Analysis
  max time kernel: 15s
  max time network: 17s
  platform: windows10-1703_x64
  resource: win10-20240404-en
  resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 04/09/2024, 19:15
Static task: static1
Behavioral task: behavioral1
  Sample: Setup NANI v2.0.0.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: Setup NANI v2.0.0.exe
  Resource: win10v2004-20240802-en
General
  Target: Setup NANI v2.0.0.exe
  Size: 8.3MB
  MD5: 8deac3b42768ad22d58c4be22453d53f
  SHA1: 325d1310b4efcd07f3d26f940b55c18871316ba4
  SHA256: 0f50639167a19bffd3fbf0ada44aeb35598678937e90b11dcbbcda224877e671
  SHA512: c2e1d88750511b62b3d031c95994d750500238ff7d50a69c4130362cb3f2a4fc62e0e766aa64fde50ff8bea8a248fdd42395195243878b677ae40ff24c8ae174
  SSDEEP: 196608:ozu8QRNGoWJ+UdxOqtzsUA5dE8e9KMGkf1YwsNhvFvGJLE:cDQYoMFxVe1dK9KMGkf1YzFu5E
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2576  Process: Setup NANI v2.0.0.tmp
Loads dropped DLL (5 IoCs)
  pid 2576  Process: Setup NANI v2.0.0.tmp  (5 entries, all from the same process)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (5 IoCs)
  description                   ioc                                                     Process
  File opened for modification  C:\Program Files\WXAudio\NANI\unins000.dat              Setup NANI v2.0.0.tmp
  File created                  C:\Program Files\WXAudio\NANI\unins000.dat              Setup NANI v2.0.0.tmp
  File created                  C:\Program Files\WXAudio\NANI\is-9164J.tmp              Setup NANI v2.0.0.tmp
  File created                  C:\Program Files\WXAudio\NANI\is-N3MKD.tmp              Setup NANI v2.0.0.tmp
  File created                  C:\Program Files\Common Files\VST3\WXAudio\is-JKT1L.tmp Setup NANI v2.0.0.tmp
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup NANI v2.0.0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup NANI v2.0.0.tmp
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2576  Process: Setup NANI v2.0.0.tmp  (2 entries)
Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2576  Process: Setup NANI v2.0.0.tmp
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2576  Process: Setup NANI v2.0.0.tmp
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                procid_target
  PID 4588 wrote to memory of 2576  4588  Setup NANI v2.0.0.exe  73
  (the same entry is reported 3 times)
Processes
  1. Image: C:\Users\Admin\AppData\Local\Temp\Setup NANI v2.0.0.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\Setup NANI v2.0.0.exe"
     PID: 4588
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     2. Image: C:\Users\Admin\AppData\Local\Temp\is-5OPTN.tmp\Setup NANI v2.0.0.tmp  (child of PID 4588)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-5OPTN.tmp\Setup NANI v2.0.0.tmp" /SL5="$8023C,8347982,121344,C:\Users\Admin\AppData\Local\Temp\Setup NANI v2.0.0.exe"
        PID: 2576
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads