4b13d2657da7701589cb9562622039d120c29f00115c2e93ebc7bd27be2e96b4

Analysis

max time kernel
107s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 16:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3fd906d3ac83693fd41e0464ae60650N.exe
Size

132KB
MD5

b3fd906d3ac83693fd41e0464ae60650
SHA1

c80f17b3f6c10e30acc13a17e1980cdfd653ef26
SHA256

4b13d2657da7701589cb9562622039d120c29f00115c2e93ebc7bd27be2e96b4
SHA512

50e367f24bbd843ff58affd661d835660821bed474717afd1f837a55b83572d07946da3d4809ef2d2955db19b0fe4ea3bec4eaf8682f3b440c5b42fc4db7cdd9
SSDEEP

3072:3QIURTXJcchSVjgcfLJDMGED7Vi6ie4T7W:3smchmjXtDMGUhJ6u

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2364	YesMessenger-full-installer-sign.exe

Loads dropped DLL 8 IoCs

pid	Process
628	b3fd906d3ac83693fd41e0464ae60650N.exe
628	b3fd906d3ac83693fd41e0464ae60650N.exe
628	b3fd906d3ac83693fd41e0464ae60650N.exe
628	b3fd906d3ac83693fd41e0464ae60650N.exe
2364	YesMessenger-full-installer-sign.exe
2364	YesMessenger-full-installer-sign.exe
2364	YesMessenger-full-installer-sign.exe
2364	YesMessenger-full-installer-sign.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YesMessenger-full-installer-sign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3fd906d3ac83693fd41e0464ae60650N.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000194fd-30.dat	nsis_installer_1
behavioral1/files/0x00050000000194fd-30.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	YesMessenger-full-installer-sign.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2364	628	b3fd906d3ac83693fd41e0464ae60650N.exe	31
PID 628 wrote to memory of 2364	628	b3fd906d3ac83693fd41e0464ae60650N.exe	31
PID 628 wrote to memory of 2364	628	b3fd906d3ac83693fd41e0464ae60650N.exe	31
PID 628 wrote to memory of 2364	628	b3fd906d3ac83693fd41e0464ae60650N.exe	31
PID 628 wrote to memory of 2364	628	b3fd906d3ac83693fd41e0464ae60650N.exe	31
PID 628 wrote to memory of 2364	628	b3fd906d3ac83693fd41e0464ae60650N.exe	31
PID 628 wrote to memory of 2364	628	b3fd906d3ac83693fd41e0464ae60650N.exe	31

C:\Users\Admin\AppData\Local\Temp\b3fd906d3ac83693fd41e0464ae60650N.exe
"C:\Users\Admin\AppData\Local\Temp\b3fd906d3ac83693fd41e0464ae60650N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\YesMessenger-full-installer-sign.exe
  C:\Users\Admin\AppData\Local\Temp\YesMessenger-full-installer-sign.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseC9E6.tmp\modern-header.bmp

Filesize
25KB

MD5
67fe35eda906060626afc314f5011f55

SHA1
f287f20ed6533f7b57717ffbee9b3ab3b4c6c16f

SHA256
ed4ceca9a4e64fb682a0c747d90f8608ceca317ba0f6bf7e01ebf7ae1a24b29d

SHA512
41bc5f1a32419d8daab9ea279998b092ad1f25aef361a8b6277c7aac4bff9600ae295328048c19d2848123ad842f2254ac5cfedd62351ed60feaf27cd9835b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE11E.tmp\ioSpecial.ini

Filesize
745B

MD5
2f4f2a064fff890d50fbf715fc4d00ac

SHA1
cef9a77b28f4c96536d8d91d5848b059d8c23aa5

SHA256
6cc3b061a7f3b8173e3527917e0295c33da7ce8f1b3b5854e3a8b7164aee6f21

SHA512
29a88c199ef3ad03b3776ddcced3da6910b7455f502e001efeb678b9bbbfe28989829974e3b6379dc917af7bbbd62502fe13d3321f65cf64f3d73f2fe9bb80ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE11E.tmp\vertical-repair.bmp

Filesize
150KB

MD5
92cd9923c70c8b70d03dfa69159b0914

SHA1
7ebaf18718feea9f382e519ec8c994ddebca7670

SHA256
dc01930954a61d4e361ce1932f3b5d139d10b5650ad978c01e3055d8290bab90

SHA512
2880829f92eb7853343e605973ea0bf0f8e55b454b05c150a5d2193d7bc92a3c8f2c5bb333a8a21526c956a399ebef751ea43a63309d5c27f3927c1e3d289103

Download Submit
\Users\Admin\AppData\Local\Temp\YesMessenger-full-installer-sign.exe

Filesize
7.5MB

MD5
2f07ab73e33fd886adb0114a81c275eb

SHA1
820e909484250ca6fb4b51e788adcb1b0c898849

SHA256
36c9b94cfa84a3b223af3424076ab699533883eea9bd7de45875ae758c1e664b

SHA512
bb5a1969a6cdd9021e22c23352530f0185519a3aeece1c20a1a7a85788ff274f111fe046678a658c46c61d7f14da7a63059e8d73d3513ff30d2b4def0cac03bc

Download Submit
\Users\Admin\AppData\Local\Temp\nseC9E6.tmp\ShutdownAllow.dll

Filesize
3KB

MD5
db401847c04d665a6f83dcafdd6ac23d

SHA1
bdbdcf5baaedd62d8d3f471693ef99d1fea60d7a

SHA256
c6518731ae740494bdd87c53a43086be7f0ce125f728b2860a014235cd56134e

SHA512
c204bcd55d87cabfcdb79ca2230ae0e89425f2c7e67b46d3a04937440cdfbbe3d9cafa5e52a8ab5d4539a3af4710ce44624476fa42602edb23cb549aa77ecd71

Download Submit
\Users\Admin\AppData\Local\Temp\nseC9E6.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseC9E6.tmp\inetc.dll

Filesize
24KB

MD5
eff1d9f80967c384e8d25c5a6369af1f

SHA1
1bad344a6f8a991e2017d79113e1e54f0dde32b8

SHA256
0537e86a8940e8c516330c1e646bf46cb62d79fc5a9add557c5050b40fa9f346

SHA512
cc824bcf581182c072df0e59c4d5af73fd5768215e18585e94d15617cda224763b62bd36a24510766e1bd651da05f024e6b6b9b0eaf3b6371f119c508a5a1e18

Download Submit
\Users\Admin\AppData\Local\Temp\nsuE11E.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nsuE11E.tmp\MoreInfo.dll

Filesize
7KB

MD5
80e34b7f576b710d100f6e7c0bed0c2e

SHA1
2b5b895034d41ee0d0d01bf650594ad0d1346662

SHA256
569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99

SHA512
f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

Download Submit