Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 12:26

General

  • Target
    $SYSDIR/$SYSDIR/$_14_.exe
  • Size
    47KB
  • MD5
    479a89a0977993dba8621d317de95125
  • SHA1
    87051ff038084a4a37ec49f0ffe5978117a3da1d
  • SHA256
    0e957437d9a2579a5e02b84ddb0094c0e3517644ecd5a15716dbeb942b4aeaa8
  • SHA512
    427356c9d5451bb3b9f43a151ade7ad8c4f006ab11bb69f5b59415340cce17286abd4761fc72170825fc7df38a5fc839038e2627b32793a095d83a91ecafe7b1
  • SSDEEP
    768:O1cVhpQI2EQK0iPDh84nScF15GYbWjXO3XJDJRnS5KtMbbX8rDRMMQ05UomKBAg3:MQpQ5EP0ijnRTXJO5V/8/5Q0F+2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • NSIS installer 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe
    "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (child of PID 2684)
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2152

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsjDAD8.tmp\validate.ini
    Filesize
    457B
    MD5
    6dd30a5511de7a02a96ae4ddf883124b
    SHA1
    072d778655e7f76c09d948f8208c38e371eafc17
    SHA256
    118cca8dd4a33ecde9bcfd744f251870100960066c7534a94154722ed50cb54b
    SHA512
    5625a72168b9ed2336a2a4cba55bb75694eb26e0e3075cf59abb57ab2572f3ceb71c51fdfbee45030b01931659dfefa79deb64404fd1a91a059e9c02971d2943

  • C:\Users\Admin\AppData\Local\Temp\nsjDAD8.tmp\validate.ini
    Filesize
    530B
    MD5
    4ae29f83d25d8e90b6e0b0aa88a7d27f
    SHA1
    3317315169d378b9e068564e12d74f65c5d06785
    SHA256
    745177aa3c0568b82a0bed1779ee4f82ced540d0f757fc9a81f9a44b77a529a5
    SHA512
    b994241435d8ce5cb1bbd65a710a33d8f358cf2234b3667aa3e8e92c636bcffb0d448ef2979e8efce073a7334701940c79c385d59c0b9a007f8177eecb99d246

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize
    47KB
    MD5
    479a89a0977993dba8621d317de95125
    SHA1
    87051ff038084a4a37ec49f0ffe5978117a3da1d
    SHA256
    0e957437d9a2579a5e02b84ddb0094c0e3517644ecd5a15716dbeb942b4aeaa8
    SHA512
    427356c9d5451bb3b9f43a151ade7ad8c4f006ab11bb69f5b59415340cce17286abd4761fc72170825fc7df38a5fc839038e2627b32793a095d83a91ecafe7b1

  • \Users\Admin\AppData\Local\Temp\nsjDAD8.tmp\InstallOptions.dll
    Filesize
    14KB
    MD5
    325b008aec81e5aaa57096f05d4212b5
    SHA1
    27a2d89747a20305b6518438eff5b9f57f7df5c3
    SHA256
    c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
    SHA512
    18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

  • \Users\Admin\AppData\Local\Temp\nsjDAD8.tmp\System.dll
    Filesize
    11KB
    MD5
    c17103ae9072a06da581dec998343fc1
    SHA1
    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256
    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512
    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f