b3ed1b750bdbdf38732aa17e7de7cdc0518558c7dff51dc45ecf5f72a3972d6a

Analysis

max time kernel
87s
max time network
35s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data64_6.exe
Size

1.8MB
MD5

c0c9fb5cf2f19dacb8d80f29beb18815
SHA1

1cfc351c55d38a27bb1f34f0eefed8165afb9162
SHA256

b3ed1b750bdbdf38732aa17e7de7cdc0518558c7dff51dc45ecf5f72a3972d6a
SHA512

5cc1af2343d35222bbaca28a0673099b7ca2cd335b51fd3598fe0652e2ad952abd26cc88723331c0a1a8f977105d895ab42496f8ab762381f25638b97a77d836
SSDEEP

49152:oeZB+BfJXAE2OnOxTOclrasU+dwXcQxbrpK2CEIhOdJPqEnC:oeZB+BfKERnIO+/dwRQ0UcC

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1764	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1764	1488	data64_6.exe	27
PID 1488 wrote to memory of 1764	1488	data64_6.exe	27
PID 1488 wrote to memory of 1764	1488	data64_6.exe	27
PID 1488 wrote to memory of 1764	1488	data64_6.exe	27
PID 1488 wrote to memory of 1764	1488	data64_6.exe	27
PID 1488 wrote to memory of 1764	1488	data64_6.exe	27
PID 1488 wrote to memory of 1764	1488	data64_6.exe	27

C:\Users\Admin\AppData\Local\Temp\data64_6.exe
"C:\Users\Admin\AppData\Local\Temp\data64_6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -S .\0CTK.CjN /U
  2⤵
  - Loads dropped DLL
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0CTK.CjN

Filesize
1.7MB

MD5
42e8ef10eca9e813231b17dd1c21bae8

SHA1
1459f5c252bef131238c74c1d95d90f7fbde5fd8

SHA256
3f2cf926c6f45e6c1c8a7b5884124f0c4aec9e316ee55f462f113bb0f54d4b07

SHA512
b66f46a4af7cd8737dd785734290b42cf0d60d42217fcf185b668340ef90feb9cb53a71475495a4ac24ab78ca026415a1d7484e2f0aa68049fe6886b9df3210d

Download Submit
\Users\Admin\AppData\Local\Temp\0cTk.CjN

Filesize
1.7MB

MD5
42e8ef10eca9e813231b17dd1c21bae8

SHA1
1459f5c252bef131238c74c1d95d90f7fbde5fd8

SHA256
3f2cf926c6f45e6c1c8a7b5884124f0c4aec9e316ee55f462f113bb0f54d4b07

SHA512
b66f46a4af7cd8737dd785734290b42cf0d60d42217fcf185b668340ef90feb9cb53a71475495a4ac24ab78ca026415a1d7484e2f0aa68049fe6886b9df3210d

Download Submit
memory/1764-58-0x0000000000A80000-0x0000000000C34000-memory.dmp

Filesize
1.7MB

Download
memory/1764-59-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1764-60-0x0000000002FA0000-0x00000000030C1000-memory.dmp

Filesize
1.1MB

Download
memory/1764-61-0x00000000031F0000-0x0000000003311000-memory.dmp

Filesize
1.1MB

Download
memory/1764-62-0x0000000000A80000-0x0000000000C34000-memory.dmp

Filesize
1.7MB

Download
memory/1764-66-0x0000000003320000-0x00000000033E1000-memory.dmp

Filesize
772KB

Download
memory/1764-67-0x0000000002450000-0x00000000024FC000-memory.dmp

Filesize
688KB

Download
memory/1764-70-0x0000000002450000-0x00000000024FC000-memory.dmp

Filesize
688KB

Download
memory/1764-71-0x0000000002450000-0x00000000024FC000-memory.dmp

Filesize
688KB

Download
memory/1764-73-0x00000000031F0000-0x0000000003311000-memory.dmp

Filesize
1.1MB

Download