Overview
overview
10Static
static
10Bird.exe
windows7-x64
10Bird.exe
windows10-2004-x64
10Crystal.exe
windows7-x64
10Crystal.exe
windows10-2004-x64
10Install.exe
windows7-x64
10Install.exe
windows10-2004-x64
10Minecraft_v4.4.exe
windows7-x64
10Minecraft_v4.4.exe
windows10-2004-x64
10NewHacks.exe
windows7-x64
10NewHacks.exe
windows10-2004-x64
10Setup.exe
windows7-x64
10Setup.exe
windows10-2004-x64
10Software p....5.exe
windows7-x64
9Software p....5.exe
windows10-2004-x64
9file3.exe
windows7-x64
8file3.exe
windows10-2004-x64
8forcenitro2.4.1.exe
windows7-x64
7forcenitro2.4.1.exe
windows10-2004-x64
7nitro_gen.exe
windows7-x64
10nitro_gen.exe
windows10-2004-x64
10Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 04:18
Behavioral task
behavioral1
Sample
Bird.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Bird.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Crystal.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Crystal.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Install.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Install.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Minecraft_v4.4.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Minecraft_v4.4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
NewHacks.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
NewHacks.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Setup.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
Setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Software patch v2.0.5.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Software patch v2.0.5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
file3.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
file3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
forcenitro2.4.1.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
forcenitro2.4.1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
nitro_gen.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
nitro_gen.exe
Resource
win10v2004-20241007-en
General
-
Target
file3.exe
-
Size
743KB
-
MD5
4d4bc0c39fc901c1a86ef43fc3bf189a
-
SHA1
4736a94c30917e695ebf58f674632575e383d571
-
SHA256
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
-
SHA512
62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6
-
SSDEEP
12288:pY20AljdZgBPfKf8+QxAogJfqsUsz0cX0eqUW7Yo63X7ZqNFi2fMM7Ms:e20gPgFKU+QxAVBbIcXT07YoCSNhp
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2816 attrib.exe -
Executes dropped EXE 2 IoCs
pid Process 2796 Sgsmmodul.com 2844 mmscx.exe -
Loads dropped DLL 3 IoCs
pid Process 2612 cmd.exe 2804 cmd.exe 2804 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmscx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sgsmmodul.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe -
Delays execution with timeout.exe 5 IoCs
pid Process 2008 timeout.exe 2228 timeout.exe 2832 timeout.exe 1972 timeout.exe 2884 timeout.exe -
Kills process with taskkill 2 IoCs
pid Process 2004 taskkill.exe 1692 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2004 taskkill.exe Token: SeDebugPrivilege 1692 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2704 2180 file3.exe 30 PID 2180 wrote to memory of 2704 2180 file3.exe 30 PID 2180 wrote to memory of 2704 2180 file3.exe 30 PID 2180 wrote to memory of 2704 2180 file3.exe 30 PID 2180 wrote to memory of 2704 2180 file3.exe 30 PID 2180 wrote to memory of 2704 2180 file3.exe 30 PID 2180 wrote to memory of 2704 2180 file3.exe 30 PID 2704 wrote to memory of 2612 2704 WScript.exe 31 PID 2704 wrote to memory of 2612 2704 WScript.exe 31 PID 2704 wrote to memory of 2612 2704 WScript.exe 31 PID 2704 wrote to memory of 2612 2704 WScript.exe 31 PID 2704 wrote to memory of 2612 2704 WScript.exe 31 PID 2704 wrote to memory of 2612 2704 WScript.exe 31 PID 2704 wrote to memory of 2612 2704 WScript.exe 31 PID 2612 wrote to memory of 2884 2612 cmd.exe 33 PID 2612 wrote to memory of 2884 2612 cmd.exe 33 PID 2612 wrote to memory of 2884 2612 cmd.exe 33 PID 2612 wrote to memory of 2884 2612 cmd.exe 33 PID 2612 wrote to memory of 2884 2612 cmd.exe 33 PID 2612 wrote to memory of 2884 2612 cmd.exe 33 PID 2612 wrote to memory of 2884 2612 cmd.exe 33 PID 2612 wrote to memory of 2796 2612 cmd.exe 34 PID 2612 wrote to memory of 2796 2612 cmd.exe 34 PID 2612 wrote to memory of 2796 2612 cmd.exe 34 PID 2612 wrote to memory of 2796 2612 cmd.exe 34 PID 2612 wrote to memory of 2796 2612 cmd.exe 34 PID 2612 wrote to memory of 2796 2612 cmd.exe 34 PID 2612 wrote to memory of 2796 