c6c7b90125551ab23a46f82f853d835d676f37900fc7013a5257e54cd68bd641

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume1/Users/RinuThomas/Documents/Rkays office/PAAET/transas 01-2013 mfc & tgs/david.exe
Size

5.0MB
MD5

0b7e91f3b41138cb3f2d64e9c5024702
SHA1

d34428a3ff632e34d9566287622992c7778a3d49
SHA256

5740a5edda2855db3296990067b808ce7dbf39b781865a3066d6d79d53eed4b5
SHA512

89e5a20ef5e64c009889b2e511d04403ba19597f0a9ae5d7cfaeaeee6fbf261240a9363a968294ab02beed6f9ee729a8ce762af101574bad00fd6f0f509f9052
SSDEEP

98304:wXGCsAPew+X9v0rJO51Iu22Zl0DZoWJ3ti6xPCptk/Eyr+:wXGChPeHaJomZcKDZoWJdCpcr+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3684	david.tmp

Loads dropped DLL 2 IoCs

pid	Process
3684	david.tmp
1848	RunDll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe
1848	RunDll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3684	2744	david.exe	80
PID 2744 wrote to memory of 3684	2744	david.exe	80
PID 2744 wrote to memory of 3684	2744	david.exe	80
PID 3684 wrote to memory of 1848	3684	david.tmp	81
PID 3684 wrote to memory of 1848	3684	david.tmp	81
PID 3684 wrote to memory of 1848	3684	david.tmp	81

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\RinuThomas\Documents\Rkays office\PAAET\transas 01-2013 mfc & tgs\david.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\RinuThomas\Documents\Rkays office\PAAET\transas 01-2013 mfc & tgs\david.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\is-NLO29.tmp\david.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NLO29.tmp\david.tmp" /SL5="$60148,4556773,525312,C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\RinuThomas\Documents\Rkays office\PAAET\transas 01-2013 mfc & tgs\david.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-J6F95.tmp\OCSetupHlp.dll",_OCPRD708OpenCandy2@16 3684
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-J6F95.tmp\OCSetupHlp.dll

Filesize
763KB

MD5
bc7a21bce0f0083e6dbea93d2012f5ce

SHA1
acf31a1642420a2d8abf33d37f0309df283e1004

SHA256
661e38014fcac18543ce5b39454428a1e0439a70cc03c3819ce8f2d4975274b3

SHA512
3da0e05c1bf427de0392bee887317b54d232306fd2833eb84b9a405daab6b2393fec47a4ce96132a27e290575450ceee73a2441875044bd813493c2beefd7ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J6F95.tmp\OCSetupHlp.dll

Filesize
763KB

MD5
bc7a21bce0f0083e6dbea93d2012f5ce

SHA1
acf31a1642420a2d8abf33d37f0309df283e1004

SHA256
661e38014fcac18543ce5b39454428a1e0439a70cc03c3819ce8f2d4975274b3

SHA512
3da0e05c1bf427de0392bee887317b54d232306fd2833eb84b9a405daab6b2393fec47a4ce96132a27e290575450ceee73a2441875044bd813493c2beefd7ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J6F95.tmp\OCSetupHlp.dll

Filesize
763KB

MD5
bc7a21bce0f0083e6dbea93d2012f5ce

SHA1
acf31a1642420a2d8abf33d37f0309df283e1004

SHA256
661e38014fcac18543ce5b39454428a1e0439a70cc03c3819ce8f2d4975274b3

SHA512
3da0e05c1bf427de0392bee887317b54d232306fd2833eb84b9a405daab6b2393fec47a4ce96132a27e290575450ceee73a2441875044bd813493c2beefd7ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NLO29.tmp\david.tmp

Filesize
1.5MB

MD5
60176f68fe54e7bf1768b661a997dca7

SHA1
4d818defc0f8f7a4e04edf8d883105405b24f15b

SHA256
3a411d770671ae1ac2fa430ce954ea3f9c907a0ca0e60b674c63dcf6f78b1659

SHA512
23e93ad386c4d09a9001fa33d9b65fb206d232e95cb32c6e4d3446b5434bff0ede93894d9ec3562585015c373e1c15d8a4fe4d827ae0f9197bed7fb6c4595c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NLO29.tmp\david.tmp

Filesize
1.5MB

MD5
60176f68fe54e7bf1768b661a997dca7

SHA1
4d818defc0f8f7a4e04edf8d883105405b24f15b

SHA256
3a411d770671ae1ac2fa430ce954ea3f9c907a0ca0e60b674c63dcf6f78b1659

SHA512
23e93ad386c4d09a9001fa33d9b65fb206d232e95cb32c6e4d3446b5434bff0ede93894d9ec3562585015c373e1c15d8a4fe4d827ae0f9197bed7fb6c4595c0d

Download Submit
memory/1848-24-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1848-19-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2744-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2744-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3684-7-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3684-23-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3684-22-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/3684-26-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download