4256abb5b5583aeb5c61937415555657a5ae3b76fcc59657edfcb3bce792f958

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2023 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hdtune_255.exe
Size

627KB
MD5

088812a121e0a9ceb40ce9c808c8a90c
SHA1

08ae99e095a68036fff9bdc89229e78a6393ae6d
SHA256

4256abb5b5583aeb5c61937415555657a5ae3b76fcc59657edfcb3bce792f958
SHA512

c25caebc1bcb2b1a9be42fb6cce1aba0d7d929b53be1f50dbc4ce5c9e8b1b2b3a09affee5b683abfff4b4ae0c8fbf193ce7d69a755e1e6d7b9e6a339b6c8790b
SSDEEP

12288:ymkOy//gnG9b7IiVjtThhnwT4f2BQopW3FBi2xrg8lvsOqH2gOlh:yfOyXiE7Y853e+t/gOL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3084	is-DJIG8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 3084	3080	hdtune_255.exe	83
PID 3080 wrote to memory of 3084	3080	hdtune_255.exe	83
PID 3080 wrote to memory of 3084	3080	hdtune_255.exe	83

C:\Users\Admin\AppData\Local\Temp\hdtune_255.exe
"C:\Users\Admin\AppData\Local\Temp\hdtune_255.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\is-F0OIC.tmp\is-DJIG8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F0OIC.tmp\is-DJIG8.tmp" /SL4 $1B0022 "C:\Users\Admin\AppData\Local\Temp\hdtune_255.exe" 406234 52224
  2⤵
  - Executes dropped EXE
  PID:3084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-F0OIC.tmp\is-DJIG8.tmp

Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F0OIC.tmp\is-DJIG8.tmp

Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
memory/3080-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3080-145-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3084-144-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3084-146-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download