2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe
Size

1.6MB
MD5

638ca8564eb961991d8500eddd016e81
SHA1

6d2d10a01ca76239c3af8e63c22bbe8dc7b1f483
SHA256

2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530
SHA512

e591dd61512d56ac4ceb991fde58ed1f3f43a0289cb03d8ed4296a16d61e2751c44b3e6ab555484b2394dbe14a674021190eece8fb526cc45e53521a82ef90f0
SSDEEP

24576:CGn8xjmViXYMnnbmTh2RR/QlicilNCTnkUYYeidUTTtFWMGjAMCE59T17yPVKsog:CvxfXTnF6ic2AdkTqAMh6KvaR

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2216	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2216	2980	2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe	28
PID 2980 wrote to memory of 2216	2980	2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe	28
PID 2980 wrote to memory of 2216	2980	2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe	28
PID 2980 wrote to memory of 2216	2980	2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe	28
PID 2980 wrote to memory of 2216	2980	2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe	28
PID 2980 wrote to memory of 2216	2980	2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe	28
PID 2980 wrote to memory of 2216	2980	2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe	28

C:\Users\Admin\AppData\Local\Temp\2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe
"C:\Users\Admin\AppData\Local\Temp\2496c584b7fbdbd2fabb3aec3c38dbeae1c58bc2cdba76b5b654748f555c1530.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s .\5FdKDn.kWW /u
  2⤵
  - Loads dropped DLL
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5FdKDn.kWW

Filesize
1.4MB

MD5
85aaec4805ffe591ea9b80da3a72182e

SHA1
e37ac905aafb9d789eb8654d58c44f0db66d14e9

SHA256
3fff1aded4d83b84908bb28e3e4fce66d71cb5f41a7493db97122e84583fccd9

SHA512
6a387698dd7734dff98e5b5b4dfbd8e0f35ca915881b647f8e48fbc5d8dbc0883452f0fdef71a07eecac05c3d67a7b92347f3767a716348329765b0417aa1713

Download Submit
\Users\Admin\AppData\Local\Temp\5fdkdn.kww

Filesize
1.4MB

MD5
85aaec4805ffe591ea9b80da3a72182e

SHA1
e37ac905aafb9d789eb8654d58c44f0db66d14e9

SHA256
3fff1aded4d83b84908bb28e3e4fce66d71cb5f41a7493db97122e84583fccd9

SHA512
6a387698dd7734dff98e5b5b4dfbd8e0f35ca915881b647f8e48fbc5d8dbc0883452f0fdef71a07eecac05c3d67a7b92347f3767a716348329765b0417aa1713

Download Submit
memory/2216-4-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/2216-5-0x0000000010000000-0x000000001015D000-memory.dmp

Filesize
1.4MB

Download
memory/2216-7-0x0000000002170000-0x0000000002276000-memory.dmp

Filesize
1.0MB

Download
memory/2216-8-0x0000000002280000-0x000000000236E000-memory.dmp

Filesize
952KB

Download
memory/2216-11-0x0000000002280000-0x000000000236E000-memory.dmp

Filesize
952KB

Download
memory/2216-12-0x0000000002280000-0x000000000236E000-memory.dmp

Filesize
952KB

Download