5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe
Size

2.0MB
MD5

fc59c6ba39946ca20b5aba3757723e30
SHA1

a390aca4e1d05431467f3401ff1c8a8a7745440f
SHA256

5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc
SHA512

1ff91a9429ed99ff85b6535c3ef3325fb359d308053bdd6f5b169b6f6da6bc83d876822d4251ebdc1405895ccf733983e8b923c6043b78f3a111ad83b499812d
SSDEEP

49152:xWhlkLBfJXAEXmTVUnGpyNuDCWu032AZiiJmoOk:xWhl0BfKE2TV/pyuDCWuM2AZiYm1k

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2088	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2088	2216	5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe	28
PID 2216 wrote to memory of 2088	2216	5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe	28
PID 2216 wrote to memory of 2088	2216	5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe	28
PID 2216 wrote to memory of 2088	2216	5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe	28
PID 2216 wrote to memory of 2088	2216	5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe	28
PID 2216 wrote to memory of 2088	2216	5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe	28
PID 2216 wrote to memory of 2088	2216	5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe	28

C:\Users\Admin\AppData\Local\Temp\5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe
"C:\Users\Admin\AppData\Local\Temp\5e1fad1e14214bce3dd50e290e87ea01168d3a81091e5a7bc8425e8b77a218bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s N7o47.uK /u
  2⤵
  - Loads dropped DLL
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\N7o47.uK

Filesize
1.4MB

MD5
24e7e75cab8a75515cf7e3bb7b8af347

SHA1
cd80b5d8873fbe8761dfc0efe6f85c914b1aa0b7

SHA256
acff6e0610226d7fd1c22db0297aceb426d8ccdf2cd28135d2370ec70563fc43

SHA512
cdd857ec69df9d6688397b2f838477d9958d728f38eabf52e4d343dac3d37ffa3ca5bf93504bd25e7480a11e391ee60b1bf9a7ec99f168ad6c4f3a3fbf6f757a

Download Submit
\Users\Admin\AppData\Local\Temp\N7o47.uK

Filesize
1.4MB

MD5
24e7e75cab8a75515cf7e3bb7b8af347

SHA1
cd80b5d8873fbe8761dfc0efe6f85c914b1aa0b7

SHA256
acff6e0610226d7fd1c22db0297aceb426d8ccdf2cd28135d2370ec70563fc43

SHA512
cdd857ec69df9d6688397b2f838477d9958d728f38eabf52e4d343dac3d37ffa3ca5bf93504bd25e7480a11e391ee60b1bf9a7ec99f168ad6c4f3a3fbf6f757a

Download Submit
memory/2088-4-0x00000000000C0000-0x00000000000C6000-memory.dmp

Filesize
24KB

Download
memory/2088-5-0x0000000010000000-0x0000000010164000-memory.dmp

Filesize
1.4MB

Download
memory/2088-7-0x0000000010000000-0x0000000010164000-memory.dmp

Filesize
1.4MB

Download
memory/2088-8-0x0000000000CF0000-0x0000000000DE9000-memory.dmp

Filesize
996KB

Download
memory/2088-9-0x0000000000DF0000-0x0000000000ED0000-memory.dmp

Filesize
896KB

Download
memory/2088-12-0x0000000000DF0000-0x0000000000ED0000-memory.dmp

Filesize
896KB

Download
memory/2088-13-0x0000000000DF0000-0x0000000000ED0000-memory.dmp

Filesize
896KB

Download