34650d70d65d7c22d59406b537e7300b345510d3829e22ca400ac23e9cebff1f

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23-08-2023 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

872KB
MD5

c56b5f0201a3b3de53e561fe76912bfd
SHA1

2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256

237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512

195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
SSDEEP

12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs

description	pid	Process	procid_target
PID 2220 created 1140	2220	1.exe	16
PID 2220 created 1244	2220	1.exe	9
PID 2220 created 1140	2220	1.exe	16
PID 2220 created 1140	2220	1.exe	16
PID 2220 created 1244	2220	1.exe	9
PID 2220 created 1140	2220	1.exe	16
PID 2220 created 1244	2220	1.exe	9
PID 2220 created 1244	2220	1.exe	9
PID 2220 created 1244	2220	1.exe	9
PID 2220 created 1476	2220	1.exe	13
PID 2220 created 1244	2220	1.exe	9
PID 2220 created 1476	2220	1.exe	13
PID 2220 created 1140	2220	1.exe	16
PID 1076 created 1244	1076	AcroRd32.exe	9

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kaaccbe.lnk	AcroRd32.exe

Executes dropped EXE 2 IoCs

pid	Process
1980	Advanced_IP_Scanner_2.5.4594.1.exe
2556	Advanced_IP_Scanner_2.5.4594.1.tmp

Loads dropped DLL 8 IoCs

pid	Process
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1980	Advanced_IP_Scanner_2.5.4594.1.exe
2556	Advanced_IP_Scanner_2.5.4594.1.tmp
2556	Advanced_IP_Scanner_2.5.4594.1.tmp
2556	Advanced_IP_Scanner_2.5.4594.1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
2220	1.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1592	mip.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28
PID 2220 wrote to memory of 1076	2220	1.exe	28

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1244
- C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
  "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1476

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\is-TR3R5.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TR3R5.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp" /SL5="$201EE,20439558,139776,C:\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2556

C:\Users\Admin\AppData\Local\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\1.exe 1.au3
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abcccff\ebdhhad\kfdchfg

Filesize
133B

MD5
a8df23f70400ccda098009f22aac3ce2

SHA1
54165094982abfc7996043a62daf95290e400663

SHA256
96e8025855b6b3dce7005fb8cf89090121eefecc4bc8a6047261b311f9fa643e

SHA512
61cd2f4b75277af787485b06bde7e2c06174db76d71f081e74b6e5b7ad48b4952ef1c3b9fd57b11d0bbf0f71841cc64cd2ec478b8a5571f7712b100ad727a0ad

Download Submit
C:\ProgramData\abcccff\ebdhhad\kfdchfg

Filesize
133B

MD5
8f1837791a985aaf37c2d9686210dbcb

SHA1
0fda366932d76b3bc684b5bd5de462f370f99f02

SHA256
8646f926db6d4adb6a9a939013d2b141d0fcce081195c9d09ecda37ad1e38076

SHA512
743b04e729d9a82b7e2f4e6bc1b3199e4a5e13ebd433343ad3c34ab24de32c8fdc45637a2396ed668b6f0d71ba726ad7dadb7353f46b518a521c046ea39a7132

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe

Filesize
20.1MB

MD5
5537c708edb9a2c21f88e34e8a0f1744

SHA1
86233a285363c2a6863bf642deab7e20f062b8eb

SHA256
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b

SHA512
35f44c0df4635a1020f52743d7cf3e4346d1bdf9010161326e572250ac93e0285b202532a07d2db8dbc67f6f0ced864083769e904bd5d82611244339ca8d31a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe

Filesize
20.1MB

MD5
5537c708edb9a2c21f88e34e8a0f1744

SHA1
86233a285363c2a6863bf642deab7e20f062b8eb

SHA256
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b

SHA512
35f44c0df4635a1020f52743d7cf3e4346d1bdf9010161326e572250ac93e0285b202532a07d2db8dbc67f6f0ced864083769e904bd5d82611244339ca8d31a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe

Filesize
20.1MB

MD5
5537c708edb9a2c21f88e34e8a0f1744

SHA1
86233a285363c2a6863bf642deab7e20f062b8eb

SHA256
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b

SHA512
35f44c0df4635a1020f52743d7cf3e4346d1bdf9010161326e572250ac93e0285b202532a07d2db8dbc67f6f0ced864083769e904bd5d82611244339ca8d31a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TR3R5.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp

Filesize
1.1MB

MD5
b87639f9a6cf5ba8c9e1f297c5745a67

SHA1
ce4758849b53af582d2d8a1bc0db20683e139fcc

SHA256
ec8252a333f68865160e26dc95607f2c49af00f78c657f7f8417ab9d86e90bf7

SHA512
9626fc4aa4604eee7ededa62b9dc78a3f6fe388eaf1fa6c916a3715b0dff65c417eede156d82398c2400977a36457122565e15e0ed0e435b28cb9f796005c1c0

