Overview

overview

7

Static

static

3

b2c10de5a8...a3.exe

windows7-x64

7

b2c10de5a8...a3.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$SYSDIR/NX...KF.dll

windows7-x64

3

$SYSDIR/NX...KF.dll

windows10-2004-x64

3

$SYSDIR/NXYUKEY.dll

windows7-x64

3

$SYSDIR/NXYUKEY.dll

windows10-2004-x64

3

$SYSDIR/NX...HB.dll

windows7-x64

3

$SYSDIR/NX...HB.dll

windows10-2004-x64

3

$SYSDIR/NX...HB.dll

windows7-x64

3

$SYSDIR/NX...HB.dll

windows10-2004-x64

3

$WINDIR/sy...64.dll

windows7-x64

1

$WINDIR/sy...64.dll

windows10-2004-x64

1

$WINDIR/sy...EY.dll

windows7-x64

7

$WINDIR/sy...EY.dll

windows10-2004-x64

7

$WINDIR/sy...HB.dll

windows7-x64

7

$WINDIR/sy...HB.dll

windows10-2004-x64

7

$WINDIR/sy...HB.dll

windows7-x64

1

$WINDIR/sy...HB.dll

windows10-2004-x64

1

NXYCSP_82_HB.dll

windows7-x64

3

NXYCSP_82_HB.dll

windows10-2004-x64

3

NXYCSP_82_HB0409.dll

windows7-x64

1

NXYCSP_82_HB0409.dll

windows10-2004-x64

1

NXYCSP_82_HB0804.chm

windows7-x64

1

NXYCSP_82_HB0804.chm

windows10-2004-x64

1

NXYCSP_82_HB0C04.dll

windows7-x64

1

NXYCSP_82_HB0C04.dll

windows10-2004-x64

1

NXYCSP_82_HB64.dll

windows7-x64

1

NXYCSP_82_HB64.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2024 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2c10de5a8d8ce2f4ec23f8a52a61cdfb08f33a0e0738891c8b84eb9f2972ca3.exe

  • Size

    755KB

  • MD5

    e6130e00b6c86753b9f94ddb6d4a1eeb

  • SHA1

    8a80ca1905f3727bb359a7f7408efd0c72579425

  • SHA256

    b2c10de5a8d8ce2f4ec23f8a52a61cdfb08f33a0e0738891c8b84eb9f2972ca3

  • SHA512

    61341a02ab0c67d364aafed4878aea2392d4922f1d712e61aabd6cf8627845e178c8655c06dbcfabbb24e77a5e5f8834094bc874f77a4d8b09945d31bc81beb5

  • SSDEEP

    12288:nSakcarsQeQzb6bn7V0S2dc864XRYUVkaNumwFrCcplljtqKHfU3lC9LA6+w4oi1:SahceqG3V0c864CFawmwFmklUlCXQ

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2c10de5a8d8ce2f4ec23f8a52a61cdfb08f33a0e0738891c8b84eb9f2972ca3.exe
    "C:\Users\Admin\AppData\Local\Temp\b2c10de5a8d8ce2f4ec23f8a52a61cdfb08f33a0e0738891c8b84eb9f2972ca3.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32" "C:\Program Files (x86)\NXY_82_69_03\NXYCSP_82_HB64.dll" /s
      2⤵
      • Loads dropped DLL
      PID:1932
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32" "C:\Windows\system32\NXYUKEY.dll" /s
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3040
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32" "C:\Windows\system32\NXYUKEY_HB.dll" /s
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\NXY_82_69_03\NXYCSP_82_HB64.dll
    Filesize

    12KB

    MD5

    5929187aa274b1e4d772262f81052080

    SHA1

    719cb9425bc08fb4f8bfc6aa3e3579f55354ee42

    SHA256

    6728dc8495b2939043ca362504435b777942f9348379353be1d25e98d01c6d0a

    SHA512

    ebcd6dc98a82bb0770da4374680de1dc3c289c1459b8ebcf75f492c09e2d4b44057f4411ff1a5e52a347ab301a074d86858864cabe8f083b6dd6e5c397cc9433

    Download Submit

  • C:\Program Files (x86)\NXY_82_69_03\NXYCSP_82_HB64.sig
    Filesize

    136B

    MD5

    e18ff8cebdb87b5216dbd029bee2daa1

    SHA1

    627d7b1cba663c45e18551fd0a5fa21108e93d67

    SHA256

    d7d138300109d51db45c5163ec570e665b89de984acb8342d2a265a1ada499a7

    SHA512

    a89f2cf2fb6296002af6cfeffcf2a2ac8bb9d0c57c97496e365b1c42a4093e55222ce0505a274cd9a6eb6bcf63bbb6017b21c729eb123d92cc241c0b6e35e1e1

    Download Submit

  • C:\Program Files (x86)\NXY_82_69_03\NXYCSP_82_HB64C.dll
    Filesize

    667KB

    MD5

    1744bdd65ce42f41a03b4aedcfcc666d

    SHA1

    8b5b72a55154c4f2141bebbfad58405880f859af

    SHA256

    3aaa664fee4952f83eb7e54cf2c97fcfbc4c5341a270514bb7448e362ca842d6

    SHA512

    1a4499078597030624512d496d2394640526f5ceeccd394c9dfc44eea5a59809cf5164cf54d54d47382414cd88f9ad8044bfe720e8bc0854b911b2977e33c20d

