395133014b0b0a1553e5189e51d880b24aae002d7cf1154b

SHA512
d6e0ec70fc79a8ba4b9ed05dc0b61179c3728d021795fc4bf252b9e78c84c9e0cf162a88cb5f331ace171f130225950e4225eeee3f48d1587ebd602e1a680700

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\config.ini

Filesize
346B

MD5
d00fb4c61a255b58ff09886c6c72461b

SHA1
4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

SHA256
77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

SHA512
8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z70D9AB24\skin.zip

Filesize
509KB

MD5
ecb43530caf9566c1b76d5af8d2097f1

SHA1
34562ada66cd1501fcb7411a1e1d86729fd7fdc0

SHA256
a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

SHA512
4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux-downloader-5e6a225e-7bfc-49c5-ae08-c7882dc794c0.log

Filesize
60KB

MD5
88cec846ecb4a9e07652c858da00200f

SHA1
202d7f5f09cfcdd98b64ffd582195f66bdd4520d

SHA256
e0c59f5d8123a5ece07d7563c18e4d935cd17c03a370917c7cc519dfa4f852a6

SHA512
68e5c2fc732b02ca173ee332a8a74a3893eecf83bd71a50fdd8937fe517e005d92a999e1f3f191193d1883fdd976377b3f70766c6a602320e7d2140cc583a80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\7z70D9AB24\nemu-downloader.exe

Filesize
3.2MB

MD5
cdf8047ceae80d9cd9eb798a57bf6084

SHA1
8e7971401fada3099aed61849745fda37e1c0d32

SHA256
1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

SHA512
ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

Download Submit
memory/1136-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download