9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-05-2023 07:14

Target

72f99c537d61d38a113e121348cce0dd.exe
Size

248KB
MD5

72f99c537d61d38a113e121348cce0dd
SHA1

cd0fe8ef6c8710ff25e1a80e0fbb2950f336f705
SHA256

9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae
SHA512

7a718c91246ff0192670dbc377c1b7dc9c96049b33145df28ab2cbaa6ac26c64decb43926b5523c6de327416faf4ad234096e090dffcc18e6bc8bc384b04476e
SSDEEP

6144:/Ya69yR2Ibj4TC/aVucDdIM5qdwQ7jsXyZzCuBI0V7DI:/YvyR3CqaocdrodB4iJCaI0V/I

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1048	72f99c537d61d38a113e121348cce0dd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 280	1048	72f99c537d61d38a113e121348cce0dd.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
280	72f99c537d61d38a113e121348cce0dd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1048	72f99c537d61d38a113e121348cce0dd.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 280	1048	72f99c537d61d38a113e121348cce0dd.exe	28
PID 1048 wrote to memory of 280	1048	72f99c537d61d38a113e121348cce0dd.exe	28
PID 1048 wrote to memory of 280	1048	72f99c537d61d38a113e121348cce0dd.exe	28
PID 1048 wrote to memory of 280	1048	72f99c537d61d38a113e121348cce0dd.exe	28
PID 1048 wrote to memory of 280	1048	72f99c537d61d38a113e121348cce0dd.exe	28

C:\Users\Admin\AppData\Local\Temp\72f99c537d61d38a113e121348cce0dd.exe
"C:\Users\Admin\AppData\Local\Temp\72f99c537d61d38a113e121348cce0dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\72f99c537d61d38a113e121348cce0dd.exe
  "C:\Users\Admin\AppData\Local\Temp\72f99c537d61d38a113e121348cce0dd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:280

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\nsd1E7.tmp\jeribpxso.dll

Filesize
4KB

MD5
4ec0a8f45268658f197152b62a049bf6

SHA1
f5fef07216ac47f9d136f5b7bc7399623e3c1005

SHA256
f3595256f922b81a60ab51da9a6432f0001ef03902574c05d7ea06b87c83dd51

SHA512
1d1d623570733546f9e0bd5e569b34c91a303fd2dca2af029b286d3924928112ebf1a4a5e93d593d8149db8e8be3e735b4388cdb286f24ca4f56a5ba5bcf4e7e

Download Submit
memory/280-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/280-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/280-64-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download