Overview

overview

6

Static

static

3

Nouveau do...64.exe

windows10-1703-x64

5

$PLUGINSDI...ns.dll

windows10-1703-x64

3

$PLUGINSDI...em.dll

windows10-1703-x64

3

$PLUGINSDI...gs.dll

windows10-1703-x64

3

Nouveau do...64.exe

windows10-1703-x64

6

Nouveau do...tkt.py

windows10-1703-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    Nouveau dossier compressé.zip

  • Size

    29.6MB

  • Sample

    240810-rwlc4sxfjb

  • MD5

    657b3cd8cef22a3bd641967d15f46e2c

  • SHA1

    9281495bb0fdb799edb79958451a00a818c3401c

  • SHA256

    7eb4dd740d65e70b9ebd7ad519e4114542ddb2f98f6891ea5bd0e4568c9db809

  • SHA512

    b27c9b9eb2cb5bd84fefae3c8c1d80804734bb18a25db3478d5f66b423f7eea0a7d679c04fbfb7d261602615df7461d1a3fd5b6022b75bf0d45ac61388e62148

  • SSDEEP

    786432:k+kNpopk79CahKqQqJb495IpccVBowHYYAwnTxClfeU4M0p:k+Qf7mqvCFcowHYYAwtCMe0p

Score
6/10
discoverypersistenceprivilege_escalation

Malware Config

Targets

    • Target

      Nouveau dossier/npp.8.6.7.Installer.x64.exe

    • Size

      4.6MB

    • MD5

      d401161afb56b8647202e031cec1ae78

    • SHA1

      6eb7ed61ccdb0bd5018271a3ec24b63b913fc281

    • SHA256

      81470eb5917705fa0df03181b8112422671842bdcec5252a7894975b38058c91

    • SHA512

      01df1134b9f4d6bb44a8f23a9ba8191dbfb20ed1eb5f249331000955f6b340b1e3e3a6c0e237456a39a712f77d90fe85fc4b946832c88fe4617e45daea9c966b

    • SSDEEP

      98304:YtvLd2AV2+xDkRCH60uSzAUc8/hx2y5ho31X9pf86Mxxik5WVzZpZvO:YtBTZFET0Jcq2Kho31Xf06MzvAF/ZG

    Score
    5/10
    discoverypersistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral1

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      15KB

    • MD5

      d095b082b7c5ba4665d40d9c5042af6d

    • SHA1

      2220277304af105ca6c56219f56f04e894b28d27

    • SHA256

      b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

    • SHA512

      61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

    • SSDEEP

      192:EyGQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoTr11929WtshLAzgSrX8:EyNt+4t7uJalUnGesY7Lt8nCr/Yosa

    Score
    3/10
    discovery
    behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      4add245d4ba34b04f213409bfe504c07

    • SHA1

      ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    • SHA256

      9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    • SHA512

      1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    • SSDEEP

      192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr

    Score
    3/10
    discovery
    behavioral3

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      1d8f01a83ddd259bc339902c1d33c8f1

    • SHA1

      9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

    • SHA256

      4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

    • SHA512

      28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

    • SSDEEP

      96:o4Ev02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YsNqkzfFc:o4EvCu5e81785qHFcU0PuAw0uyGIFc

    Score
    3/10
    discovery
    behavioral4

    • Target

      Nouveau dossier/python-3.12.5-amd64.exe

    • Size

      25.3MB

    • MD5

      bbcb2fcf9d739f776fb6414afc12c80d

    • SHA1

      2d78877db5a8da134ab54ed952b961a7e750ec7d

    • SHA256

      44810512af577ca70b3269b8570b10825ec2ace2b86e4297e767a0f4c0ee8bfd

    • SHA512

      0572c6345f6a4f7f3e5c2ff858e3ca7ca54ae4478f3d59d8e18cb0f596e61dcf12aef579db229e83d63b30f15d6684ee6bb3feaea9413e5e636a503933057678

    • SSDEEP

      786432:jKEO2c6viGKJXI95MB6K3qtY9a3YiVTfwtzWo2CB8:XHiRuVKCY9a3YiRws6B8

    Score
    6/10
    discoverypersistenceprivilege_escalation

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral5

    • Target

      Nouveau dossier/tkt.py

    • Size

      120B

    • MD5

      3f1e74a5ca282c1d80783f7699c25c44

    • SHA1

      7b0ff72e72bf14af2b9d7f3245e8364ed7aa2407

    • SHA256

      606705ca6fc48f162242749b9de521668dafc74caaf2d04b74a2b097f23f25ad

    • SHA512

      6fa22faedb0567f5a3c7488ce7c3b0c3e116f31646336795d17d7a6600c34d4ec05d6ccdc226e12844f63dd17520b77a59134d67783fa4d3844d6942b7536ad0

    Score
    3/10
    behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks