Analysis

  • max time kernel
    119s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-11-2024 21:50

General

  • Target

    d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe

  • Size

    90KB

  • MD5

    f50262fa3d9465a6c3a30bc59e2ba200

  • SHA1

    37ac287ff0bf4c5f6d3a174be95d6b76b71c0ff6

  • SHA256

    d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502a

  • SHA512

    5be09a7ba82557c834eb71a245b92e1e6d9a6ab2aabea0dd39e8120a9f2ab54046aec13ffa39943935c52ca52f060f61e9253a494101a0d810bf9dbc4cf8aaa6

  • SSDEEP

    1536:vICQCfd/UV2FyVw4zp6G5XKy1E6w8J52gw0JNqyFzWu9W5uyWZ07M:v1t1E2FyVw4zINy1FxJ5y07qluM5A

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe
    "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\nrino.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4144
      • C:\Users\Admin\AppData\Local\Temp\nrino.exe
        C:\Users\Admin\AppData\Local\Temp\\nrino.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1988
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\ugexdi\hoazt.ozh",ShowModalDialog C:\Users\Admin\AppData\Local\Temp\nrino.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2420
          • \??\c:\windows\SysWOW64\taskkill.exe
            taskkill /f /im attrib.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nrino.exe

    Filesize

    90KB

    MD5

    79bbc920e4f4c339f1380ba7eab424ed

    SHA1

    f7408c4fa82e39251f622fe9bdfd24c93d01d8ee

    SHA256

    f64c18f4166e1ebb82a9dd708a79d78dcbdd5bce7a4b715363f9aa88b5dd28f4

    SHA512

    f1805041c21d3dbfcb478b1ac9935c7b0699f1c199194f735f538e6884a2ec8e698e772fa37f6cdfab494b8e063d8171a123299be9ae3ea2abc43efbb7aa3eb3

  • \??\c:\ugexdi\hoazt.ozh

    Filesize

    52KB

    MD5

    4b27ac9d5bcf039b63d01e808de1ab3e

    SHA1

    e5cf9870ce6cb7869b0b27e7115f886ca10241aa

    SHA256

    592e0464cff8b91353b9510a63487c40451af914fcd063b62de2fbbb41b94d91

    SHA512

    5f2e91e29c743f5016d7575dd895b0562245ebc100dda816b953b06776cbe7ab67158722289d61ffbd8a5f5c59e059b47ae1f2c35012bc71aa9fc90931c6633e

  • memory/1988-6-0x0000000000400000-0x0000000000428208-memory.dmp

    Filesize

    160KB

  • memory/1988-9-0x0000000000400000-0x0000000000428208-memory.dmp

    Filesize

    160KB

  • memory/2420-12-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/2420-13-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/2420-15-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/2420-18-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/3288-0-0x0000000000400000-0x0000000000428208-memory.dmp

    Filesize

    160KB

  • memory/3288-2-0x0000000000400000-0x0000000000428208-memory.dmp

    Filesize

    160KB