b53cf6fc4557b36bcab41cdb5aa3eeb060100a7bc606ef3c286892d71f8cb6f3

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 17:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HA_AimOneSR-1310_CZ.exe
Size

1.5MB
MD5

3fca039a35130ed582b0352407640439
SHA1

60ca6624c519c2a05e063d86d43ab004706d660a
SHA256

27447cea0b88544d7343aa5040e344687f952f218fd054aae184677b9ed83ea0
SHA512

8dc8430b5d6a47915e0e11a70427d62946810b8b3feeab32f9dc582105bfe179379a175109cddcc8276feba422dcc959ab1798ce2feb0058916f8a30bab6bfa0
SSDEEP

49152:HPVrAI0y7cm3pa5RKvoVsgwTj3GLnm3paB:vyhcfpa5R8NTj3LpaB

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1504	HA_AimOneSR-1310_CZ.exe
1504	HA_AimOneSR-1310_CZ.exe
1504	HA_AimOneSR-1310_CZ.exe
1504	HA_AimOneSR-1310_CZ.exe
1504	HA_AimOneSR-1310_CZ.exe
1504	HA_AimOneSR-1310_CZ.exe
1504	HA_AimOneSR-1310_CZ.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\NSISLog	HA_AimOneSR-1310_CZ.exe
File created	C:\Program Files (x86)\Common Files\NSISLog\Lang2052.DAT	HA_AimOneSR-1310_CZ.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSISLog\Lang2052.DAT	HA_AimOneSR-1310_CZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HA_AimOneSR-1310_CZ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1504	HA_AimOneSR-1310_CZ.exe
1504	HA_AimOneSR-1310_CZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1504	HA_AimOneSR-1310_CZ.exe

C:\Users\Admin\AppData\Local\Temp\HA_AimOneSR-1310_CZ.exe
"C:\Users\Admin\AppData\Local\Temp\HA_AimOneSR-1310_CZ.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst790.tmp\ioSpecial.ini

Filesize
693B

MD5
561ed52a808eb7c762ab335f8ffd85d0

SHA1
71d41bfb93b4a908ad24838ae8bf0fcdc1664621

SHA256
d0f2bb4b527af1330273778382fae3c389b4447ebb51dba2127cc967440857ec

SHA512
be432c58fd622879ea28a8a33a7f95f837fa1d2a057590050ce30b3bec3f5f80ee2aa0b305b5b3d23958c50decfa23b261dd013b5ab3991d0f5bbf62ce1a00fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst790.tmp\installoptions.dll

Filesize
12KB

MD5
1d5c649dde35003a618b9679d5d71b92

SHA1
0409bbab3ab34f8c01289cdd847b4d1a32d05b18

SHA256
0f4d3cee24e3f310fa804983c931d3628613988a24f0be7854f63a9309b8e45f

SHA512
b432ebcc52905662d61a3f17e08e209a3f9d836a9071b3b5e80070af7ebcf34cf66c44426dda041c2a258fda4787e5692e2b35acbcd73288fb84fe3c977bbfd9

Download Submit
\Users\Admin\AppData\Local\Temp\nst790.tmp\killprocdll.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nst790.tmp\system.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
memory/1504-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1504-1-0x0000000000A40000-0x0000000000AF8000-memory.dmp

Filesize
736KB

Download
memory/1504-109-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download