    Download Submit

  • C:\Program Files (x86)\NXY_82_69_03\NXYCSP_82_HBs.ini
    Filesize

    323B

    MD5

    09a5cb4a318eaec6f29aa2a05504c928

    SHA1

    be16010901adceb3876e34c497de3da326521ef4

    SHA256

    810b53fe6fadba8d5708f5faa7b26e762d18c5a10a03eba2399a2609b033ba6c

    SHA512

    259569f9ee9bc00e3c502a62aabb49b7c2da9a6ef479e7b2576cd2d9c61ddde42fe8f7b7bedf9edcbcb9dcf2be217250f7e87f79b5c5c691a84e58e6540feb46

    Download Submit

  • C:\Windows\system32\NXYUKEY_HB.dll
    Filesize

    91KB

    MD5

    82a23c02d57f07adfe7fe69a536f6ea3

    SHA1

    b5e11c64e501167e622575a7e34a675b5b00c87e

    SHA256

    9b37915a09f0f3ef563ef633cd3426f65a4e16c3282893f7c5a09f63d5a75978

    SHA512

    8ef0719346ec62bf631beaa0b87356f0969563875d4886570eb3bab60dc11933ad705bc60e6d1c5645fccf1b4a982461eabf6cfc070d9d7df9342573a01f1870

    Download Submit

  • \Program Files (x86)\NXY_82_69_03\NXYCSP_82_HB.dll
    Filesize

    28KB

    MD5

    f2abd84a39db0674a33aac93ed5fa1e5

    SHA1

    fe7482ce81e30c613da289cc837a2707a12cbd4f

    SHA256

    fb8d50a181b25850a525cb2139be09657fc76b72ae18e1dce4f309fbb2d816ed

    SHA512

    b9f8cdf6de4b0de78d6d73d8e4fa0879c670cd349ecb3e338cdc3ce6f9ae22612539efa0452d9c9b21779aef3ba5cfefa4848f3c9a4274829f61bc82fd185f0e

    Download Submit

  • \Program Files (x86)\NXY_82_69_03\NXYCSP_82_HBc.dll
    Filesize

    644KB

    MD5

    4b9f92d210851567f1a0dabf964afc9d

    SHA1

    7f3e8daf7ceae11b2ff5db471c17d4b15748b1b8

    SHA256

    f345056eefb0a995e294f5753b832d1e01f09c5a6b5f9f58bbafb1e42c2bbd76

    SHA512

    40f95997a3cc45551b5ca45061060a319a9f74648cae501989e954178890a4731acff594275021f0f5f3d439087f06e01e285cec920ccf2e6d98793069ade740

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj36DB.tmp\System.dll
    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj36DB.tmp\UserInfo.dll
    Filesize

    4KB

    MD5

    2f69afa9d17a5245ec9b5bb03d56f63c

    SHA1

    e0a133222136b3d4783e965513a690c23826aec9

    SHA256

    e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

    SHA512

    bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

    Download Submit

  • \Windows\SysWOW64\NXYUKEY.dll
    Filesize

    46KB

    MD5

    9056181bf1e131ea1fbe79bc30182c0b

    SHA1

    f5a863efb9a7dc7ff4058f7def7d1290d9f01262

    SHA256

    4d033559167e53accb8224937c16f319bcb270fca3cfbdbd52218d9e7e0e9d9d

    SHA512

    7c5ddb04e2254b938269269239c6c3d5fda3763c4ba9c9324c9ffff96120ceb56dd75e71b167977971408292c683df4c921a370f991ceddbfd354f9fef5e105f

    Download Submit

  • \Windows\SysWOW64\NXYUKEY_HB.dll
    Filesize

    74KB

    MD5

    17f390de566bbc388bca8ea0e1d39fbd

    SHA1

    6f07a83dad22a592cb252a6dfdeef43581603df8

    SHA256

    4098bb76fdc46e47c981b645eef1234f7981fcaea69e9c8809f705f277995d9c

    SHA512

    5954809a23fbc21c9c621473e27faa4cf4460a5c712608492887333dda84aba041ec4394f45ac2593703f0a4db7625c2d63be65f263c1cd0a9dc904d3e047aa1

    Download Submit

  • \Windows\System32\NXYUKEY.dll
    Filesize

    286KB

    MD5

    5cfd956fb55139037cc266dca90e436d

    SHA1

    30255bc7ec0e0d70f7717cc0a7ba1d17d0ab2a85

    SHA256

    7553dc9faf7b6cee3d694d266b04adb1350b0d7bf7186bde779bda304d511dda

    SHA512

    0f4f52927b9f3e0af480f8aeb52f6bc9df7a8ed1687536b29bd5162d3d9346274af3cab3792a635d73966aae5c3766e82b2299463702278311172e45832bcb7f

    Download Submit

  • memory/1932-83-0x0000000001DD0000-0x0000000001E7A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2700-36-0x0000000003FA0000-0x0000000004040000-memory.dmp

    Filesize

    640KB

    Download