1658885122dedc5e759867f51d8147347fa34210dfdbb5a8a93bd06121d04a56

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

14.7MB
MD5

3a225ee4923afdb59cfa5c3e46a82f98
SHA1

425fcede18477d012653c48c08a28ef602fb473e
SHA256

1658885122dedc5e759867f51d8147347fa34210dfdbb5a8a93bd06121d04a56
SHA512

232b2dbbca65288e874f1671077156b94bee7f9760714a39b9358117ee7f270bad45d0e5706a0ae0f07f57ad03bd2c74f80bcd820bfc7ae5b84435f75a9ad4cb
SSDEEP

393216:VFJf8xhCt2eEFs3RmW/DJynk1vgLzFLXm7WD:VmhClusv/l4kRg9b

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2512	setup.exe
1184	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
2076	tmp.exe
2512	setup.exe
2512	setup.exe
2512	setup.exe
2512	setup.exe
2512	setup.exe
2512	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2512	setup.exe
2512	setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2512	2076	tmp.exe	28
PID 2076 wrote to memory of 2512	2076	tmp.exe	28
PID 2076 wrote to memory of 2512	2076	tmp.exe	28
PID 2076 wrote to memory of 2512	2076	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe" "-sfxname=C:\Users\Admin\AppData\Local\Temp\tmp.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HprSnap.exe

Filesize
11.3MB

MD5
89688ae3cbec79485adffb15c69ea01f

SHA1
1f7057a01d6a47bd713e43b5da7eba5ebc00bdeb

SHA256
426e0ab1c529d6a5899fe6226691a4c7730181c6db2700374f69bb2af5f7a1af

SHA512
e95a80226ead55e01890fa00fd3d45e490acdda47917751bfe888a5b99e6ea08d0deae8dcf8987c88459a92ab6f2f03ddc66561438c2243a7a1a6f18c77e9c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
624KB

MD5
c754fa2eb5badc2c841133b30dd004e3

SHA1
d5ecc6acdac2412db16cef50e80661e4760c1415

SHA256
eb51ce24ca7651b66be304308d96f12cd21a967ddcfb4f258ea32762a0fef8d1

SHA512
1f29da4456b28395dc0b57bf87880cfdbe42ae5a3b4ca110e7bde6619b9602d4afa8291a7e86f26bd7af2082e8ba2f2ecaf9b64828e74456ad317d005fcac03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
94KB

MD5
6e34fc4a713c3fbd88e47ac188d2540d

SHA1
1877a17da406d147566168c56aac1eb576782b37

SHA256
d8faf8ebf360ed0b3b1a43877a04863f7e044b3d19b641d88737e0829d683b36

SHA512
848a1d9602210d7da0f6e4d7817af08dc02baac7eccf1cfaadaf3a24b55e1316e77c40672a6a1195797e525f448817e534ae200e99cdf548ee64a7996fbcec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll

Filesize
36KB

MD5
d76532f224b6648179b77525326e8754

SHA1
cb0a90adf84b9c19e750b166789452693f031053

SHA256
0d8217dbb0d52a3f8cd233b089131ca19aa6e0fc0c0fb10081f3c50761f5d15e

SHA512
721b4f0f55fbeefa394d3471c66d32e2f0f452f9977987450b1662b8e2e9a88d1b9c014b5f2a4b378d99f6fe4de6b5810f8b00157ae25b0de2a3bf3e211ea2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mfc140u.dll

Filesize
5.4MB

MD5
09d45d46f97b1b08450b58c943803746

SHA1
a9a8a6cd7df5035ec70fd931e18e8bc12dc990ff

SHA256
183c851a0dc535066811f33c16555f6319ffaacacd04d346758769931f61b19a

SHA512
02400b48b85837f6b9040bd896d632fcd98833177c9646989aff9ee95952a48378def03c3ad1f5611d77ca01c92f6bf13f5d54a73f3961c551a393d0f0933b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.5MB

MD5
8efa6d7a735e0ca6da719df3a532f312

SHA1
03b84953880737dee305b82cf6b7766d379d4162

SHA256
088b82ed18e501eb6806852c46eb91ed5ce4845a58bdd64e81ea52e70f66acd6

SHA512
35764ef8f230b90144363bc786e429a9e774af03b6fd962968097edb9fcb03f76b6edc16baf6bfdda79f311932279281b93b9a902eb0eb7fe3a897d4ff648011

