Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 04:18

General

  • Target

    file3.exe

  • Size

    743KB

  • MD5

    4d4bc0c39fc901c1a86ef43fc3bf189a

  • SHA1

    4736a94c30917e695ebf58f674632575e383d571

  • SHA256

    1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

  • SHA512

    62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

  • SSDEEP

    12288:pY20AljdZgBPfKf8+QxAogJfqsUsz0cX0eqUW7Yo63X7ZqNFi2fMM7Ms:e20gPgFKU+QxAVBbIcXT07YoCSNhp

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 5 IoCs
  • Kills process with taskkill 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file3.exe
    "C:\Users\Admin\AppData\Local\Temp\file3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\NSpack\updIns\44t.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\SysWOW64\timeout.exe
          timeout 7
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2884
        • C:\NSpack\updIns\Sgsmmodul.com
          "Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2796
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2008
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\NSpack\updIns\gg4359.bat" "
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2804
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\NSpack\updIns"
              6⤵
              • Sets file to hidden
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:2816
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2832
            • C:\NSpack\updIns\mmscx.exe
              mmscx.exe /start
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2844
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im Sgsmmodul.com
              6⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2004
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im Sgsmmodul.com
              6⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1692
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\NSpack\updIns"
              6⤵
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:2012
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:1972
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\NSpack\updIns\44t.bat

    Filesize

    315B

    MD5

    96c69dbc1233bfa7c5e883658e0758d4

    SHA1

    613179fa74db9e71516bdb3a93341e9d90c4ecba

    SHA256

    deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde

    SHA512

    43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3

  • C:\NSpack\updIns\dc.isi

    Filesize

    255KB

    MD5

    fbd467e1613c53b03376e987f3dbf2da

    SHA1

    e2ca3ff625122f49e8a382dee32d0ca2f98648bf

    SHA256

    cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68

    SHA512

    e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05

  • C:\NSpack\updIns\gg4359.bat

    Filesize

    872B

    MD5

    b4be21a8f4bb91b11ccaf08b39b679d5

    SHA1

    b3da567bb1072168b54866ee29301bde61bdc45e

    SHA256

    35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d

    SHA512

    a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c

  • C:\NSpack\updIns\sevenup.vbs

    Filesize

    104B

    MD5

    6a551928353982ab64107a4929c91c91

    SHA1

    b68ee5e77a722638f184d0fbf6a4834bb8cc188e

    SHA256

    0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3

    SHA512

    870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d

  • C:\NSpack\updIns\tetracom.vbs

    Filesize

    91B

    MD5

    bdc0fb5cada9a89f074961224aaf4e63

    SHA1

    9284fe4ecc0fde705fc596dd89191c02915fd7a4

    SHA256

    b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db

    SHA512

    83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28

  • \NSpack\updIns\Sgsmmodul.com

    Filesize

    551KB

    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

  • \NSpack\updIns\mmscx.exe

    Filesize

    593KB

    MD5

    3e79f72a8ae481ac76a69ccf1213d24d

    SHA1

    de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

    SHA256

    1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

    SHA512

    2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

  • memory/2804-43-0x0000000000180000-0x00000000001E7000-memory.dmp

    Filesize

    412KB

  • memory/2804-42-0x0000000000180000-0x00000000001E7000-memory.dmp

    Filesize

    412KB

  • memory/2844-45-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB