0f50639167a19bffd3fbf0ada44aeb35598678937e90b11dcbbcda224877e671

Analysis

max time kernel
15s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/09/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup NANI v2.0.0.exe
Size

8.3MB
MD5

8deac3b42768ad22d58c4be22453d53f
SHA1

325d1310b4efcd07f3d26f940b55c18871316ba4
SHA256

0f50639167a19bffd3fbf0ada44aeb35598678937e90b11dcbbcda224877e671
SHA512

c2e1d88750511b62b3d031c95994d750500238ff7d50a69c4130362cb3f2a4fc62e0e766aa64fde50ff8bea8a248fdd42395195243878b677ae40ff24c8ae174
SSDEEP

196608:ozu8QRNGoWJ+UdxOqtzsUA5dE8e9KMGkf1YwsNhvFvGJLE:cDQYoMFxVe1dK9KMGkf1YzFu5E

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2576	Setup NANI v2.0.0.tmp

Loads dropped DLL 5 IoCs

pid	Process
2576	Setup NANI v2.0.0.tmp
2576	Setup NANI v2.0.0.tmp
2576	Setup NANI v2.0.0.tmp
2576	Setup NANI v2.0.0.tmp
2576	Setup NANI v2.0.0.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WXAudio\NANI\unins000.dat	Setup NANI v2.0.0.tmp
File created	C:\Program Files\WXAudio\NANI\unins000.dat	Setup NANI v2.0.0.tmp
File created	C:\Program Files\WXAudio\NANI\is-9164J.tmp	Setup NANI v2.0.0.tmp
File created	C:\Program Files\WXAudio\NANI\is-N3MKD.tmp	Setup NANI v2.0.0.tmp
File created	C:\Program Files\Common Files\VST3\WXAudio\is-JKT1L.tmp	Setup NANI v2.0.0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup NANI v2.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup NANI v2.0.0.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	Setup NANI v2.0.0.tmp
2576	Setup NANI v2.0.0.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2576	Setup NANI v2.0.0.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	Setup NANI v2.0.0.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2576	4588	Setup NANI v2.0.0.exe	73
PID 4588 wrote to memory of 2576	4588	Setup NANI v2.0.0.exe	73
PID 4588 wrote to memory of 2576	4588	Setup NANI v2.0.0.exe	73

C:\Users\Admin\AppData\Local\Temp\Setup NANI v2.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\Setup NANI v2.0.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\is-5OPTN.tmp\Setup NANI v2.0.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5OPTN.tmp\Setup NANI v2.0.0.tmp" /SL5="$8023C,8347982,121344,C:\Users\Admin\AppData\Local\Temp\Setup NANI v2.0.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5OPTN.tmp\Setup NANI v2.0.0.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
\Users\Admin\AppData\Local\Temp\is-F5U6F.tmp\ISSKINU.DLL

Filesize
357KB

MD5
f30afccd6fafc1cad4567ada824c9358

SHA1
60a65b72f208563f90fba0da6af013a36707caa9

SHA256
e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d

SHA512
59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c

Download Submit
\Users\Admin\AppData\Local\Temp\is-F5U6F.tmp\R2RINNO.dll

Filesize
4KB

MD5
fe369a9470426cf1570198224f8922b0

SHA1
82cf9e81262feaa0648b20c90c88b53c9d1e9e01

SHA256
75e01c305e8e28eea25dea2b4b83c3d230ee6ec4ae4fe017bc7b52292e27b961

SHA512
fb31b0a0dd982f1e25f68027ae39ab2eeaeb53d570b0f60204fa058d356773c70d56fa420c12a4ee8cfaf6040be320304e16f6a8343b4b70ae231dbb3291570f

Download Submit
\Users\Admin\AppData\Local\Temp\is-F5U6F.tmp\SKIN.CJSTYLES

Filesize
813KB

MD5
5f87caf3f7cf63dde8e6af53bdf31289

SHA1
a2c3cc3d9d831acd797155b667db59a32000d7a8

SHA256
4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940

SHA512
4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d

Download Submit
memory/2576-86-0x0000000073FF0000-0x00000000741FE000-memory.dmp

Filesize
2.1MB

Download
memory/2576-61-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-18-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-34-0x0000000076790000-0x00000000767B5000-memory.dmp

Filesize
148KB

Download
memory/2576-41-0x0000000074460000-0x0000000074551000-memory.dmp

Filesize
964KB

Download
memory/2576-40-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-39-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-38-0x0000000076790000-0x00000000767B5000-memory.dmp

Filesize
148KB

Download
memory/2576-37-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-46-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-51-0x0000000077630000-0x0000000077675000-memory.dmp

