35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027.exe
Size

275KB
MD5

92c4b1f89a4d4541fd0311154061b21b
SHA1

0fbf5715d6ee028f79defb423cee1acefdbe8436
SHA256

35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027
SHA512

c768e6e7d3c58e709b7f936c5b7fe19e6a7925451f1f8eda2bf3b4d77e56d6a6c3de154b74a449ea7b44d8d190b839db4b7f77c6ea34e4fbff191ab36d79b39f
SSDEEP

3072:e1NjcVVnLpPuJkrcD7pTZ4aF0jtIhXs5/+EA3nb13V5Ps5PLnJfRgFCUgiDlrs4d:mNeZDwfpT63mEa1bQJgrUTkKIoYRegq8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2916	Un_A.exe

Loads dropped DLL 3 IoCs

pid	Process
2916	Un_A.exe
2916	Un_A.exe
2916	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2916	Un_A.exe
2916	Un_A.exe
2916	Un_A.exe
2916	Un_A.exe
2916	Un_A.exe
2916	Un_A.exe
2916	Un_A.exe
2916	Un_A.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2916	3988	35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027.exe	83
PID 3988 wrote to memory of 2916	3988	35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027.exe	83
PID 3988 wrote to memory of 2916	3988	35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027.exe	83
PID 2916 wrote to memory of 4984	2916	Un_A.exe	89
PID 2916 wrote to memory of 4984	2916	Un_A.exe	89
PID 2916 wrote to memory of 4984	2916	Un_A.exe	89

C:\Users\Admin\AppData\Local\Temp\35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027.exe
"C:\Users\Admin\AppData\Local\Temp\35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\TutkSource.dll"
    3⤵
    PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy9AF9.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy9AF9.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy9AF9.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy9AF9.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
275KB

MD5
92c4b1f89a4d4541fd0311154061b21b

SHA1
0fbf5715d6ee028f79defb423cee1acefdbe8436

SHA256
35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027

SHA512
c768e6e7d3c58e709b7f936c5b7fe19e6a7925451f1f8eda2bf3b4d77e56d6a6c3de154b74a449ea7b44d8d190b839db4b7f77c6ea34e4fbff191ab36d79b39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
275KB

MD5
92c4b1f89a4d4541fd0311154061b21b

SHA1
0fbf5715d6ee028f79defb423cee1acefdbe8436

SHA256
35df01c856119d78e71e2a047fffc44dbe47c35d21fbbd31fea830dca44be027

SHA512
c768e6e7d3c58e709b7f936c5b7fe19e6a7925451f1f8eda2bf3b4d77e56d6a6c3de154b74a449ea7b44d8d190b839db4b7f77c6ea34e4fbff191ab36d79b39f

Download Submit