183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 01:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Size

646KB
MD5

58742fa74d16b336b4683d92de86bd90
SHA1

4dc80e230c6f38acae85628d913e792daa12ddab
SHA256

183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270
SHA512

7b0b033f63d7aa635779093fa3a2991d783dab29f4037552981309045cfc251cb2fc71bec8d99852e7762282d492bf4198287c1efc86833ea16270824984fc77
SSDEEP

6144:tWInt4heqUOF96tvcMWGXONceGBIucsLN:t/qUOFst4GXwGBIucsLN

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2704	rs.exe
2044	orau.exe
352	wnstssu.exe

Loads dropped DLL 6 IoCs

pid	Process
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
2704	rs.exe
2704	rs.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe"	rs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe"	orau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WNSA = "C:\\Windows\\system32\\wnstssu.exe"	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnstssu.exe	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120fb-7.dat	upx
behavioral1/memory/2704-10-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2704-14-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2704-46-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-47-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-72-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-73-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-83-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-84-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-109-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-111-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-112-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-116-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-117-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-118-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2044-119-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PurityScan\PuritySCAN.exe	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnstssu.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wnstssu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wnstssu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wnstssu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wnstssu.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
352	wnstssu.exe
352	wnstssu.exe
352	wnstssu.exe
352	wnstssu.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
352	wnstssu.exe
352	wnstssu.exe
352	wnstssu.exe
352	wnstssu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2704	1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	30
PID 1476 wrote to memory of 2704	1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	30
PID 1476 wrote to memory of 2704	1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	30
PID 1476 wrote to memory of 2704	1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	30
PID 2704 wrote to memory of 2044	2704	rs.exe	32
PID 2704 wrote to memory of 2044	2704	rs.exe	32
PID 2704 wrote to memory of 2044	2704	rs.exe	32
PID 2704 wrote to memory of 2044	2704	rs.exe	32
PID 1476 wrote to memory of 352	1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	34
PID 1476 wrote to memory of 352	1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	34
PID 1476 wrote to memory of 352	1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	34
PID 1476 wrote to memory of 352	1476	183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe	34

C:\Users\Admin\AppData\Local\Temp\183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe
"C:\Users\Admin\AppData\Local\Temp\183281b306d4d06b0bd3e8805a60fd2db9ab8f743d47cb29beb56694614f7270N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\rs.exe
  C:\Users\Admin\AppData\Local\Temp\rs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Roaming\orau.exe
    C:\Users\Admin\AppData\Roaming\orau.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2044
- C:\Windows\SysWOW64\wnstssu.exe
  "C:\Windows\system32\wnstssu.exe" /no_ads
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
37a08c3144f77d2ea02282f31d58caff

SHA1
900b0b8925b5608454f23493c30e37115b289606

SHA256
385b5788d30fbe00ca8b498dbc60d2df3d6a97d19db513f71b4a7ad7503924b2

SHA512
95f420e3c6f8440de6e4e1a2461b7e3cb847de7ad212feae2aff33e2fd31721f3ffefe5eaa52ded30f8a6aa1dbd712659f5454164f799ee3c75b076a65f87809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d88c235893b72dd0a05d9fca567402e1

SHA1
c5e6b8b919467cf8186165a4549f4ea48616c36a

SHA256
11a64a3994649510252064064de54cb07aaff871e5f873c6a3a0c75b2eac5223

SHA512
c7cb45cfdd7e6c3cd50b7e11af10a08738fc45e493523b0c0abc303f0651c0831e6f80582098870cb4b6b09846503812984dd098848993c3a878879634a0993a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
c487524d261a39c5333fbd587370c4c8

SHA1
75b0b327992bcc7bf5b58d6ffbfbf61d292803ed

SHA256
d45d7f89bc8e8e46e22bcd702d287504d7f6f8ba3f340db39cd223cd2a5d46fb

SHA512
f2da720694d58164915d459879bc98fc44a13e1f258fc265f2fd46e771483ad41ebb860519cad98f5a77d575559ce5a82312312ca691b2e7992e54a928fa2402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\domain_profile[1].htm

Filesize
41KB

MD5
e49bb6bf82a72fc6a0a5c70896e4dd0f

SHA1
273df0cd931a05013af26d7686b5e9693075ed34

SHA256
4144303c2185a3af6454edf9013303356c1ea0ccd8a4e7585d289912a7e7b6de

SHA512
38e87e8067d54dc73c3da5501e71ecd8fca1d85fb161f3bf8e05026dbf28a13d0d6ae8f3f83aae110966edbbcbced79d0ec0ca6d5827538514bba7e716e9beab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\domain_profile[1].htm

Filesize
6KB

MD5
b365ef4744948b819dc01c3081bd2740

SHA1
93a417311fafa76bfb7f165609c799454364e430

SHA256
b738ff116bb4a1141b293967b3cc477cd581584bb519870fc937e061ecb8c868

SHA512
54b19aa62c3619ccf7556a7c2484469e11d700b47f6abc1a6e3f2826cefed2c22b005cadb185d1bf8e6d5c8d65136d10aa80c3621a0601a8c474d55ac3394ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab511C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rs.exe

Filesize
74KB

MD5
a06938dc128be2c105246e7c5dc5ddfb

SHA1
de1af16987f6556fb42790fb690f78b41f4133c7

SHA256
ce6a8a2accac99a44fa9827dac675a364d7d40019e57ba1d11140668a5121543

SHA512
49f64b01496d6af93e888ee8cc2747253a69de0fa1f5dc5d19705e8271c6bfbd182b806ec4a84d612d6505ff9e897bf9f37d5b8e7e5c4b394047efd365b9db78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q16J0SMW.txt

Filesize
175B

MD5
c041c5736452c4f88e8827faa9c27398

SHA1
4ac03c0f3154ff17673695d23ac08ff98ff459b9

SHA256
b5a1f905310cc58c647f5606948f4833f9bcee75a2539d37e93350372366efba

SHA512
1c6969595423e90c9de5616d8011d935bd955fb45d156943674038528ad40c8fc8cc22576cc230c5bce91c6ee64ad84e8616315dbb68eb1d95ff136832972589

Download Submit
C:\Windows\SysWOW64\wnstssu.exe

Filesize
666KB

MD5
a3db2c0fb3742b40deb3590810a359eb

SHA1
3e5c22367f6843f9e7efb125b94ce80d791a3e1d

SHA256
b871faa66882fc50a41d28a54aecfb1d25173317f0d6f47577e3b6adad0e5993

SHA512
f99819b4668707c5cb6711f2f3d6a02c26d7c2c6e833586e0bcf5a7658f6f1f308fc98161c39d1bb0da5880032170ff9f69725ca96f204282968aafddebbebb3

Download Submit
memory/1476-13-0x0000000002940000-0x0000000002971000-memory.dmp

Filesize
196KB

Download
memory/1476-8-0x0000000002940000-0x0000000002971000-memory.dmp

Filesize
196KB

Download
memory/1476-9-0x0000000002940000-0x0000000002971000-memory.dmp

Filesize
196KB

Download
memory/2044-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-109-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-47-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-119-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-118-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-72-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-117-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-116-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-112-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2704-10-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2704-42-0x0000000003000000-0x0000000003031000-memory.dmp

Filesize
196KB

Download
memory/2704-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2704-44-0x0000000003000000-0x0000000003031000-memory.dmp

Filesize
196KB

Download
memory/2704-46-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download