2612 cmd.exe 34 PID 2612 wrote to memory of 2008 2612 cmd.exe 35 PID 2612 wrote to memory of 2008 2612 cmd.exe 35 PID 2612 wrote to memory of 2008 2612 cmd.exe 35 PID 2612 wrote to memory of 2008 2612 cmd.exe 35 PID 2612 wrote to memory of 2008 2612 cmd.exe 35 PID 2612 wrote to memory of 2008 2612 cmd.exe 35 PID 2612 wrote to memory of 2008 2612 cmd.exe 35 PID 2612 wrote to memory of 2964 2612 cmd.exe 36 PID 2612 wrote to memory of 2964 2612 cmd.exe 36 PID 2612 wrote to memory of 2964 2612 cmd.exe 36 PID 2612 wrote to memory of 2964 2612 cmd.exe 36 PID 2612 wrote to memory of 2964 2612 cmd.exe 36 PID 2612 wrote to memory of 2964 2612 cmd.exe 36 PID 2612 wrote to memory of 2964 2612 cmd.exe 36 PID 2612 wrote to memory of 2228 2612 cmd.exe 37 PID 2612 wrote to memory of 2228 2612 cmd.exe 37 PID 2612 wrote to memory of 2228 2612 cmd.exe 37 PID 2612 wrote to memory of 2228 2612 cmd.exe 37 PID 2612 wrote to memory of 2228 2612 cmd.exe 37 PID 2612 wrote to memory of 2228 2612 cmd.exe 37 PID 2612 wrote to memory of 2228 2612 cmd.exe 37 PID 2964 wrote to memory of 2804 2964 WScript.exe 38 PID 2964 wrote to memory of 2804 2964 WScript.exe 38 PID 2964 wrote to memory of 2804 2964 WScript.exe 38 PID 2964 wrote to memory of 2804 2964 WScript.exe 38 PID 2964 wrote to memory of 2804 2964 WScript.exe 38 PID 2964 wrote to memory of 2804 2964 WScript.exe 38 PID 2964 wrote to memory of 2804 2964 WScript.exe 38 PID 2804 wrote to memory of 2816 2804 cmd.exe 40 PID 2804 wrote to memory of 2816 2804 cmd.exe 40 PID 2804 wrote to memory of 2816 2804 cmd.exe 40 PID 2804 wrote to memory of 2816 2804 cmd.exe 40 PID 2804 wrote to memory of 2816 2804 cmd.exe 40 PID 2804 wrote to memory of 2816 2804 cmd.exe 40 PID 2804 wrote to memory of 2816 2804 cmd.exe 40 PID 2804 wrote to memory of 2832 2804 cmd.exe 41 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2816 attrib.exe 2012 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file3.exe"C:\Users\Admin\AppData\Local\Temp\file3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\NSpack\updIns\44t.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\timeout.exetimeout 74⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2884
-
-
C:\NSpack\updIns\Sgsmmodul.com"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796
-
-
C:\Windows\SysWOW64\timeout.exetimeout 64⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2008
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\NSpack\updIns\gg4359.bat" "5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\NSpack\updIns"6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2816
-
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2832
-
-
C:\NSpack\updIns\mmscx.exemmscx.exe /start6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Sgsmmodul.com6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Sgsmmodul.com6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\NSpack\updIns"6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2012
-
-
C:\Windows\SysWOW64\timeout.exetimeout 46⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1972
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 84⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2228
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
315B
MD596c69dbc1233bfa7c5e883658e0758d4
SHA1613179fa74db9e71516bdb3a93341e9d90c4ecba
SHA256deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde
SHA51243d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3
-
Filesize
255KB
MD5fbd467e1613c53b03376e987f3dbf2da
SHA1e2ca3ff625122f49e8a382dee32d0ca2f98648bf
SHA256cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68
SHA512e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05
-
Filesize
872B
MD5b4be21a8f4bb91b11ccaf08b39b679d5
SHA1b3da567bb1072168b54866ee29301bde61bdc45e
SHA25635e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d
SHA512a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c
-
Filesize
104B
MD56a551928353982ab64107a4929c91c91
SHA1b68ee5e77a722638f184d0fbf6a4834bb8cc188e
SHA2560281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3
SHA512870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d
-
Filesize
91B
MD5bdc0fb5cada9a89f074961224aaf4e63
SHA19284fe4ecc0fde705fc596dd89191c02915fd7a4
SHA256b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db
SHA51283cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28
-
Filesize
551KB
MD5061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
Filesize
593KB
MD53e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90