Filesize
276KB

Download
memory/2576-49-0x00000000752A0000-0x00000000765E8000-memory.dmp

Filesize
19.3MB

Download
memory/2576-83-0x00000000737F0000-0x0000000073923000-memory.dmp

Filesize
1.2MB

Download
memory/2576-82-0x0000000073F40000-0x0000000073F63000-memory.dmp

Filesize
140KB

Download
memory/2576-81-0x0000000073F70000-0x0000000073FE8000-memory.dmp

Filesize
480KB

Download
memory/2576-80-0x0000000074560000-0x000000007464F000-memory.dmp

Filesize
956KB

Download
memory/2576-79-0x0000000077630000-0x0000000077675000-memory.dmp

Filesize
276KB

Download
memory/2576-78-0x0000000073FF0000-0x00000000741FE000-memory.dmp

Filesize
2.1MB

Download
memory/2576-56-0x00000000752A0000-0x00000000765E8000-memory.dmp

Filesize
19.3MB

Download
memory/2576-76-0x0000000074460000-0x0000000074551000-memory.dmp

Filesize
964KB

Download
memory/2576-75-0x0000000074D60000-0x0000000074EB9000-memory.dmp

Filesize
1.3MB

Download
memory/2576-74-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-73-0x00000000737F0000-0x0000000073923000-memory.dmp

Filesize
1.2MB

Download
memory/2576-72-0x0000000073F70000-0x0000000073FE8000-memory.dmp

Filesize
480KB

Download
memory/2576-71-0x0000000074560000-0x000000007464F000-memory.dmp

Filesize
956KB

Download
memory/2576-70-0x0000000073FF0000-0x00000000741FE000-memory.dmp

Filesize
2.1MB

Download
memory/2576-67-0x00000000737F0000-0x0000000073923000-memory.dmp

Filesize
1.2MB

Download
memory/2576-66-0x0000000073F70000-0x0000000073FE8000-memory.dmp

Filesize
480KB

Download
memory/2576-65-0x0000000076790000-0x00000000767B5000-memory.dmp

Filesize
148KB

Download
memory/2576-64-0x0000000074560000-0x000000007464F000-memory.dmp

Filesize
956KB

Download
memory/2576-6-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2576-42-0x00000000752A0000-0x00000000765E8000-memory.dmp

Filesize
19.3MB

Download
memory/2576-15-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-60-0x00000000737F0000-0x0000000073923000-memory.dmp

Filesize
1.2MB

Download
memory/2576-84-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-59-0x0000000073F70000-0x0000000073FE8000-memory.dmp

Filesize
480KB

Download
memory/2576-58-0x0000000074560000-0x000000007464F000-memory.dmp

Filesize
956KB

Download
memory/2576-52-0x0000000074560000-0x000000007464F000-memory.dmp

Filesize
956KB

Download
memory/2576-55-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-54-0x00000000737F0000-0x0000000073923000-memory.dmp

Filesize
1.2MB

Download
memory/2576-53-0x0000000073F70000-0x0000000073FE8000-memory.dmp

Filesize
480KB

Download
memory/2576-50-0x0000000073FF0000-0x00000000741FE000-memory.dmp

Filesize
2.1MB

Download
memory/2576-68-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-63-0x0000000073FF0000-0x00000000741FE000-memory.dmp

Filesize
2.1MB

Download
memory/2576-57-0x0000000073FF0000-0x00000000741FE000-memory.dmp

Filesize
2.1MB

Download
memory/2576-48-0x0000000074460000-0x0000000074551000-memory.dmp

Filesize
964KB

Download
memory/2576-47-0x0000000074D60000-0x0000000074EB9000-memory.dmp

Filesize
1.3MB

Download
memory/2576-45-0x00000000737F0000-0x0000000073923000-memory.dmp

Filesize
1.2MB

Download
memory/2576-44-0x0000000074560000-0x000000007464F000-memory.dmp

Filesize
956KB

Download
memory/2576-43-0x0000000073FF0000-0x00000000741FE000-memory.dmp

Filesize
2.1MB

Download
memory/2576-36-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-35-0x00000000739D0000-0x00000000739FE000-memory.dmp

Filesize
184KB

Download
memory/2576-33-0x00000000767C0000-0x0000000076837000-memory.dmp

Filesize
476KB

Download
memory/2576-32-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-31-0x0000000076790000-0x00000000767B5000-memory.dmp

Filesize
148KB

Download
memory/2576-30-0x00000000767C0000-0x0000000076837000-memory.dmp

Filesize
476KB

Download
memory/2576-28-0x00000000767C0000-0x0000000076837000-memory.dmp

Filesize
476KB

Download
memory/2576-29-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-27-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-26-0x00000000767C0000-0x0000000076837000-memory.dmp

Filesize
476KB

Download
memory/2576-25-0x0000000003340000-0x00000000033A1000-memory.dmp

Filesize
388KB

Download
memory/2576-24-0x00000000767C0000-0x0000000076837000-memory.dmp

Filesize
476KB

Download
memory/2576-328-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4588-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4588-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download