657e1252676cfb26a008835c20a760f731c8e0414469a4ed0f83f0fb059cdd35

Analysis

max time kernel
52s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nasm-2.16.03-installer-x64.exe
Size

1.0MB
MD5

4205b5973d293543e89c2069635117e3
SHA1

1a67e9fe7605777a78096007600bfa1492ad0e9c
SHA256

657e1252676cfb26a008835c20a760f731c8e0414469a4ed0f83f0fb059cdd35
SHA512

50e4b38098f468604b6b6d7873f4100b9305716c4946ce8092f94275e71c8905d36fb8b0c0096410c9ef33f5a93e92dfc68b08e1b59ad8be4b111c1e2546b14d
SSDEEP

24576:VUFH8ebk9B82QVMbrNgW9ty9TwmEOIm+vz3GNVmyw2TLBcU48i69/83a:eFc78ZVMbZ3ydxE9jqoywCLBcUT7Ma

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2644	nasm.exe
3020	nasm.exe

Loads dropped DLL 6 IoCs

pid	Process
2532	nasm-2.16.03-installer-x64.exe
2532	nasm-2.16.03-installer-x64.exe
2532	nasm-2.16.03-installer-x64.exe
2532	nasm-2.16.03-installer-x64.exe
2532	nasm-2.16.03-installer-x64.exe
2600	cmd.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\NASM\VSrules\nasm.README	nasm-2.16.03-installer-x64.exe
File created	C:\Program Files\NASM\LICENSE	nasm-2.16.03-installer-x64.exe
File created	C:\Program Files\NASM\nasm.ico	nasm-2.16.03-installer-x64.exe
File created	C:\Program Files\NASM\nasmpath.bat	nasm-2.16.03-installer-x64.exe
File created	C:\Program Files\NASM\nasmdoc.pdf	nasm-2.16.03-installer-x64.exe
File created	C:\Program Files\NASM\nasm.exe	nasm-2.16.03-installer-x64.exe
File created	C:\Program Files\NASM\ndisasm.exe	nasm-2.16.03-installer-x64.exe
File created	C:\Program Files\NASM\Uninstall.exe	nasm-2.16.03-installer-x64.exe
File created	C:\Program Files\NASM\VSrules\nasm.rules	nasm-2.16.03-installer-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nasm-2.16.03-installer-x64.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2600	2868	cmd.exe	34
PID 2868 wrote to memory of 2600	2868	cmd.exe	34
PID 2868 wrote to memory of 2600	2868	cmd.exe	34
PID 2600 wrote to memory of 2644	2600	cmd.exe	35
PID 2600 wrote to memory of 2644	2600	cmd.exe	35
PID 2600 wrote to memory of 2644	2600	cmd.exe	35
PID 2600 wrote to memory of 3020	2600	cmd.exe	36
PID 2600 wrote to memory of 3020	2600	cmd.exe	36
PID 2600 wrote to memory of 3020	2600	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe
"C:\Users\Admin\AppData\Local\Temp\nasm-2.16.03-installer-x64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2532

C:\Windows\system32\cmd.exe
cmd /c ""C:\Program Files\NASM\nasmpath.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Program Files\NASM\nasm.exe
    nasm
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Program Files\NASM\nasm.exe
    nasm -h
    3⤵
    - Executes dropped EXE
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NASM\nasmpath.bat

Filesize
50B

MD5
d52f0b808ca5c08958c894eb51fbd0ce

SHA1
4df38ee255f572b3b2336948e774ad8461a50b88

SHA256
dab1d811f518bea6ab2b164333b6d80a741a2c291c247926d66f2a30b1d609a8

SHA512
4495a898c33e4738285ab0212ad748a60e529916e7cdba61b011e95b01a5677c4c2fff96c8b6e64721c2feec617ad8556990784e068387edcb4a6704861792e9

Download Submit
\Program Files\NASM\Uninstall.exe

Filesize
118KB

MD5
5daf94410f68f7ea5beda051c9f23054

SHA1
ae734cf1d623a03fe510c434969743e806ba38d2

SHA256
e94531c8677f86373377e55f55befca0c9becd084f48571db63a87ac154ed04f

SHA512
4bfca2c230fc92abb7db4cd4a6eb7c58a15daa1d5f7ead98096508ef19f626dc7691e59f54ab2a16ae5de364871c2298e40f9e06a10e1998f1aef1b7e55cfa2e

Download Submit
\Program Files\NASM\nasm.exe

Filesize
1.6MB

MD5
7a564fd688ae791e69c360c1cf54ad61

SHA1
c0fa0e8f2416f8c99151dcebceba1bb2f3449409

SHA256
a93276636266516421cc9b422f47476c21f7a2949f1ae251556b2f1d33a3be04

SHA512
f4b6e93f189787300bbc551465b49468809cc274d45d3452a5932c74cb1d5466b2491358b2c77f2334faa9dc271551bcf3b965b17e1edf3336d5fc78d4605465

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB5BA.tmp\StartMenu.dll

Filesize
12KB

MD5
ac238522827cff2c921d83c76dee76d4

SHA1
ebb4f1f27943b9a47cf94957d4b6a58b2ebe789f

SHA256
95218c916fd8514cfd7fc234d44a5b0930ca5c1c8dd133e0ad18127ce5ed1d8a

SHA512
0f6301b74333aad58a0db469690085fc81a8d9d775d584d2964a33bbdf6b83bafe516f47ebc3908d4f266cde3eb620fcf901f31b9ee7d1197db94baf5885ede8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB5BA.tmp\UserInfo.dll

Filesize
7KB

MD5
14526f5953a85912872802ae286a787a

SHA1
ea5815e19b07b4e8f3e197e3f6358138e364f290

SHA256
c224f7da273ee3815e462be08fff79b1435eb6e7733e3d4fea5bd95c9f4b1d26

SHA512
483ae7b8e462403f0f4bab367586f41a3ee5dea18d81da39b9c64eb1b89c8b9c78be547789fca4f26700a7a6c55bd65464737efe50dde6ef191e691ae8080d66

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB5BA.tmp\nsDialogs.dll

Filesize
14KB

MD5
8e7a455526283d46300d394522e59f2b

SHA1
182a511fec4806cc886ce3c8170648411ba841b8

SHA256
2a637a57dfe1d492af5003c03feddf4de34c3e10537a849987efd3465aea59b1

SHA512
3f57012aee8118d9d75b988b14a92191593c59a1c51a76569ff94232b25a5c3dc710f5fe4ccfb717ab32d48d51f0755543dc77e4cbabed68061ad18496126e38

Download Submit
memory/2532-17-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2532-19-0x0000000074960000-0x000000007496C000-memory.dmp

Filesize
48KB

Download
memory/2532-10-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2532-53-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2532-11-0x0000000074D70000-0x0000000074D7C000-memory.dmp

Filesize
48KB

Download
memory/2644-58-0x000000013F230000-0x000000013F3CB000-memory.dmp

Filesize
1.6MB

Download
memory/3020-61-0x000000013F210000-0x000000013F3AB000-memory.dmp

Filesize
1.6MB

Download