9b31d0a58d4bd0d04651a2b29590f3c76493bb50fd5e6d21afb6c1d6a291e433

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$SYSDIR/cont_globaladsolution-remove.exe
Size

52KB
MD5

484d16f733b77e3ea52b90092fec78a6
SHA1

ff7f72fdfcde4eaa49b0819f63204e91d153652e
SHA256

98c01c1e12653fae11202eeb137d92cf338e7a3fdf7712e49dd781bb83436dec
SHA512

acf7387a735f586e5d97e6747b17cbc4ea4920f8c0351bfe27d5cacec84bdd3ed2b83315dd6881e23623aab3a9245b72ea763e267483c9b6dd6e52d4bf5c3e97
SSDEEP

768:YSup23EQCjlQRB8/ewZ1iU6nyYFxbssT/F/O71mJ5VJRnHt6t8KuTqoTKbbuLL:Fu4EQalMK/ewGnh0mJX8tuTfKbbsL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1780	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
1732	cont_globaladsolution-remove.exe
1780	Au_.exe
1780	Au_.exe
1780	Au_.exe
1780	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cont_globaladsolution-remove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral9/files/0x000500000001a41b-2.dat	nsis_installer_1
behavioral9/files/0x000500000001a41b-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1780	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1780	1732	cont_globaladsolution-remove.exe	30
PID 1732 wrote to memory of 1780	1732	cont_globaladsolution-remove.exe	30
PID 1732 wrote to memory of 1780	1732	cont_globaladsolution-remove.exe	30
PID 1732 wrote to memory of 1780	1732	cont_globaladsolution-remove.exe	30
PID 1732 wrote to memory of 1780	1732	cont_globaladsolution-remove.exe	30
PID 1732 wrote to memory of 1780	1732	cont_globaladsolution-remove.exe	30
PID 1732 wrote to memory of 1780	1732	cont_globaladsolution-remove.exe	30

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\cont_globaladsolution-remove.exe
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\cont_globaladsolution-remove.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstA306.tmp\validate.ini

Filesize
455B

MD5
c964b8669f22f3ce84ae510a14808877

SHA1
3e48091a952e9c3c36a865e5939aae7fc716131d

SHA256
6027cc6eb5054337cafabe7c48c2b82bb5d6862a42fe6b733caf3ecb38007998

SHA512
3c4b54681be1fc195ccee4c391ce4d30f381487caea5fc4835a6736b18c5ebde5b334bd4103c696053e8dcc97911d17453a0a16070e7b187814732fea86e6c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA306.tmp\validate.ini

Filesize
528B

MD5
36cddb95aea8d48a623d60797979c442

SHA1
3fbe47964f0366055414bc6ea93ffeef57f7599a

SHA256
07ef31fba60b3f53921c489226ae25e57de4fd3f6ced3ecf1e54197d53d7afde

SHA512
07d2d761e097c674aa9ae29351ca85d92799ef8a345f517f1c1134d06b48c241dc9f3513c8c7450d93dbc2faca0c3728124aea35fa4f31a35464c00edd25cb62

Download Submit
\Users\Admin\AppData\Local\Temp\nstA306.tmp\InstallOptions.dll

Filesize
14KB

MD5
271b5d1043c4402f08ddeae383f6979c

SHA1
2b88c58aa27bfb4979239579cd65d4c6c67a5295

SHA256
90485cb175686c3e97b32ebf99daa939c1a6f46e7031f71b72b81cd114fd5b51

SHA512
f8bd4b316726f05647162bb52a2aeb4a6cf5ee976fdb7817a3d25b868b83fb482c38d078f01d3a629afb0d6fa6ce409b2b3404398563137e22010074f529c11b

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
52KB

MD5
484d16f733b77e3ea52b90092fec78a6

SHA1
ff7f72fdfcde4eaa49b0819f63204e91d153652e

SHA256
98c01c1e12653fae11202eeb137d92cf338e7a3fdf7712e49dd781bb83436dec

SHA512
acf7387a735f586e5d97e6747b17cbc4ea4920f8c0351bfe27d5cacec84bdd3ed2b83315dd6881e23623aab3a9245b72ea763e267483c9b6dd6e52d4bf5c3e97

Download Submit