ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b19e3c2a84adc5cb0e8246430cd289fa.exe
Size

2.7MB
MD5

b19e3c2a84adc5cb0e8246430cd289fa
SHA1

b0736c9c4dc2d1013f3794a604efa965b1cd0cb4
SHA256

ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd
SHA512

20cacd684b73d64ec36b9fe1ca6d197c374ab832d079d7756b50f6ef11dba0348bcd6088e2c987dc89f689e1919a4942848d0b3936898c715bbcd8da25438e29
SSDEEP

49152:mDkUrjrxRvdRVQioFIG5Ethdc2tg9eLJshFttFRMHWJDyxgTF1:m4UT4FRuUss/t1iQ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2888	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2888	2676	b19e3c2a84adc5cb0e8246430cd289fa.exe	28
PID 2676 wrote to memory of 2888	2676	b19e3c2a84adc5cb0e8246430cd289fa.exe	28
PID 2676 wrote to memory of 2888	2676	b19e3c2a84adc5cb0e8246430cd289fa.exe	28
PID 2676 wrote to memory of 2888	2676	b19e3c2a84adc5cb0e8246430cd289fa.exe	28
PID 2676 wrote to memory of 2888	2676	b19e3c2a84adc5cb0e8246430cd289fa.exe	28
PID 2676 wrote to memory of 2888	2676	b19e3c2a84adc5cb0e8246430cd289fa.exe	28
PID 2676 wrote to memory of 2888	2676	b19e3c2a84adc5cb0e8246430cd289fa.exe	28

C:\Users\Admin\AppData\Local\Temp\b19e3c2a84adc5cb0e8246430cd289fa.exe
"C:\Users\Admin\AppData\Local\Temp\b19e3c2a84adc5cb0e8246430cd289fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -S A1Unza.I9E /u
  2⤵
  - Loads dropped DLL
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1Unza.I9E

Filesize
2.6MB

MD5
3d2d034ee85ad8f4c805a12a7bb54e92

SHA1
9ccff644f48923eb085b6147d0e33380dd6d3312

SHA256
4c9133694686d67bcfebb2fceb8253de4c2abfd5e6e9b36e3948a7a1ce688760

SHA512
5786df03cc283f832b3670f7669a0d02be8c15b0e761ec158847f7788b07ac8d4332be0e57924dab687a5448a53a9587aaf630b41f42d21754d98c9156488bbc

Download Submit
\Users\Admin\AppData\Local\Temp\A1unza.i9E

Filesize
2.6MB

MD5
3d2d034ee85ad8f4c805a12a7bb54e92

SHA1
9ccff644f48923eb085b6147d0e33380dd6d3312

SHA256
4c9133694686d67bcfebb2fceb8253de4c2abfd5e6e9b36e3948a7a1ce688760

SHA512
5786df03cc283f832b3670f7669a0d02be8c15b0e761ec158847f7788b07ac8d4332be0e57924dab687a5448a53a9587aaf630b41f42d21754d98c9156488bbc

Download Submit
memory/2888-4-0x0000000001F70000-0x0000000002206000-memory.dmp

Filesize
2.6MB

Download
memory/2888-5-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2888-6-0x0000000001F70000-0x0000000002206000-memory.dmp

Filesize
2.6MB

Download
memory/2888-10-0x0000000002670000-0x0000000002771000-memory.dmp

Filesize
1.0MB

Download
memory/2888-11-0x0000000002780000-0x0000000002867000-memory.dmp

Filesize
924KB

Download
memory/2888-14-0x0000000002780000-0x0000000002867000-memory.dmp

Filesize
924KB

Download
memory/2888-15-0x0000000002780000-0x0000000002867000-memory.dmp

Filesize
924KB

Download