cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24/07/2023, 08:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a.exe
Size

272KB
MD5

98560ac66abb8cd49d392a94bdd3f800
SHA1

536252aac2c6c5af30d875d68faca5e7ec29fb58
SHA256

cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a
SHA512

e029bd4a147f9de064790003bdbf6d4528e124bc84936d41e97bdc75123c950dfa5e516c6ce1aafeaf53d2693245ec5f301a4b6bff39164b2b88a99915866da3
SSDEEP

6144:qmuKwDfd8qa+7yfxuhCtzV3eL+kxxODGrRWjH:DtefDOtzN+ZjO6rw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	Un_A.exe

Loads dropped DLL 3 IoCs

pid	Process
1600	cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a.exe
2672	Un_A.exe
2672	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2672	Un_A.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2672	1600	cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a.exe	28
PID 1600 wrote to memory of 2672	1600	cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a.exe	28
PID 1600 wrote to memory of 2672	1600	cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a.exe	28
PID 1600 wrote to memory of 2672	1600	cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a.exe	28

C:\Users\Admin\AppData\Local\Temp\cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a.exe
"C:\Users\Admin\AppData\Local\Temp\cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdB980.tmp\KillProcDLL.dll

Filesize
36KB

MD5
1cc87d2b5a79b18f133b4f944e2f2f74

SHA1
98e0ddb727c76e06be1668434d754e5b80a0c154

SHA256
de1177a4bd1c56c3555f366d40b37d7dd9cb25e16c4973d0a4d22bf9a8af7aed

SHA512
d8fee1c09fef9af4e1f38baaffa3a6d059713b14ecad900815c086cc22855644fcdeacd6bba31ea6e6925831e650f7b0d34e6dea4c57a978fb4f5bf0cd6d72a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB980.tmp\StdUtils.dll

Filesize
98KB

MD5
b7f044787bb5a0c1eb43907c061c1ac0

SHA1
84675f05e0e406482a688c61e0dee35b9a8fb390

SHA256
4787e95796035dda92a6cbff56ffddde5ace96f5e46f0f40d2998189ccd6e7ce

SHA512
7f0ebc15ee74050a8b493f2c944fc6551056efedde60193be76d4115d28b10f06cc9a859cb42135deee56d614d2ca90e432627f30432d303320dd41fc7fcde6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
272KB

MD5
98560ac66abb8cd49d392a94bdd3f800

SHA1
536252aac2c6c5af30d875d68faca5e7ec29fb58

SHA256
cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a

SHA512
e029bd4a147f9de064790003bdbf6d4528e124bc84936d41e97bdc75123c950dfa5e516c6ce1aafeaf53d2693245ec5f301a4b6bff39164b2b88a99915866da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
272KB

MD5
98560ac66abb8cd49d392a94bdd3f800

SHA1
536252aac2c6c5af30d875d68faca5e7ec29fb58

SHA256
cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a

SHA512
e029bd4a147f9de064790003bdbf6d4528e124bc84936d41e97bdc75123c950dfa5e516c6ce1aafeaf53d2693245ec5f301a4b6bff39164b2b88a99915866da3

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB980.tmp\KillProcDLL.dll

Filesize
36KB

MD5
1cc87d2b5a79b18f133b4f944e2f2f74

SHA1
98e0ddb727c76e06be1668434d754e5b80a0c154

SHA256
de1177a4bd1c56c3555f366d40b37d7dd9cb25e16c4973d0a4d22bf9a8af7aed

SHA512
d8fee1c09fef9af4e1f38baaffa3a6d059713b14ecad900815c086cc22855644fcdeacd6bba31ea6e6925831e650f7b0d34e6dea4c57a978fb4f5bf0cd6d72a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB980.tmp\StdUtils.dll

Filesize
98KB

MD5
b7f044787bb5a0c1eb43907c061c1ac0

SHA1
84675f05e0e406482a688c61e0dee35b9a8fb390

SHA256
4787e95796035dda92a6cbff56ffddde5ace96f5e46f0f40d2998189ccd6e7ce

SHA512
7f0ebc15ee74050a8b493f2c944fc6551056efedde60193be76d4115d28b10f06cc9a859cb42135deee56d614d2ca90e432627f30432d303320dd41fc7fcde6f

Download Submit
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
272KB

MD5
98560ac66abb8cd49d392a94bdd3f800

SHA1
536252aac2c6c5af30d875d68faca5e7ec29fb58

SHA256
cf46fce43b4932f468c7486db629642b6db73d6abff2fbd3e3dae5852c0a6c4a

SHA512
e029bd4a147f9de064790003bdbf6d4528e124bc84936d41e97bdc75123c950dfa5e516c6ce1aafeaf53d2693245ec5f301a4b6bff39164b2b88a99915866da3

Download Submit