59d997be99a32c7645fbcc9422428469b77b9b1a575cf470c4588394c21f438e

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05-08-2023 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

artmoneypro737eng.exe
Size

1.6MB
MD5

f172baa76fe27fb7a98989eeacdec9f5
SHA1

103274066e5f407326b579c2ccba29475c144686
SHA256

59d997be99a32c7645fbcc9422428469b77b9b1a575cf470c4588394c21f438e
SHA512

e7444bc1a1d402a9734aa121f56d5309d267225c02bb00c9418974b2b8cefde11df587da77945fbc27f6b63e6a442775a0250d1a34703b9e3b01281228988fe2
SSDEEP

49152:k2jdzJpKp/TUUxf7zROAELO0Gq/aObPh/W6+u2P2yHRvgt:pjfaTth7IAEipLiPh/W6lA2t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
276	artmoneypro737eng.tmp

Loads dropped DLL 3 IoCs

pid	Process
788	artmoneypro737eng.exe
276	artmoneypro737eng.tmp
276	artmoneypro737eng.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
276	artmoneypro737eng.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 276	788	artmoneypro737eng.exe	28
PID 788 wrote to memory of 276	788	artmoneypro737eng.exe	28
PID 788 wrote to memory of 276	788	artmoneypro737eng.exe	28
PID 788 wrote to memory of 276	788	artmoneypro737eng.exe	28
PID 788 wrote to memory of 276	788	artmoneypro737eng.exe	28
PID 788 wrote to memory of 276	788	artmoneypro737eng.exe	28
PID 788 wrote to memory of 276	788	artmoneypro737eng.exe	28

C:\Users\Admin\AppData\Local\Temp\artmoneypro737eng.exe
"C:\Users\Admin\AppData\Local\Temp\artmoneypro737eng.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788
- C:\Users\Admin\AppData\Local\Temp\is-DKKTN.tmp\artmoneypro737eng.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DKKTN.tmp\artmoneypro737eng.tmp" /SL5="$80124,1456563,50688,C:\Users\Admin\AppData\Local\Temp\artmoneypro737eng.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-DKKTN.tmp\artmoneypro737eng.tmp

Filesize
666KB

MD5
385aa258a917e2085d16b8477fe7685a

SHA1
897d73efffd1c3601cdb4db4d0b747fdaf1b39f2

SHA256
5fc2a69c35f5ef706807d20f570bfaf04f03173d50391fe3210d3a46b554cd41

SHA512
a244c2beebcffae1cde9c7dc3089a98d8414512a6369f25190e3e869f37a9e87278eb790142fd9f2b998b431d80bcb7071d1fb28eba6e96980908ee9ecd867d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DKKTN.tmp\artmoneypro737eng.tmp

Filesize
666KB

MD5
385aa258a917e2085d16b8477fe7685a

SHA1
897d73efffd1c3601cdb4db4d0b747fdaf1b39f2

SHA256
5fc2a69c35f5ef706807d20f570bfaf04f03173d50391fe3210d3a46b554cd41

SHA512
a244c2beebcffae1cde9c7dc3089a98d8414512a6369f25190e3e869f37a9e87278eb790142fd9f2b998b431d80bcb7071d1fb28eba6e96980908ee9ecd867d4

Download Submit
\Users\Admin\AppData\Local\Temp\is-DKKTN.tmp\artmoneypro737eng.tmp

Filesize
666KB

MD5
385aa258a917e2085d16b8477fe7685a

SHA1
897d73efffd1c3601cdb4db4d0b747fdaf1b39f2

SHA256
5fc2a69c35f5ef706807d20f570bfaf04f03173d50391fe3210d3a46b554cd41

SHA512
a244c2beebcffae1cde9c7dc3089a98d8414512a6369f25190e3e869f37a9e87278eb790142fd9f2b998b431d80bcb7071d1fb28eba6e96980908ee9ecd867d4

Download Submit
\Users\Admin\AppData\Local\Temp\is-RFTP7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RFTP7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/276-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/276-72-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/276-73-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/788-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/788-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/788-70-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download