d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2023, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe
Size

14.0MB
MD5

093a86e60c1bf0e2f26feebb08928972
SHA1

efe56a936be941d0941894f21febc1c34ebcebdc
SHA256

d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022
SHA512

e61c1e42aebfde7c94d9b4aa3a4c01b2adde76a51f02af99ce2f11fab86dd214dc2d1494888d34bcbf81850e866580bdb3359a01740d8ac72ed428fe0ac7b06e
SSDEEP

393216:Z0EWu+JlmUh0WC5saZdOf2p84t7of1fDLE1f:JL+Hxhyn2fq1f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3948	d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3948	3192	d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe	87
PID 3192 wrote to memory of 3948	3192	d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe	87
PID 3192 wrote to memory of 3948	3192	d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe	87

C:\Users\Admin\AppData\Local\Temp\d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe
"C:\Users\Admin\AppData\Local\Temp\d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\is-4458F.tmp\d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4458F.tmp\d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe.tmp" /SL5="$D0052,14297793,51200,C:\Users\Admin\AppData\Local\Temp\d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe"
  2⤵
  - Executes dropped EXE
  PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4458F.tmp\d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe.tmp

Filesize
654KB

MD5
0a2b40aef3317b345957b3323f055256

SHA1
c5c1e6dedd666e7f08e0092c18ac861b76b1b689

SHA256
c9f440be6dfc340af9eb28f67896ba1c002a7464d5024ddd6f2c72312bd64ece

SHA512
80b121bef8430ba05ec0fa1357e27a0523bba9f3ce41097ee41584342ea7b005a060e8039d74b1f940999890450162f0be6d2371ee3ba4c511ca6ca7dba7edaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4458F.tmp\d7c8074ad199d8b1b9d28fb8c53d40af1b1e96306c6288345dc60a084d1eb022.exe.tmp

Filesize
654KB

MD5
0a2b40aef3317b345957b3323f055256

SHA1
c5c1e6dedd666e7f08e0092c18ac861b76b1b689

SHA256
c9f440be6dfc340af9eb28f67896ba1c002a7464d5024ddd6f2c72312bd64ece

SHA512
80b121bef8430ba05ec0fa1357e27a0523bba9f3ce41097ee41584342ea7b005a060e8039d74b1f940999890450162f0be6d2371ee3ba4c511ca6ca7dba7edaa

Download Submit
memory/3192-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3192-145-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3948-144-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3948-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download