601d63103e7d4b41e066db1a99a0c3f353993751a87ca8460a39d33e8ee8af94

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags

arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Top Password/unins000.exe
Size

1.2MB
MD5

dd67786f854894db433ea687fd687f3b
SHA1

fae38fe891303a6fd38de6e19740baeb92c388d1
SHA256

0e3a895a64fd35a4786beaea130cdf6b3b5534a466622de6fe9fe4edf66ed98a
SHA512

a6fbbe3712619d7417dea78dfa38c78857c9f63b49252a235038fb6d2adf277b5fda5b1f487c67b7e151261064ca8ca0b7c6b8f17549ab93009e8cb915772adf
SSDEEP

24576:2nbbPImgK4brDi4IxgRqzwqNb+Yz73P2EMZbG0JEt0qx9R8:8HeKh4nqzF3PYdStp0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4244	_iu14D2N.tmp

Executes dropped EXE 1 IoCs

pid	Process
4244	_iu14D2N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4244	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 4244	4356	unins000.exe	89
PID 4356 wrote to memory of 4244	4356	unins000.exe	89
PID 4356 wrote to memory of 4244	4356	unins000.exe	89

C:\Users\Admin\AppData\Local\Temp\Top Password\unins000.exe
"C:\Users\Admin\AppData\Local\Temp\Top Password\unins000.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
  "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Users\Admin\AppData\Local\Temp\Top Password\unins000.exe" /FIRSTPHASEWND=$D0044
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
192KB

MD5
58e86c71b7aed34259f8a657b344d294

SHA1
d91a313d1c0d8cd42f32583aed4f480994bb9b4d

SHA256
3833f2cdec0ab24703fc81e34c52fa1c572d092e6b665fa623a2ecbb4a7424a1

SHA512
6cf7b4f92d34ed7c14a76e9bd9363f2670e05c026df029d95d55346e5247fa4cbd38417f87bee15b41bbf88d40a1ed55c71f49a03105136d2bc24e5a6f5216de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
14KB

MD5
605ac30193878e848f9c4432f2cfe455

SHA1
eb999e89ca47fdc75553afd714e94dcb309044e1

SHA256
785b9c0e492d1981860ac6d82662924303b7fc3b3188d448e4d0e7a46f0ef150

SHA512
82a24141c2ad5321be1ab035466675bac0dcad3e652775f2ed2ec27b19f537f7b21f0626fc475b5310ef7b73269ff8524c4a7139f61adbb4f1e36130b4b672f9

Download Submit
memory/4244-6-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4244-9-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4244-11-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4356-0-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4356-8-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download