Analysis
- max time kernel: 138s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2024, 02:40
Behavioral tasks
task | Sample | Resource
behavioral1 | 9eb87c0b29794234739b1fb08248b355eff2d7f73896186052c14894a49ab424.exe | win7-20240903-en
behavioral2 | 9eb87c0b29794234739b1fb08248b355eff2d7f73896186052c14894a49ab424.exe | win10v2004-20241007-en
behavioral3 | $PLUGINSDIR/System.dll | win7-20240903-en
behavioral4 | $PLUGINSDIR/System.dll | win10v2004-20241007-en
behavioral5 | $PLUGINSDIR/nsDialogs.dll | win7-20240903-en
behavioral6 | $PLUGINSDIR/nsDialogs.dll | win10v2004-20241007-en
behavioral7 | Areas/page111.ps1 | win7-20241010-en
behavioral8 | Areas/page111.ps1 | win10v2004-20241007-en
behavioral9 | NACAH.exe | win7-20240903-en
behavioral10 | NACAH.exe | win10v2004-20241007-en
behavioral11 | Nacah_Manual_Win_EN.pdf | win7-20240903-en
behavioral12 | Nacah_Manual_Win_EN.pdf | win10v2004-20241007-en
behavioral13 | WAVMIX32.dll | win7-20240708-en
behavioral14 | WAVMIX32.dll | win10v2004-20241007-en
behavioral15 | a.dll | win7-20240903-en
behavioral16 | a.dll | win10v2004-20241007-en
behavioral17 | setupwin2kXP.bat | win7-20240729-en
behavioral18 | setupwin2kXP.bat | win10v2004-20241007-en
behavioral19 | setupwin9x.bat | win7-20240903-en
behavioral20 | setupwin9x.bat | win10v2004-20241007-en
General
- Target: a.dll
- Size: 16KB
- MD5: d7a5aa9937568b1e34ad845c67d59024
- SHA1: f56692fce5147afd558df4b9be45490155f9dae5
- SHA256: 41794b5b46fb063d7e934eef590f059fa8e6875aff628adcf85b8449f7d3b027
- SHA512: 5313ec50eceaf024bda3dd0e1893de660b3dd3b9c21251293122e155d2578bd943f33e6766606f28583c1e44433aa2da38bfe650ebae192eea7e2f40dfa4810f
- SSDEEP: 192:C7KSdtf/wB7vzXDe3mt+D69mdzfYluDDDDDDDDDDDDDDDDDDD+yMsuyK32BQ2fAi:CeUnwB7XV1ddD2BJfA
Malware Config
Signatures
-
Modifies Windows Defender notification settings 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | rundll32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | rundll32.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2236 | powershell.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | rundll32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | cscript.exe
-
Executes dropped EXE 1 IoCs
pid | Process
3612 | nqpD545.tmp
-
Loads dropped DLL 1 IoCs
pid | Process
3928 | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
-
Delays execution with timeout.exe 2 IoCs
pid | Process
2720 | timeout.exe
2816 | timeout.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2236 | powershell.exe
2236 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2236 | powershell.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 3872 wrote to memory of 3928 | 3872 | rundll32.exe | 88
PID 3872 wrote to memory of 3928 | 3872 | rundll32.exe | 88
PID 3872 wrote to memory of 3928 | 3872 | rundll32.exe | 88
PID 3928 wrote to memory of 2236 | 3928 | rundll32.exe | 89
PID 3928 wrote to memory of 2236 | 3928 | rundll32.exe | 89
PID 3928 wrote to memory of 2236 | 3928 | rundll32.exe | 89
PID 3928 wrote to memory of 2212 | 3928 | rundll32.exe | 90
PID 3928 wrote to memory of 2212 | 3928 | rundll32.exe | 90
PID 3928 wrote to memory of 2212 | 3928 | rundll32.exe | 90
PID 2212 wrote to memory of 316 | 2212 | cscript.exe | 94
PID 2212 wrote to memory of 316 | 2212 | cscript.exe | 94
PID 2212 wrote to memory of 316 | 2212 | cscript.exe | 94
PID 316 wrote to memory of 2720 | 316 | cmd.exe | 96
PID 316 wrote to memory of 2720 | 316 | cmd.exe | 96
PID 316 wrote to memory of 2720 | 316 | cmd.exe | 96
PID 3928 wrote to memory of 3612 | 3928 | rundll32.exe | 97
PID 3928 wrote to memory of 3612 | 3928 | rundll32.exe | 97
PID 3928 wrote to memory of 1712 | 3928 | rundll32.exe | 100
PID 3928 wrote to memory of 1712 | 3928 | rundll32.exe | 100
PID 3928 wrote to memory of 1712 | 3928 | rundll32.exe | 100
PID 1712 wrote to memory of 2816 | 1712 | cmd.exe | 102
PID 1712 wrote to memory of 2816 | 1712 | cmd.exe | 102
PID 1712 wrote to memory of 2816 | 1712 | cmd.exe | 102
Processes
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a.dll,#1
  PID: 3872
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a.dll,#1
    PID: 3928
    - Modifies Windows Defender notification settings
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:TEMP
      PID: 2236
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cscript.exe
      command: cscript.exe C:\Users\Admin\AppData\Local\Temp\gapCE1E.tmp.vbs //B //Nologo //T:5
      PID: 2212
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gpmsc_externalDBMSleanup.bat" "
        PID: 316
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          command: timeout /t 1
          PID: 2720
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\nqpD545.tmp
      command: C:\Users\Admin\AppData\Local\Temp\nqpD545.tmp C:\Users\Admin\AppData\Local\Temp\iwqD544.tmp
      PID: 3612
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /Q /C "timeout 1 && del /Q /F a"
      PID: 1712
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        command: timeout 1
        PID: 2816
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
Downloads