Analysis
- max time kernel: 121s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04/11/2024, 02:40
Behavioral tasks
- behavioral1: 9eb87c0b29794234739b1fb08248b355eff2d7f73896186052c14894a49ab424.exe (resource win7-20240903-en)
- behavioral2: 9eb87c0b29794234739b1fb08248b355eff2d7f73896186052c14894a49ab424.exe (resource win10v2004-20241007-en)
- behavioral3: $PLUGINSDIR/System.dll (resource win7-20240903-en)
- behavioral4: $PLUGINSDIR/System.dll (resource win10v2004-20241007-en)
- behavioral5: $PLUGINSDIR/nsDialogs.dll (resource win7-20240903-en)
- behavioral6: $PLUGINSDIR/nsDialogs.dll (resource win10v2004-20241007-en)
- behavioral7: Areas/page111.ps1 (resource win7-20241010-en)
- behavioral8: Areas/page111.ps1 (resource win10v2004-20241007-en)
- behavioral9: NACAH.exe (resource win7-20240903-en)
- behavioral10: NACAH.exe (resource win10v2004-20241007-en)
- behavioral11: Nacah_Manual_Win_EN.pdf (resource win7-20240903-en)
- behavioral12: Nacah_Manual_Win_EN.pdf (resource win10v2004-20241007-en)
- behavioral13: WAVMIX32.dll (resource win7-20240708-en)
- behavioral14: WAVMIX32.dll (resource win10v2004-20241007-en)
- behavioral15: a.dll (resource win7-20240903-en)
- behavioral16: a.dll (resource win10v2004-20241007-en)
- behavioral17: setupwin2kXP.bat (resource win7-20240729-en)
- behavioral18: setupwin2kXP.bat (resource win10v2004-20241007-en)
- behavioral19: setupwin9x.bat (resource win7-20240903-en)
- behavioral20: setupwin9x.bat (resource win10v2004-20241007-en)
General
- Target: a.dll
- Size: 16KB
- MD5: d7a5aa9937568b1e34ad845c67d59024
- SHA1: f56692fce5147afd558df4b9be45490155f9dae5
- SHA256: 41794b5b46fb063d7e934eef590f059fa8e6875aff628adcf85b8449f7d3b027
- SHA512: 5313ec50eceaf024bda3dd0e1893de660b3dd3b9c21251293122e155d2578bd943f33e6766606f28583c1e44433aa2da38bfe650ebae192eea7e2f40dfa4810f
- SSDEEP: 192:C7KSdtf/wB7vzXDe3mt+D69mdzfYluDDDDDDDDDDDDDDDDDDD+yMsuyK32BQ2fAi:CeUnwB7XV1ddD2BJfA
Signatures
- Modifies Windows Defender notification settings
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications (rundll32.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" (rundll32.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications (rundll32.exe)
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - PID 2392 powershell.exe
- Executes dropped EXE (1 IoCs)
  - PID 2664 eliF26D.tmp
- Loads dropped DLL (3 IoCs)
  - PID 1248 rundll32.exe (3 times)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe, timeout.exe, timeout.exe, rundll32.exe, powershell.exe, cscript.exe, timeout.exe, SecEdit.exe, cmd.exe
- Delays execution with timeout.exe (3 IoCs)
  - PID 2676 timeout.exe
  - PID 2796 timeout.exe
  - PID 2592 timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  - PID 2392 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege, PID 2392 powershell.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  - PID 2320 (rundll32.exe) wrote to memory of 1248, procid_target 31 (7 times)
  - PID 1248 (rundll32.exe) wrote to memory of 2392, procid_target 32 (4 times)
  - PID 1248 (rundll32.exe) wrote to memory of 1904, procid_target 34 (4 times)
  - PID 1904 (cscript.exe) wrote to memory of 2752, procid_target 36 (4 times)
  - PID 2752 (cmd.exe) wrote to memory of 2676, procid_target 38 (4 times)
  - PID 2752 (cmd.exe) wrote to memory of 2980, procid_target 39 (4 times)
  - PID 2752 (cmd.exe) wrote to memory of 2796, procid_target 40 (4 times)
  - PID 1248 (rundll32.exe) wrote to memory of 2664, procid_target 41 (4 times)
  - PID 1248 (rundll32.exe) wrote to memory of 2672, procid_target 42 (4 times)
  - PID 2672 (cmd.exe) wrote to memory of 2592, procid_target 44 (4 times)
Processes (process tree; indentation shows the parent/child relationship)
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a.dll,#1
  PID: 2320
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a.dll,#1
    PID: 1248
    - Modifies Windows Defender notification settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:TEMP
      PID: 2392
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cscript.exe
      Command: cscript.exe C:\Users\Admin\AppData\Local\Temp\anbEC63.tmp.vbs //B //Nologo //T:5
      PID: 1904
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\gpmsc_externalDBMSleanup.bat" "
        PID: 2752
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          Command: timeout /t 1
          PID: 2676
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
        - C:\Windows\SysWOW64\SecEdit.exe
          Command: secedit /import /db C:\Users\Admin\AppData\Local\Temp\secuserpol5765.db /cfg C:\Users\Admin\AppData\Local\Temp\secuserpol5765.cfg
          PID: 2980
          - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\timeout.exe
          Command: timeout /t 1
          PID: 2796
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\eliF26D.tmp
      Command: C:\Users\Admin\AppData\Local\Temp\eliF26D.tmp C:\Users\Admin\AppData\Local\Temp\lxrF26C.tmp
      PID: 2664
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" /Q /C "timeout 1 && del /Q /F a"
      PID: 2672
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        Command: timeout 1
        PID: 2592
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe