b16789b39957db830b1bcd081168b53bb69a05a04096308ec3fdf66084de88ff

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

netduinosdk_v5.exe
Size

10.9MB
MD5

cbe9e16aad21530a3d466920923fb6aa
SHA1

855e3f8c59fd3e52340a086954116782b486fa7f
SHA256

b16789b39957db830b1bcd081168b53bb69a05a04096308ec3fdf66084de88ff
SHA512

0b79a97ceea59d78a7ba2a4469f2a7ea28255aafda5760b73dac0ae4cbbeeeeb265122c4b2c3c60684d1f7302c0742d09b15d057854f061247eccdb08259fd56
SSDEEP

196608:Ggs+DxT0Wvn6julAmYGctDDKuaFCChQfrQTO9UYsLPb+b4EkdrE0W8zPCnlIr9r4:GgsmrKuO5GcxvaFnQf0TOUDzbwzkd/ze

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2316	netduinosdk_v5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netduinosdk_v5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netduinosdk_v5.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2316	2128	netduinosdk_v5.exe	30
PID 2128 wrote to memory of 2316	2128	netduinosdk_v5.exe	30
PID 2128 wrote to memory of 2316	2128	netduinosdk_v5.exe	30
PID 2128 wrote to memory of 2316	2128	netduinosdk_v5.exe	30
PID 2128 wrote to memory of 2316	2128	netduinosdk_v5.exe	30
PID 2128 wrote to memory of 2316	2128	netduinosdk_v5.exe	30
PID 2128 wrote to memory of 2316	2128	netduinosdk_v5.exe	30

C:\Users\Admin\AppData\Local\Temp\netduinosdk_v5.exe
"C:\Users\Admin\AppData\Local\Temp\netduinosdk_v5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\netduinosdk_v5.exe
  "C:\Users\Admin\AppData\Local\Temp\netduinosdk_v5.exe" -burn.unelevated BurnPipe.{F9F8AE1B-4C05-4E23-B12C-01F958081669} {934A31CE-CE95-482E-88EB-68E489BF3323} 2128
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{32f9c654-67a0-4c81-8ddf-99c80fa21717}\.ba1\logo.png

Filesize
852B

MD5
8346e21859a269dccf1e408dc7593cca

SHA1
239f10674bf6022854c1f1bf7c91955bde34d3e4

SHA256
cd2e8ed1fbb308d9d166f49794d323a9b22efba1033cdf906d1f4b030319e01b

SHA512
de9a54e7067fe4feade10f48d7c2bb4169f50efa0b06d3310421376690712af4d55dbc24dc5accc5013379b11abb59cc8c85896fe9f2a7c6a7ea2e28f6feac9f

Download Submit
\Users\Admin\AppData\Local\Temp\{32f9c654-67a0-4c81-8ddf-99c80fa21717}\.ba1\wixstdba.dll

Filesize
151KB

MD5
6a89f5a4c7bcddae149308454809ec43

SHA1
80993fdf307a74f83295131c091cdd6165a95e9b

SHA256
66a5997e531bfe6c87bc8bebb80b074cf4c4e84739d1158a16fe746ff082063d

SHA512
d6863f73349abf8a240ffc2ed31b921e2e756c02ee73204aa9a6784f047700bc669e3ff2c6650ebf406caa89fe7696fdfe89aee539dfe9d392c3da7103df0f72

Download Submit