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.5MB

MD5
8efa6d7a735e0ca6da719df3a532f312

SHA1
03b84953880737dee305b82cf6b7766d379d4162

SHA256
088b82ed18e501eb6806852c46eb91ed5ce4845a58bdd64e81ea52e70f66acd6

SHA512
35764ef8f230b90144363bc786e429a9e774af03b6fd962968097edb9fcb03f76b6edc16baf6bfdda79f311932279281b93b9a902eb0eb7fe3a897d4ff648011

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\HprSnap.exe

Filesize
11.3MB

MD5
89688ae3cbec79485adffb15c69ea01f

SHA1
1f7057a01d6a47bd713e43b5da7eba5ebc00bdeb

SHA256
426e0ab1c529d6a5899fe6226691a4c7730181c6db2700374f69bb2af5f7a1af

SHA512
e95a80226ead55e01890fa00fd3d45e490acdda47917751bfe888a5b99e6ea08d0deae8dcf8987c88459a92ab6f2f03ddc66561438c2243a7a1a6f18c77e9c29

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\HprSnap.exe

Filesize
11.3MB

MD5
89688ae3cbec79485adffb15c69ea01f

SHA1
1f7057a01d6a47bd713e43b5da7eba5ebc00bdeb

SHA256
426e0ab1c529d6a5899fe6226691a4c7730181c6db2700374f69bb2af5f7a1af

SHA512
e95a80226ead55e01890fa00fd3d45e490acdda47917751bfe888a5b99e6ea08d0deae8dcf8987c88459a92ab6f2f03ddc66561438c2243a7a1a6f18c77e9c29

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mfc140u.dll

Filesize
5.4MB

MD5
09d45d46f97b1b08450b58c943803746

SHA1
a9a8a6cd7df5035ec70fd931e18e8bc12dc990ff

SHA256
183c851a0dc535066811f33c16555f6319ffaacacd04d346758769931f61b19a

SHA512
02400b48b85837f6b9040bd896d632fcd98833177c9646989aff9ee95952a48378def03c3ad1f5611d77ca01c92f6bf13f5d54a73f3961c551a393d0f0933b32

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll

Filesize
624KB

MD5
c754fa2eb5badc2c841133b30dd004e3

SHA1
d5ecc6acdac2412db16cef50e80661e4760c1415

SHA256
eb51ce24ca7651b66be304308d96f12cd21a967ddcfb4f258ea32762a0fef8d1

SHA512
1f29da4456b28395dc0b57bf87880cfdbe42ae5a3b4ca110e7bde6619b9602d4afa8291a7e86f26bd7af2082e8ba2f2ecaf9b64828e74456ad317d005fcac03b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.5MB

MD5
8efa6d7a735e0ca6da719df3a532f312

SHA1
03b84953880737dee305b82cf6b7766d379d4162

SHA256
088b82ed18e501eb6806852c46eb91ed5ce4845a58bdd64e81ea52e70f66acd6

SHA512
35764ef8f230b90144363bc786e429a9e774af03b6fd962968097edb9fcb03f76b6edc16baf6bfdda79f311932279281b93b9a902eb0eb7fe3a897d4ff648011

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.5MB

MD5
8efa6d7a735e0ca6da719df3a532f312

SHA1
03b84953880737dee305b82cf6b7766d379d4162

SHA256
088b82ed18e501eb6806852c46eb91ed5ce4845a58bdd64e81ea52e70f66acd6

SHA512
35764ef8f230b90144363bc786e429a9e774af03b6fd962968097edb9fcb03f76b6edc16baf6bfdda79f311932279281b93b9a902eb0eb7fe3a897d4ff648011

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

Filesize
94KB

MD5
6e34fc4a713c3fbd88e47ac188d2540d

SHA1
1877a17da406d147566168c56aac1eb576782b37

SHA256
d8faf8ebf360ed0b3b1a43877a04863f7e044b3d19b641d88737e0829d683b36

SHA512
848a1d9602210d7da0f6e4d7817af08dc02baac7eccf1cfaadaf3a24b55e1316e77c40672a6a1195797e525f448817e534ae200e99cdf548ee64a7996fbcec4f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
36KB

MD5
d76532f224b6648179b77525326e8754

SHA1
cb0a90adf84b9c19e750b166789452693f031053

SHA256
0d8217dbb0d52a3f8cd233b089131ca19aa6e0fc0c0fb10081f3c50761f5d15e

SHA512
721b4f0f55fbeefa394d3471c66d32e2f0f452f9977987450b1662b8e2e9a88d1b9c014b5f2a4b378d99f6fe4de6b5810f8b00157ae25b0de2a3bf3e211ea2fc

Download Submit