00067420b54fdefba5d318fd79b503104b34df26e7c145c205e6ee9831470cfc

General

Target

documento.url
Size

196B
MD5

8ae8e3e7e084d65f38a212d6547ebafb
SHA1

e42593279c0a27667326435870d64da6fe8517f7
SHA256

00067420b54fdefba5d318fd79b503104b34df26e7c145c205e6ee9831470cfc
SHA512

2d5b51ea60d70449962db208730c7d58ff0e9d36920ca6a964d429d46aa482bb8b7c204c09ae2c7ec57eed9c82210d84d1c163d818be888c3a7444964a0ca4b7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2188	msdt.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2276	2084	rundll32.exe	29
PID 2084 wrote to memory of 2276	2084	rundll32.exe	29
PID 2084 wrote to memory of 2276	2084	rundll32.exe	29
PID 2276 wrote to memory of 2188	2276	rundll32.exe	30
PID 2276 wrote to memory of 2188	2276	rundll32.exe	30
PID 2276 wrote to memory of 2188	2276	rundll32.exe	30

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\documento.url
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDF6836.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\msdt.exe
    -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF6836.tmp -ep NetworkDiagnosticsSharing
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2188

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2023070507.000\NetworkDiagnostics.0.debugreport.xml

Filesize
64KB

MD5
a0e1ea0e552f22dc22b063d1ec265d4c

SHA1
8a0a77b7ea085181fcef37268261c71f5e779708

SHA256
adbc22fc61bc23981dca65f83296205a37a12e76892c22d1ef3f3a9419fe4138

SHA512
4ad04daf73aac94ab70935fb6cf2a8d2ed223d2031f676273b82f376c1bf4f384e2e389dd47430cbb62e7eb3b147bc1a96c50cf46e9a0e303b6a57a71f617180

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF6836.tmp

Filesize
2KB

MD5
4c8dc11a8381a62883a77274c51e00af

SHA1
8fa7564e0c044d28afb03765769093efe51e9339

SHA256
e81832461872e410845a41020671b4cdc0e865a7271a80c72523954aad13db81

SHA512
3be66eea64890e58bfb43dfeeaa96e090f57c7dec62a4cf40db828fdcf69a8dd7e66e80a3f2ff3b2fab21f32cea94ed89c6cfbabf018d837b131f56fc8adc36c

Download Submit
C:\Windows\TEMP\SDIAG_03c7ccf4-1831-4a35-b176-61192b125fe9\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_03c7ccf4-1831-4a35-b176-61192b125fe9\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_03c7ccf4-1831-4a35-b176-61192b125fe9\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_03c7ccf4-1831-4a35-b176-61192b125fe9\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_03c7ccf4-1831-4a35-b176-61192b125fe9\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_03c7ccf4-1831-4a35-b176-61192b125fe9\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
memory/1588-412-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/1588-417-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2084-54-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2188-411-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing