e0ba08f7e45c59be55719a3954ec51b1c1a077291a2850cd80107d2b656c71a8

Analysis

max time kernel
0s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

152e82bb36b1c25cd89bbe14b76ece27.exe
Size

2.0MB
MD5

152e82bb36b1c25cd89bbe14b76ece27
SHA1

434fd6402e04a72438d9160db03c2d8492dc7d7b
SHA256

e0ba08f7e45c59be55719a3954ec51b1c1a077291a2850cd80107d2b656c71a8
SHA512

cb737d7c4e657f7df3fdaf67d1b1cf05ddb0692790fc21a23e2163ae0552eaae84cbfd971f6dbef2accb620d4f97785508c8c032bf3c879177c5c1d47f9b4f4f
SSDEEP

49152:0HWTNzzJOoX7OI+Rg+LdT6nyzm+ePW7UqNXoCccEkLGIay1v16+DOf4zfFLu3:0HqzJOoX7OI+Rg+LdTYyzmLPYNXoCJKR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1408	reg.exe
3592	reg.exe
3840	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2292	152e82bb36b1c25cd89bbe14b76ece27.exe
2292	152e82bb36b1c25cd89bbe14b76ece27.exe
2292	152e82bb36b1c25cd89bbe14b76ece27.exe
2292	152e82bb36b1c25cd89bbe14b76ece27.exe
2292	152e82bb36b1c25cd89bbe14b76ece27.exe
2292	152e82bb36b1c25cd89bbe14b76ece27.exe
2292	152e82bb36b1c25cd89bbe14b76ece27.exe
2292	152e82bb36b1c25cd89bbe14b76ece27.exe

C:\Users\Admin\AppData\Local\Temp\152e82bb36b1c25cd89bbe14b76ece27.exe
"C:\Users\Admin\AppData\Local\Temp\152e82bb36b1c25cd89bbe14b76ece27.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  PID:3764
- C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
  "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
  2⤵
  PID:1860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  PID:4220
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\AVATAR196912_94.GIF
  2⤵
  PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
1⤵
PID:4640
- C:\Windows\SysWOW64\reg.exe
  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
  2⤵
  - Modifies registry key
  PID:3840

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
1⤵
- Modifies registry key
PID:1408

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
1⤵
- Modifies registry key
PID:3592

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
1⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
1⤵
PID:1264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17410 /prefetch:2
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDD6F.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R977VUU4\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
150B

MD5
1265b09eaea9e3c69fe1f6a4e8b00e6e

SHA1
44face1bde83d56e9d8906c6661a7fae05e330c6

SHA256
9f67284e85933ba4412c4ab49c0638af67b6ee4db37f7c8d91bff97823dc6068

SHA512
30574540682fb600fba844cf1e9b11205c3ac2eb64cfc661a07b8782938715ca4ccdd3ec5fcd2c0f18e34f2678c374adeca6f180ba792ce36826940b7188a57a

Download Submit
C:\Users\Admin\AppData\Roaming\RUNDLL.EXE

Filesize
77KB

MD5
2d1a0751ad853d1434c2a01588db73ac

SHA1
0a1eda8fb615a6c504ca299856159cce86cbe3d2

SHA256
a73478bf96d9a5351a4cf414cb167d40edcb5a84567a887c9ad9047bf4ceda7d

SHA512
0f627811f4f1f74746b851bd73dc93a478734ad669a4a5ae02de1d954dd38767aa503e056b8d994ae1b141632fbd1d758e05898a44f432e89812129af4b62e40

Download Submit
C:\Users\Admin\AppData\Roaming\avatar196912_94.gif

Filesize
88KB

MD5
5de50401c038ab538bde385b9eaaf042

SHA1
1c720841d9ea5f0acc8b7e64c0f570bd510c85c2

SHA256
bc4c5f2228f650004b026b6f834df8761be1c0230f7599bbe0a7fc0dda5c777c

SHA512
0bea1a20fce4f0d1e1be935c6c18f678fdbf306fc8a86608cb2b04b16f06ed37a9e31a12c992289dcd1a7cc9907b508c4138aa0e08a9eaf517fd31f47590284b

