f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807

Analysis

max time kernel
129s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/05/2023, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe
Size

3.3MB
MD5

9528365e5ad2dc971e3d5b0ed038359b
SHA1

e7646d140b23b7c64a7f7443125e868f26a49923
SHA256

f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807
SHA512

998b6a1f22a8731b1bad6916b4c563db96c53066d9151a8894f70db2618e275f18ad19c4f6460c304d36e8aaa3be0131aac6d89b3f341eb06940e9c6c40d7362
SSDEEP

49152:ZVKaJnEJpl/QEQhERjU749aDWiV8QF5c+BJQO8A/eS7PpaHlt9zZv6mK3KeLw8QN:/KaJsl/Qh6U7AiV8u5c4lZpqdUL8N

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
920	f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe
920	f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe
920	f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe
920	f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe
920	f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
920	f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe
920	f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
920	f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe

C:\Users\Admin\AppData\Local\Temp\f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe
"C:\Users\Admin\AppData\Local\Temp\f9b565ac12bd2dd8b8cbd9bcb73c5b6e7138f00e0fa5534de36066fe591df807.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst1097.tmp\IpConfig.dll

Filesize
621KB

MD5
2419181d395587973220f2a9920db3bc

SHA1
6598b3aec9f6eee55295e7823cd8479b657827ec

SHA256
363d46e081d59c02e5694da2fdd2b5a9d72b7c2ace531d262d7c636e0f21f90e

SHA512
4d9dc2a90338e7d0f5a30c31687b5a92788123376db4a0dfec9611eef7f226e1cb37a6627cda0876015fe59b5077a02f4334bac8969babaa320510868ed90f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1097.tmp\netadll.dll

Filesize
1.7MB

MD5
d64189eac7a7fb8e982b9fc0c9a15c62

SHA1
583381fc2bb5c01c7fed8cdeb1ef09f3f26a1ffc

SHA256
179ffea6968d753a2160498c7de4dbf0c62c155424ba2c06c19dcf49b4073283

SHA512
4ce704db3437ec4689016ea6d65aea420defbd31900017c04ce0cd6d75d9c2f3fd831d0389ddfef6bce78205c650c0aadcb93dec5fb50d1cebd7cba7bc4e9008

Download Submit
\Users\Admin\AppData\Local\Temp\nst1097.tmp\IpConfig.dll

Filesize
621KB

MD5
2419181d395587973220f2a9920db3bc

SHA1
6598b3aec9f6eee55295e7823cd8479b657827ec

SHA256
363d46e081d59c02e5694da2fdd2b5a9d72b7c2ace531d262d7c636e0f21f90e

SHA512
4d9dc2a90338e7d0f5a30c31687b5a92788123376db4a0dfec9611eef7f226e1cb37a6627cda0876015fe59b5077a02f4334bac8969babaa320510868ed90f7c

Download Submit
\Users\Admin\AppData\Local\Temp\nst1097.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nst1097.tmp\netadll.dll

Filesize
1.7MB

MD5
d64189eac7a7fb8e982b9fc0c9a15c62

SHA1
583381fc2bb5c01c7fed8cdeb1ef09f3f26a1ffc

SHA256
179ffea6968d753a2160498c7de4dbf0c62c155424ba2c06c19dcf49b4073283

SHA512
4ce704db3437ec4689016ea6d65aea420defbd31900017c04ce0cd6d75d9c2f3fd831d0389ddfef6bce78205c650c0aadcb93dec5fb50d1cebd7cba7bc4e9008

Download Submit
\Users\Admin\AppData\Local\Temp\nst1097.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab73c0c2a23f913eabdc4cb24b75cbad

SHA1
6569d2863d54c88dcf57c843fc310f6d9571a41e

SHA256
3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457

SHA512
99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8

Download Submit
\Users\Admin\AppData\Local\Temp\nst1097.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
memory/920-69-0x0000000000590000-0x00000000005D1000-memory.dmp

Filesize
260KB

Download
memory/920-74-0x0000000010000000-0x00000000100E6000-memory.dmp

Filesize
920KB

Download