295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe
Size

1.8MB
MD5

1550223343412e825e990ad6a379bbac
SHA1

74c8ae505ea7903d1f64b32d9d99c45384d5108a
SHA256

295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6
SHA512

12735f088d28f1f37ded33ba485d1664162ad929f1dee2f934f7eb93fd9460736e0a56de5c2013b3a4a69a56b29af477a03e80b32062a887397636755f48857c
SSDEEP

49152:mDkUrjQM48biu1p45Hvs6wnwi3GBQnkJUwKcIwMtv/ifY2jm:m4U14Ic5OWPzKcqvqpm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2912	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2912	1580	295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe	28
PID 1580 wrote to memory of 2912	1580	295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe	28
PID 1580 wrote to memory of 2912	1580	295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe	28
PID 1580 wrote to memory of 2912	1580	295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe	28
PID 1580 wrote to memory of 2912	1580	295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe	28
PID 1580 wrote to memory of 2912	1580	295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe	28
PID 1580 wrote to memory of 2912	1580	295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe	28

C:\Users\Admin\AppData\Local\Temp\295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe
"C:\Users\Admin\AppData\Local\Temp\295e3730f406ead5b0e2fd50cca093d6c0a00571986b36064f6007428a7123e6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /S 03Ny.f
  2⤵
  - Loads dropped DLL
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\03Ny.f

Filesize
1.6MB

MD5
a43ff35c7207692b8905d3e26166a40b

SHA1
29ec11517743d535f019af797d6be971d833fa9c

SHA256
e51e476ee334e56af9b4fb77a733557cd8043f7d10676c63218c37a2a46e0c6d

SHA512
65d584376f0def3b68d7397f3a901914ff2a055ad283e51c2f91336f1e25816033b89fb532bbafa01f12fefe23671abe071cff7a59f04debd370c029a45a13ba

Download Submit
\Users\Admin\AppData\Local\Temp\03Ny.f

Filesize
1.6MB

MD5
a43ff35c7207692b8905d3e26166a40b

SHA1
29ec11517743d535f019af797d6be971d833fa9c

SHA256
e51e476ee334e56af9b4fb77a733557cd8043f7d10676c63218c37a2a46e0c6d

SHA512
65d584376f0def3b68d7397f3a901914ff2a055ad283e51c2f91336f1e25816033b89fb532bbafa01f12fefe23671abe071cff7a59f04debd370c029a45a13ba

Download Submit
memory/2912-5-0x0000000010000000-0x0000000010198000-memory.dmp

Filesize
1.6MB

Download
memory/2912-4-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2912-8-0x0000000000DD0000-0x0000000000EEE000-memory.dmp

Filesize
1.1MB

Download
memory/2912-9-0x00000000023D0000-0x00000000024D2000-memory.dmp

Filesize
1.0MB

Download
memory/2912-12-0x00000000023D0000-0x00000000024D2000-memory.dmp

Filesize
1.0MB

Download
memory/2912-13-0x00000000023D0000-0x00000000024D2000-memory.dmp

Filesize
1.0MB

Download