4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
Size

2.9MB
MD5

3a7c74b87bb61d6d49081279f27961f0
SHA1

d42f28f20d92f0b78eca9091731ce70c6ae6bb39
SHA256

4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0
SHA512

f99f7b0432fd06b2fe8b6025b2ef3a2e2ebe8e90f82e58cfb9dd7dc8ca311bf22eed8476157df7a5b8ca00b9f66f4d4d0f4598492f7aa4316e4dd16cf1fb35c3
SSDEEP

49152:A1zSZArgfNNUdnmienLW84qo31SJLwd8mPpc1l:AYAryNGdnmnL7oEJMdnhc1l

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
File opened (read-only)	\??\e:	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4504	452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe	98
PID 452 wrote to memory of 4504	452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe	98
PID 452 wrote to memory of 4504	452	4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe	98

C:\Users\Admin\AppData\Local\Temp\4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
"C:\Users\Admin\AppData\Local\Temp\4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe
  "C:\Users\Admin\AppData\Local\Temp\4d4099dce2b54a5f24102b31c929e178f127bb29b815fc99d135ee09df3b49e0.exe"
  2⤵
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RxjhBK.dll

Filesize
24KB

MD5
6ac7a7395d33191a12562eef94eee877

SHA1
ce1b21de4be49e80b39fb78d253e676d05c53855

SHA256
b308ce63403dfe11fc0a51fa6a255c86bef57d7b45c42aa4d0ff4191f0e8ee77

SHA512
ceac9f6b265a18cbd6bbc67a68e95c406d6cf8c40fb790e5750aee547916087eab59a7c646d10f37280654d716389dfec16658bd2d022f4ddc9a1879085475ea

Download Submit
memory/452-12631-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/452-3875-0x0000000076680000-0x0000000076820000-memory.dmp

Filesize
1.6MB

Download
memory/452-5884-0x00000000755F0000-0x000000007566A000-memory.dmp

Filesize
488KB

Download
memory/452-12629-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/452-12630-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/452-0-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/452-12633-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/452-12635-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/452-12636-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/452-1-0x00000000750C0000-0x00000000752D5000-memory.dmp

Filesize
2.1MB

Download
memory/452-12642-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/452-12644-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download