Download Submit
\??\c:\temp\eegfafa.au3

Filesize
784KB

MD5
855603284271a6ae0959ab22fb097423

SHA1
11b319ab7681b49aadc00f9171219c9daaef740c

SHA256
6443baf58b483fe9c4885ee29ab4ca9c2517742b7fcd7d7320651fd6e45682c0

SHA512
bf4d9a1078a4827e5756f45c976e358c551c179c089896c6afdb4373a98b0d44b9f89adc6fe2f41090c3a5fc0d7cc9284f64cba1dbb9a5f904bfc6c221e56c4b

Download Submit
\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe

Filesize
20.1MB

MD5
5537c708edb9a2c21f88e34e8a0f1744

SHA1
86233a285363c2a6863bf642deab7e20f062b8eb

SHA256
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b

SHA512
35f44c0df4635a1020f52743d7cf3e4346d1bdf9010161326e572250ac93e0285b202532a07d2db8dbc67f6f0ced864083769e904bd5d82611244339ca8d31a1

Download Submit
\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe

Filesize
20.1MB

MD5
5537c708edb9a2c21f88e34e8a0f1744

SHA1
86233a285363c2a6863bf642deab7e20f062b8eb

SHA256
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b

SHA512
35f44c0df4635a1020f52743d7cf3e4346d1bdf9010161326e572250ac93e0285b202532a07d2db8dbc67f6f0ced864083769e904bd5d82611244339ca8d31a1

Download Submit
\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe

Filesize
20.1MB

MD5
5537c708edb9a2c21f88e34e8a0f1744

SHA1
86233a285363c2a6863bf642deab7e20f062b8eb

SHA256
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b

SHA512
35f44c0df4635a1020f52743d7cf3e4346d1bdf9010161326e572250ac93e0285b202532a07d2db8dbc67f6f0ced864083769e904bd5d82611244339ca8d31a1

Download Submit
\Users\Admin\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe

Filesize
20.1MB

MD5
5537c708edb9a2c21f88e34e8a0f1744

SHA1
86233a285363c2a6863bf642deab7e20f062b8eb

SHA256
26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b

SHA512
35f44c0df4635a1020f52743d7cf3e4346d1bdf9010161326e572250ac93e0285b202532a07d2db8dbc67f6f0ced864083769e904bd5d82611244339ca8d31a1

Download Submit
\Users\Admin\AppData\Local\Temp\is-PC596.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PC596.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PC596.tmp\aips_is_install_dll.dll

Filesize
149KB

MD5
57e73855fad786a59893d6581e9fb5b9

SHA1
630e52b9e88a05add68401bd62790ed8e2c3282a

SHA256
3a7a8aa906c65124c4ee82aacb81d723ce69864ccaf041f631b8131de59e4a88

SHA512
be0cf0925535dd667488175f2eac660d1ebf8429ce6725252c59fb70b00fc2f21b1e0b7ce632eaa53337ae25e44c641e13a3df0b415724498d30daf00b296f4d

Download Submit
\Users\Admin\AppData\Local\Temp\is-TR3R5.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp

Filesize
1.1MB

MD5
b87639f9a6cf5ba8c9e1f297c5745a67

SHA1
ce4758849b53af582d2d8a1bc0db20683e139fcc

SHA256
ec8252a333f68865160e26dc95607f2c49af00f78c657f7f8417ab9d86e90bf7

SHA512
9626fc4aa4604eee7ededa62b9dc78a3f6fe388eaf1fa6c916a3715b0dff65c417eede156d82398c2400977a36457122565e15e0ed0e435b28cb9f796005c1c0

Download Submit
memory/1076-8-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1076-651-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/1076-612-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/1076-9-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1592-1255-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/1592-1261-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/1592-631-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1592-629-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1980-1278-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1980-1289-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-1-0x0000000000A30000-0x0000000000E30000-memory.dmp

Filesize
4.0MB

Download
memory/2220-613-0x0000000003210000-0x00000000033EC000-memory.dmp

Filesize
1.9MB

Download
memory/2220-24-0x0000000003210000-0x00000000033EC000-memory.dmp

Filesize
1.9MB

Download
memory/2220-19-0x0000000000A30000-0x0000000000E30000-memory.dmp

Filesize
4.0MB

Download
memory/2220-6-0x0000000003210000-0x00000000033EC000-memory.dmp

Filesize
1.9MB

Download
memory/2220-3-0x0000000003210000-0x00000000033EC000-memory.dmp

Filesize
1.9MB

Download
memory/2220-2-0x00000000029E0000-0x0000000002AD5000-memory.dmp

Filesize
980KB

Download
memory/2556-1287-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2556-1291-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download