cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07/08/2023, 03:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe
Size

2.5MB
MD5

7d7dc9605abb03a2c0b598797926d1ba
SHA1

6744c5a8ee9d2be8c750f2b95661d2aa9e54e26d
SHA256

cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639
SHA512

a0ab3eff13a8671de6dd86ba60d7b12f84fd3ed94c08a4023219023f8aadc25259c38b53b0473223a500a77f43989e20c06266cd23f94a8c0e8f4133354f4720
SSDEEP

49152:8cbi6c/dgkp0TXw58MWzl3r8yjMCQyr3DpaJ7Vxpmd2l38z4aF:8cbK1AI8BZ7jMCQA3DpaJ7/L+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2404	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2404	2924	cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe	28
PID 2924 wrote to memory of 2404	2924	cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe	28
PID 2924 wrote to memory of 2404	2924	cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe	28
PID 2924 wrote to memory of 2404	2924	cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe	28
PID 2924 wrote to memory of 2404	2924	cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe	28
PID 2924 wrote to memory of 2404	2924	cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe	28
PID 2924 wrote to memory of 2404	2924	cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe	28

C:\Users\Admin\AppData\Local\Temp\cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe
"C:\Users\Admin\AppData\Local\Temp\cc3cf05869bb2d5c82c3c9ebc92853d4125dfe01199bead4efaea035a0d4d639.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /S nfHCJ.w -u
  2⤵
  - Loads dropped DLL
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nfHCJ.w

Filesize
2.3MB

MD5
a5732b1cb868c07c385faece285eff67

SHA1
6160b20d4cbb3708009598df637b6556f1df8ba6

SHA256
f89acc22c624b75318f62f18ddc27a20ffb35eeb90c1f0fd176193c82c6f5718

SHA512
20a67934191c53793b9a21b61cd2a5fd62bf8ba1164998e171e35e5f3fa3d69c2b885cc30cd7f716c74c39cf7dbd6195c69bbd4cdb6b798f7d92fab29c9cc346

Download Submit
\Users\Admin\AppData\Local\Temp\nfhcJ.w

Filesize
2.3MB

MD5
a5732b1cb868c07c385faece285eff67

SHA1
6160b20d4cbb3708009598df637b6556f1df8ba6

SHA256
f89acc22c624b75318f62f18ddc27a20ffb35eeb90c1f0fd176193c82c6f5718

SHA512
20a67934191c53793b9a21b61cd2a5fd62bf8ba1164998e171e35e5f3fa3d69c2b885cc30cd7f716c74c39cf7dbd6195c69bbd4cdb6b798f7d92fab29c9cc346

Download Submit
memory/2404-58-0x0000000001FF0000-0x0000000002234000-memory.dmp

Filesize
2.3MB

Download
memory/2404-59-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/2404-60-0x0000000001FF0000-0x0000000002234000-memory.dmp

Filesize
2.3MB

Download
memory/2404-62-0x0000000002590000-0x0000000002687000-memory.dmp

Filesize
988KB

Download
memory/2404-63-0x0000000002690000-0x000000000276E000-memory.dmp

Filesize
888KB

Download
memory/2404-66-0x0000000002690000-0x000000000276E000-memory.dmp

Filesize
888KB

Download
memory/2404-67-0x0000000002690000-0x000000000276E000-memory.dmp

Filesize
888KB

Download