Analysis

  • max time kernel
    34s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 01:31

General

  • Target

    2f357264dba5baf086f5e2993a41b2a5.exe

  • Size

    151KB

  • MD5

    2f357264dba5baf086f5e2993a41b2a5

  • SHA1

    7829842d7fa7e2cf66062afd1e244638dac103fd

  • SHA256

    3ba2baa0f6473b8231c03600e866651c4dff9db5ef94219fc2f400c807572c82

  • SHA512

    9d324dd89e41062d1abb797e31413dbb00d52afe2552d28bcc91623e00681932d4a34e03a992ab519c208fc083e07c996edc376100f10e1df0373ca99461c900

  • SSDEEP

    3072:q/4u3Yq6fuqYb+NqclIa6oyqIhdwGatrECWdKZ/fN2+EHPozA:xu3OeMN+FlmdECWGXN+9

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 9 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f357264dba5baf086f5e2993a41b2a5.exe
    "C:\Users\Admin\AppData\Local\Temp\2f357264dba5baf086f5e2993a41b2a5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Drops file in Drivers directory
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:3020
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2100
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:4940
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:4892
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:1344
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:932
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:3504
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:1776
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2104
      • C:\Windows\SysWOW64\netsh.exe
        netsh.exe advfirewall firewall delete rule name="Block CCleaner"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4988
      • C:\Windows\SYSTEM32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner" /f
        3⤵
        PID:3240

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsh97E2.tmp\LangDLL.dll

      Filesize

      5KB

      MD5

      109b201717ab5ef9b5628a9f3efef36f

      SHA1

      98db1f0cc5f110438a02015b722778af84d50ea7

      SHA256

      20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

      SHA512

      174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

    • C:\Users\Admin\AppData\Local\Temp\nsh97E2.tmp\System.dll

      Filesize

      12KB

      MD5

      8cf2ac271d7679b1d68eefc1ae0c5618

      SHA1

      7cc1caaa747ee16dc894a600a4256f64fa65a9b8

      SHA256

      6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

      SHA512

      ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

    • C:\Users\Admin\AppData\Local\Temp\nsh97E2.tmp\nsExec.dll

      Filesize

      7KB

      MD5

      f27689c513e7d12c7c974d5f8ef710d6

      SHA1

      e305f2a2898d765a64c82c449dfb528665b4a892

      SHA256

      1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

      SHA512

      734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

    • C:\Users\Admin\AppData\Local\Temp\nsh97E2.tmp\nsProcess.dll

      Filesize

      4KB

      MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

      SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

      SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

      SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    • C:\Users\Admin\AppData\Local\Temp\nsh97E2.tmp\nsisFile.dll

      Filesize

      5KB

      MD5

      b7d0d765c151d235165823b48554e442

      SHA1

      fe530e6c6fd60392d4ce611b21ec9daad3f1bc84

      SHA256

      a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587

      SHA512

      5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

    • C:\Users\Admin\AppData\Local\Temp\nshD79D.tmp

      Filesize

      1KB

      MD5

      3a19121498aa4a500f33519964565b99

      SHA1

      a881fe7bce9804b653a087a073c97472ca27fc14

      SHA256

      e5c414ee59ffc5fe19bf968ecadd6271ffcd1fc22b51ef772dfcfe956579f9ec

      SHA512

      c70fdacebd725b43fe65f84cbf9d7ddf9e9c95919b58d772211b2aa9fc2f24639fb13080a8fb38a6688ffa95ca14d4855e882f8f92a346bae6c134db1cffafc9

    • C:\Users\Admin\AppData\Local\Temp\nswD673.tmp

      Filesize

      1KB

      MD5

      008fba141529811128b8cd5f52300f6e

      SHA1

      1a350b35d82cb4bd7a924b6840c36a678105f793

      SHA256

      ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84

      SHA512

      80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

      Filesize

      151KB

      MD5

      2f357264dba5baf086f5e2993a41b2a5

      SHA1

      7829842d7fa7e2cf66062afd1e244638dac103fd

      SHA256

      3ba2baa0f6473b8231c03600e866651c4dff9db5ef94219fc2f400c807572c82

      SHA512

      9d324dd89e41062d1abb797e31413dbb00d52afe2552d28bcc91623e00681932d4a34e03a992ab519c208fc083e07c996edc376100f10e1df0373ca99461c900