563447dc5e79ab2311f2d59498f791d6515cc97c2cecc47c6cec51f9089ed0b9

Resubmissions

21-11-2024 19:00

241121-xn2ysavmft 7

21-11-2024 18:39

241121-xa5gravles 7

Analysis

max time kernel
116s
max time network
72s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CurseForge - Installer.exe
Size

2.1MB
MD5

afb3a25705d6a0fc8c7f576a67576de8
SHA1

f88f3b115d039fa390069caa70f81859a0de71b8
SHA256

563447dc5e79ab2311f2d59498f791d6515cc97c2cecc47c6cec51f9089ed0b9
SHA512

02e9994a48b45250840e712e18a413aa60837373d1d13d33940c4d3b1d855573198e82c9e6975d3073279bd5f763ffd8311392e7b57fb56becaf6d6466f83a1d
SSDEEP

49152:tvLU43exE87vxpsrFpIvFbJo+McPe38sD9YOcNHxicbx:tzU43QPN+TIvFby0eM6iODk

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

CurseForge - Installer.exe

pid	process
2336	CurseForge - Installer.exe
2336	CurseForge - Installer.exe
2336	CurseForge - Installer.exe
2336	CurseForge - Installer.exe
2336	CurseForge - Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

CurseForge - Installer.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CurseForge - Installer.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1264 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2972 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2972 powershell.exe
Token: SeDebugPrivilege 1264 taskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CurseForge - Installer.exe

pid	process
1264	taskkill.exe

pid	process
2972	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1264	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2972 wrote to memory of 1264	2972	powershell.exe	taskkill.exe
PID 2972 wrote to memory of 1264	2972	powershell.exe	taskkill.exe
PID 2972 wrote to memory of 1264	2972	powershell.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\CurseForge - Installer.exe
"C:\Users\Admin\AppData\Local\Temp\CurseForge - Installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2336

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2272

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /f /im svchost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoACF3.tmp\INetC.dll

Filesize
34KB

MD5
87050902acf23fa5aa6d6aa61703db97

SHA1
d5555e17151540095a8681cd892b79bce8246832

SHA256
0ecf8b76a413726d2a9c10213ad6e406211330e9e79cfde5024968eedc64a750

SHA512
d75d3fc84a61887ee63bad3e5e38f6df32446fd5c17bedce3edca785030b723b13134b09a9bbbbaca86d5ea07405b8c4afd524cc156a8c1d78f044a22dee9eab

Download Submit
\Users\Admin\AppData\Local\Temp\nsoACF3.tmp\System.dll

Filesize
21KB

MD5
51bd16a2ea23ae1e7a92cedc6785c82e

SHA1
a9fbaeb9a695b9f2ba8a3ed8f0d95d2bf6a3d36c

SHA256
4dbc79d2b1c7987cc64bb5d014db81bb5108bdd6d8bf3a5f820fac1ded62be33

SHA512
66ffc18b2daf6c4cba01aef0e4af2f006a51aa218eab0f21dc66e47eea0389d2b1748ef0e30d2ec9f0123fd7f38ed3aee964dd6bde5779aaee19ebf55369af79

Download Submit
\Users\Admin\AppData\Local\Temp\nsoACF3.tmp\UserInfo.dll

Filesize
14KB

MD5
1dd4ca0f4a94155f8d46ec95a20ada4a

SHA1
5869f0d89e5422c5c4ad411e0a6a8d5b2321ff81

SHA256
a27dc3069793535cb64123c27dca8748983d133c8fa5aaddee8cdbc83f16986d

SHA512
f4914edc0357af44ed2855d5807c99c8168b305e6b7904dc865771ad0ee90756038612fe69c67b459c468396d1d39875395b1c8ec69e6da559fb92859204763e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoACF3.tmp\uac.dll

Filesize
24KB

MD5
861f7e800bb28f68927e65719869409c

SHA1
a12bfcd2b9950e758ead281a9afbf1895bf10539

SHA256
10a0e8cf46038ab3b2c3cf5dce407b9a043a631cbde9a5c8bcf0a54b2566c010

SHA512
f2bf24a0da69bbe4b4a0f0b1bfc5af175a66b8bcc4f5cc379ed0b89166fa9ffe1e16206b41fca7260ac7f8b86f8695b76f016bb371d7642aa71e61e29a3976eb

Download Submit
\Users\Admin\AppData\Local\Temp\nsoACF3.tmp\utils.dll

Filesize
58KB

MD5
c6b46a5fcdccbf3aeff930b1e5b383d4

SHA1
6d5a8e08de862b283610bad2f6ce44936f439821

SHA256
251ab3e2690562dcfcd510642607f206e6dcf626d06d94b74e1fa8297b1050a0

SHA512
97616475ef425421959489b650810b185488fcb02a1e90406b3014e948e66e5101df583815fd2be26d9c4d293a46b02ba4025426f743e682ed15d228f027f55c

Download Submit
memory/2972-317-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2972-316-0x000007FEF4D5E000-0x000007FEF4D5F000-memory.dmp

Filesize
4KB

Download
memory/2972-319-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2972-318-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2972-320-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2972-321-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2972-322-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download
memory/2972-323-0x000007FEF4D5E000-0x000007FEF4D5F000-memory.dmp

Filesize
4KB

Download
memory/2972-324-0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Filesize
9.6MB

Download