Download Submit
C:\Users\Admin\AppData\Roaming\avatar196912_94.gif

Filesize
44KB

MD5
6183668a6cbf73afe61e70a124dd2c17

SHA1
d295c4bd859a8b235590c1f294e90f6275d29287

SHA256
de47ed447f6202cbbaec9c05c03d24100da3447ceb30d4d19afe8c3f79d764a2

SHA512
13aca8d5b6f49e2ecc3ba77fe08bc31cdf2baff4e4e97f4fae842651a9e35e75f7a6b987d74bdcca4bb414fe34612b50d0dc506a144c806a96d913da50dc8115

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
32KB

MD5
d32b07844cb85f572092ec39d1c06f78

SHA1
d74c66309219abdfc492fc5f4adcb90e615c918f

SHA256
077b44c43ca40ff76cbce6f5d3f5d7698d3c42a264bb04b1fce597a968c5e44f

SHA512
a88377493db32cbcbb2de9e95d78735df7dc57901189223311d6796b97b570c76be4e270ac1e0d271b70ccd8683b82cbc947580364cb9c056150135b3884b0b9

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
42KB

MD5
a3130fbd1fc3effc83f362584871dcda

SHA1
140c51aa3a98b18500deeb0b75213eb257505666

SHA256
247054ad6e731cb1489117e0eba411fab1366d8bfd460abb245a16fe47af2c58

SHA512
66b5cee3700b6a4dbd9ea4b45ddb8fdbc4d7055cf95f7f34f57ed23f6c1e9e4d259a05c2db47e97f38dc5185b0c6bfdcf56599124261abdc60e4499e2467ae50

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
42KB

MD5
fd529bbe7a53ea1ea6dad898bbdbb0e6

SHA1
13fe9c0a9046bb95dc62d4cbcc8ec8817f90b53b

SHA256
45a5d0a7690d263bee1550165bded97347ea298773552be2b02f2942425f8a2f

SHA512
8e38886a966bc30098528a1fb6c62365978d0f93daa780876d1bbd8ee4eb28a619546eee93cf07fa2f24148500612c261999a5adf7017ee8bcd9fdddb4cf59e7

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
17KB

MD5
845066a350664614d1debd9056d70519

SHA1
88ba41fae9bd9b050eb4ed4c35c4ffb8c4306fdc

SHA256
9974380c5a1a2b7d26be35ad2b29bce5cfafbbd72f9192c40ecb40e14385fb20

SHA512
902194fcd706a353960946b7bc80be90693efb0281ddb8b745ea5471dfd0a297a6f3a1bc7b9c2356497644cb7322c45928e1137eca7094f4b193353535e10af9

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
92KB

MD5
2677fc250ef707f4a71868ede9bcd86a

SHA1
ae49ef4855b95d8c7b95d002b33629953c53c541

SHA256
5022e4be30b79c01e4d8b08ae7a99a03b732dfe447a7be9f8e8581737e66fd19

SHA512
9d09c876a1211cbef268af64aa46f297eab34da3cc1b67b1a4d4a5824588d5d85746ec749d5a0f61d3f97d8c1e995b63e7ad4a35fcc9ded3aac5f62edf53f1f2

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
37KB

MD5
fba7438b6d672a6d0dc241bf0d9d342f

SHA1
bb1b4451c27729df9c9ce68c9815579e8f458d02

SHA256
78c52d2d8c47a45d6c0770cd3a85c788b515aeebd7081136bc8bebd1c3ff2d3a

SHA512
5022a699f7579591cb8187f694c84b8e0413bd99d40f93257a455578682eb8404760403a117e6fbff1aeff8a8060be9603f4ad636f8189156fd2cd97c5b86606

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
74KB

MD5
3e018c73f4b9b11411ba5b21199e571e

SHA1
08c9e76175a299c466c0217693be7ca24518e9f7

SHA256
af6adecd57512b58e8caf08241ceb849b5b52f3daf7ff8dec793ad781209e9d2

SHA512
23db34c9431c5888118ce3e5726ce9c0f2894d69ae3595d03d027298cd9453896a04fcb1a55b9b7c097a53bb7fc79cb28357a2af962f2fe8fa8d7c45ec882c16

Download Submit
memory/1860-27-0x0000000000540000-0x00000000005CC000-memory.dmp

Filesize
560KB

Download
memory/1860-35-0x0000000000540000-0x00000000005CC000-memory.dmp

Filesize
560KB

Download
memory/1860-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1860-29-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2292-28-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download