0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe
Size

1.6MB
MD5

d4fb44bf4974c88fa13fbda528992a0d
SHA1

18d9bcffa7b2372bca4ab13eaee08e925b68cfa6
SHA256

0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb
SHA512

ced3dda0101f6753c5d2cd03f9dccd830312f36f0b732f4ab84a5ceea54e57d9a35a78862f0b206b52eb36cc8a35e66c73043b126d8dacf6db8fd261acaf766e
SSDEEP

24576:CGn8xjmViXYMnAN7Qvgq93kQLWT3WQL9uha+SiNeibg1x7AgjljnwWgb/RiDJwTN:CvxfXTANMLLWDtLSa+xDeAgjlHgtiyuS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2332	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2332	2624	0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe	28
PID 2624 wrote to memory of 2332	2624	0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe	28
PID 2624 wrote to memory of 2332	2624	0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe	28
PID 2624 wrote to memory of 2332	2624	0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe	28
PID 2624 wrote to memory of 2332	2624	0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe	28
PID 2624 wrote to memory of 2332	2624	0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe	28
PID 2624 wrote to memory of 2332	2624	0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe	28

C:\Users\Admin\AppData\Local\Temp\0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe
"C:\Users\Admin\AppData\Local\Temp\0ddb7999190c5af4a17b79963203c5ea63903e2d6cb0773f7e809c4e1d5a31cb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /U -S .\LpH0dGGB.LP
  2⤵
  - Loads dropped DLL
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LpH0dGGB.LP

Filesize
1.4MB

MD5
9fab521111943372140fc72f81812369

SHA1
dd1ac64fdc2ea6e7c41fa506cdfd86c6c659c759

SHA256
12c41acc5cfe0dcfc3c2379b13d0447afd3beaf061009f75335e5dfd79a8d368

SHA512
8d791b2374ba2b18ed4544011550dba8a9dae72e4f6007b5efef07467ed81f3a0258bf88aae0cb4d1bfdeca5ca7b99dbef5837e91cf7b716720591d8c0585f02

Download Submit
\Users\Admin\AppData\Local\Temp\lpH0dgGB.lP

Filesize
1.4MB

MD5
9fab521111943372140fc72f81812369

SHA1
dd1ac64fdc2ea6e7c41fa506cdfd86c6c659c759

SHA256
12c41acc5cfe0dcfc3c2379b13d0447afd3beaf061009f75335e5dfd79a8d368

SHA512
8d791b2374ba2b18ed4544011550dba8a9dae72e4f6007b5efef07467ed81f3a0258bf88aae0cb4d1bfdeca5ca7b99dbef5837e91cf7b716720591d8c0585f02

Download Submit
memory/2332-5-0x0000000010000000-0x0000000010161000-memory.dmp

Filesize
1.4MB

Download
memory/2332-4-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/2332-10-0x00000000020F0000-0x00000000021F3000-memory.dmp

Filesize
1.0MB

Download
memory/2332-11-0x0000000002200000-0x00000000022EA000-memory.dmp

Filesize
936KB

Download
memory/2332-14-0x0000000002200000-0x00000000022EA000-memory.dmp

Filesize
936KB

Download
memory/2332-15-0x0000000002200000-0x00000000022EA000-memory.dmp

Filesize
936KB

Download