ed214e9a6566a5d8cdd51d9cdb70d62faf96278706faee70d6aa2a4521e0937b

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Agenzia/Agenzia.url
Size

198B
MD5

8255e59c6627179ac30097e560a27251
SHA1

6d9450bf771036d2437830ad2c1298a2039c9042
SHA256

ac62dd1a56f4c94f7c8ef5764eefd66a9ddc7fe0d6335d2db15486a7410a1003
SHA512

64472b0984cafb121e9603b13ca14438e9f126e75815e0c4712a110e18fd093015e6c5b06a0f92c7e14abcf10fb9908f38a80818acbeee1f4c7a003f89343d30

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
936	msdt.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1732	1976	rundll32.exe	28
PID 1976 wrote to memory of 1732	1976	rundll32.exe	28
PID 1976 wrote to memory of 1732	1976	rundll32.exe	28
PID 1732 wrote to memory of 936	1732	rundll32.exe	29
PID 1732 wrote to memory of 936	1732	rundll32.exe	29
PID 1732 wrote to memory of 936	1732	rundll32.exe	29

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Agenzia\Agenzia.url
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDF40.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\msdt.exe
    -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF40.tmp -ep NetworkDiagnosticsSharing
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:936

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NDF40.tmp

Filesize
2KB

MD5
8de22e4abca392723dfeebfbbc9faad2

SHA1
abe71d09186e64f2fd99d406763a0f77d38d40e0

SHA256
03b7e8c8b7207547d269503665c1f1268cb43c5f8075f3957c77d175fd7ce3e5

SHA512
4e441a0b7703f17c07b28680e203bb094971b68bfe6d84dce7998d17c59cc17814325930b302206aa9e327e0b01e6ce42e1b4187bd68e2175b8e8d4aa50589b3

Download Submit
C:\Windows\TEMP\SDIAG_3912bc50-ce56-4b04-a4f0-0ccc43228c54\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_3912bc50-ce56-4b04-a4f0-0ccc43228c54\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_3912bc50-ce56-4b04-a4f0-0ccc43228c54\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_3912bc50-ce56-4b04-a4f0-0ccc43228c54\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
memory/1140-60-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

Filesize
10.1MB

Download
memory/1140-61-0x000007FEF3330000-0x000007FEF3E8D000-memory.dmp

Filesize
11.4MB

Download
memory/1140-66-0x000007FEED550000-0x000007FEEE5E6000-memory.dmp

Filesize
16.6MB

Download
memory/1976-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download