Analysis

  • max time kernel
    55s
  • max time network
    60s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18-09-2024 21:06

General

  • Target

    12noon-alarm-plus-plus-setup-x64.exe

  • Size

    3.4MB

  • MD5

    c5e6e9ff9ab3dd565ed430ff745a5014

  • SHA1

    a817367a96790ef64a3df6cca9c3470fc2e41bf3

  • SHA256

    51291ed880000172b7b74827cdbeb6b9f81d714dba9f9f0d8390b11c2329e5c3

  • SHA512

    4184c8921859ddd7610714cad5409c8ef3f5be39bf4e3133dcebfef3b244ad2f88d4fed0e3a3d28c46c994827de6fb13b11595fa7f92735e4b40a24ec50e65d9

  • SSDEEP

    98304:HXZyJCV6D//lO4UVRZClz9Wpvq4w7lYmMSZaMVO4RZNr9T7c7NNZ1:HJy+E//lO4MI9WRq4LmMSZhrT9T7c7Nh

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12noon-alarm-plus-plus-setup-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\12noon-alarm-plus-plus-setup-x64.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    PID:2052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\System.dll

    Filesize

    12KB

    MD5

    564bb0373067e1785cba7e4c24aab4bf

    SHA1

    7c9416a01d821b10b2eef97b80899d24014d6fc1

    SHA256

    7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    SHA512

    22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

  • C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    48f3e7860e1de2b4e63ec744a5e9582a

    SHA1

    420c64d802a637c75a53efc8f748e1aede3d6dc6

    SHA256

    6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

    SHA512

    28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583