965c03c1440a12d996905d6c365b4aac7ba463e5a7b3add65be68ec6af460993

Analysis

max time kernel
100s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.exe
Size

214KB
MD5

035092f5c7d84ba03cf9d35d853c130f
SHA1

a3aace7fb445223bc5ea83cc5a2dee4852c109f8
SHA256

6e5f2dd63e046d77e2404ef8caf3863ee9d2d49dbb1d9a3db9d61f190b10c232
SHA512

779bcc5df993f0f2ab3fba4e7e146fc3be31aaf9dd79e9745ad7ef1181d82dfb255a04e177ab9528346d236a019d330cbb49505ce7cde2361fdf3aedc6d33be4
SSDEEP

6144:rmJIK+h5aRQuMulRZ5HiXsMrBjcKi1y4rJGzOp9iH4Bi:rmJB+h5SmulRmcMVjWddGzQ9iHr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1652	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
1080	virussign.exe
1652	Au_.exe
1652	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1652	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1652	1080	virussign.exe	30
PID 1080 wrote to memory of 1652	1080	virussign.exe	30
PID 1080 wrote to memory of 1652	1080	virussign.exe	30
PID 1080 wrote to memory of 1652	1080	virussign.exe	30

C:\Users\Admin\AppData\Local\Temp\virussign.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseCD40.tmp\ProcDll.dll

Filesize
348KB

MD5
7c86e1f6b310fc8035c87386b8d2ed04

SHA1
cd25fe27443fc172d581f6eec26291218d66b5ff

SHA256
fae6ead8f70b1d7d5cce53a6875a3c83916bb06c6fd6dff12e859857d56547a1

SHA512
ed1f005cf44aec6ff3ce280924fe30e288377e6c619971ed50ce46a6c6935b9c6617e7ba88710be18637fbc02e89567f743af169ff8506a188cc114bb8b494b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseCD40.tmp\ioC.ini

Filesize
512B

MD5
e36d50619ff564c3744c07c4e6e1a6ce

SHA1
a0588184ad5bbb1036df62f828614e79b5413fb7

SHA256
7bea2d17be5ef214e798eac6f67ea56717676527ded5856dd84f8ed5f86108b5

SHA512
e813cb84bb2c08f2262d284ab11746dfc2f6e080f67c7cb4f1a2dbea5c2e2b7e87f0a7cc53fa2112832a143db95fd4f86fd2e14a392df0bfeb8c172992b0edf1

Download Submit
\Users\Admin\AppData\Local\Temp\nseCD40.tmp\InstallOptions.dll

Filesize
15KB

MD5
6e663f1a0de94bc05d64d020da5d6f36

SHA1
c5abb0033776d6ab1f07e5b3568f7d64f90e5b04

SHA256
458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4

SHA512
2a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
214KB

MD5
035092f5c7d84ba03cf9d35d853c130f

SHA1
a3aace7fb445223bc5ea83cc5a2dee4852c109f8

SHA256
6e5f2dd63e046d77e2404ef8caf3863ee9d2d49dbb1d9a3db9d61f190b10c232

SHA512
779bcc5df993f0f2ab3fba4e7e146fc3be31aaf9dd79e9745ad7ef1181d82dfb255a04e177ab9528346d236a019d330cbb49505ce7cde2361fdf3aedc6d33be4

Download Submit