916f1b6644b58d164c74b9d5ac14798f1c27958149effdbd85b95709b0d2ad6d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TWEAK NVDIA.exe
Size

11.4MB
MD5

3507038edf6b4f164c5149f39cff11b0
SHA1

720cae8b2c67d7526837f1fd3a44cbcf80ae6dd5
SHA256

916f1b6644b58d164c74b9d5ac14798f1c27958149effdbd85b95709b0d2ad6d
SHA512

c420055bfe38ae687e897ea8e5fba7cf2821ccae21819eb6ce92901b940539c107a2c8ee5c987ce07ebc060b3a008752ea5946a01cc56e45a8937da4c6be73ef
SSDEEP

196608:EG9LuhOZDB08T3uPqG4d1/1wKEIs52FykwcAFRrj5H8o99skweFOGXdaAPj:Lk2DPTX/Ts5JPfrN9s5eFOGoyj

Score

7^/10

discovery execution pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1736	Update.exe
2976	Update.exe
1172	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
2524	TWEAK NVDIA.exe
1736	Update.exe
2976	Update.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019c3a-63.dat	upx
behavioral1/memory/2976-67-0x000007FEF6450000-0x000007FEF6A38000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
2428	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000015d19-14.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TWEAK NVDIA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fltMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	powershell.exe
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 836	2524	TWEAK NVDIA.exe	31
PID 2524 wrote to memory of 836	2524	TWEAK NVDIA.exe	31
PID 2524 wrote to memory of 836	2524	TWEAK NVDIA.exe	31
PID 2524 wrote to memory of 836	2524	TWEAK NVDIA.exe	31
PID 836 wrote to memory of 2040	836	cmd.exe	33
PID 836 wrote to memory of 2040	836	cmd.exe	33
PID 836 wrote to memory of 2040	836	cmd.exe	33
PID 836 wrote to memory of 2040	836	cmd.exe	33
PID 836 wrote to memory of 2124	836	cmd.exe	34
PID 836 wrote to memory of 2124	836	cmd.exe	34
PID 836 wrote to memory of 2124	836	cmd.exe	34
PID 836 wrote to memory of 2124	836	cmd.exe	34
PID 2124 wrote to memory of 2140	2124	cmd.exe	35
PID 2124 wrote to memory of 2140	2124	cmd.exe	35
PID 2124 wrote to memory of 2140	2124	cmd.exe	35
PID 2124 wrote to memory of 2140	2124	cmd.exe	35
PID 2124 wrote to memory of 2024	2124	cmd.exe	36
PID 2124 wrote to memory of 2024	2124	cmd.exe	36
PID 2124 wrote to memory of 2024	2124	cmd.exe	36
PID 2124 wrote to memory of 2024	2124	cmd.exe	36
PID 2524 wrote to memory of 1736	2524	TWEAK NVDIA.exe	37
PID 2524 wrote to memory of 1736	2524	TWEAK NVDIA.exe	37
PID 2524 wrote to memory of 1736	2524	TWEAK NVDIA.exe	37
PID 2524 wrote to memory of 1736	2524	TWEAK NVDIA.exe	37
PID 836 wrote to memory of 2428	836	cmd.exe	38
PID 836 wrote to memory of 2428	836	cmd.exe	38
PID 836 wrote to memory of 2428	836	cmd.exe	38
PID 836 wrote to memory of 2428	836	cmd.exe	38
PID 1736 wrote to memory of 2976	1736	Update.exe	39
PID 1736 wrote to memory of 2976	1736	Update.exe	39
PID 1736 wrote to memory of 2976	1736	Update.exe	39
PID 836 wrote to memory of 2584	836	cmd.exe	40
PID 836 wrote to memory of 2584	836	cmd.exe	40
PID 836 wrote to memory of 2584	836	cmd.exe	40
PID 836 wrote to memory of 2584	836	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\TWEAK NVDIA.exe
"C:\Users\Admin\AppData\Local\Temp\TWEAK NVDIA.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\fltMC.exe
    fltmc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "REG_SZ"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat

Filesize
201KB

MD5
061be0f53c7febeb3e363c867b9c128d

SHA1
3629f358e24dddc04c05fdd4b9899f57a8091286

SHA256
58729cdacc6ce4ea7e168a598fd3e29a1d3d017adbf85badbfb6de818b0de45c

SHA512
d1c520e4565ed492f312e8fe611913f013fe2e05539e42f9185271e8a811b50af8a1cd2e5445959c068c5d4adf1633c06d6a387d3b6cb1fa5c5fa84faff31e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
10.8MB

MD5
325bc1091d3aa90371df0e8f9095ab63

SHA1
28084aa70ddd36fe43e9c2078c5438c5048ab0cb

SHA256
097826ecce3278e1da5f0bee44a75a35ef38ca4c56e1f64c43a40c7b47cd9c17

SHA512
3f67b1bd376f3246900be4c7324e82cc71b3c890a87b76c51ea282d8f04db615435152063405c5ed402c88f44ef75b4c0f4260dd958044f96fb7775b11634996

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17362\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
03d486a0c5d5d36f6ab60a879d64fb7b

SHA1
5d39ac5903df2798ea57ead1d2b9094047dc0482

SHA256
dec324418ae226ac1105a62ff1be6654d9d69b19c0a46f6105740009e448fa90

SHA512
3426fd0aa443142bbbcf7fb6e1d5ae3ceabd9c5265c1d938a868c49b30714dbcb294f2de1cb66f9a34ae56de73f23e8b7ae89e324f80b40c1d6696edecc11c98

Download Submit
memory/2976-67-0x000007FEF6450000-0x000007FEF6A38000-memory.dmp

Filesize
5.9MB

Download