239c15afefb695afbdb1a5594b1932d8b7ed6ae52316510f96eaf06d93d7f637

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e8cbef6a9686ef140df6ea72ca7e91.exe
Size

878KB
MD5

16e8cbef6a9686ef140df6ea72ca7e91
SHA1

d8561e4a7be2f96a8390746f30f2c33aa5609b65
SHA256

239c15afefb695afbdb1a5594b1932d8b7ed6ae52316510f96eaf06d93d7f637
SHA512

b7698b65f6bf954a950a1c890da7e8aa758c5c4f83cd5429c57cf702c22ef9b1ec380f3b7319252330d9eae87ae2bb5c080278b90ac64638257663424a55ad5f
SSDEEP

24576:Mrb6BeG7lxoGMr8nYWHMLIuSPZArUWX0HAq5nsUHJRROkf:+DGBnlHMLIxZArU0kdBsGJ/P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3060	b014b9dfac72f558d25c1c44d4bf5652.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	16e8cbef6a9686ef140df6ea72ca7e91.exe
2040	16e8cbef6a9686ef140df6ea72ca7e91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3060	2040	16e8cbef6a9686ef140df6ea72ca7e91.exe	28
PID 2040 wrote to memory of 3060	2040	16e8cbef6a9686ef140df6ea72ca7e91.exe	28
PID 2040 wrote to memory of 3060	2040	16e8cbef6a9686ef140df6ea72ca7e91.exe	28
PID 2040 wrote to memory of 3060	2040	16e8cbef6a9686ef140df6ea72ca7e91.exe	28
PID 2040 wrote to memory of 3060	2040	16e8cbef6a9686ef140df6ea72ca7e91.exe	28
PID 2040 wrote to memory of 3060	2040	16e8cbef6a9686ef140df6ea72ca7e91.exe	28
PID 2040 wrote to memory of 3060	2040	16e8cbef6a9686ef140df6ea72ca7e91.exe	28

C:\Users\Admin\AppData\Local\Temp\16e8cbef6a9686ef140df6ea72ca7e91.exe
"C:\Users\Admin\AppData\Local\Temp\16e8cbef6a9686ef140df6ea72ca7e91.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\b014b9dfac72f558d25c1c44d4bf5652.exe
  C:\Users\Admin\AppData\Local\Temp\b014b9dfac72f558d25c1c44d4bf5652.exe
  2⤵
  - Executes dropped EXE
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b014b9dfac72f558d25c1c44d4bf5652.exe

Filesize
778KB

MD5
9b2f7e680d811e22d3d9c25d4b3190ef

SHA1
cade75e9eeebc918167941a5fc06e62b0f1b5d12

SHA256
247d863a3328ff308da71b6d5dc4b7cdab283c59d3582e398066d6ce1c41279a

SHA512
87325695b342c4f386877e6633a53356dd8a3101ab5997b71fc12886203b16caa2bd1f659cdb6032a59ec24b8acc63621e9512a0d0d4b846fb38a36e2d6869ea

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8A9.tmp\nxs.dll

Filesize
6KB

MD5
8ca09b6200ffa05b54c6672d855beb4a

SHA1
daa16fe49c8b2250e9d2383b861cda51f876de49

SHA256
033e93ad470241c92762924ccfceafb849a525e263e5d4a3dbcfc2e07a8803c3

SHA512
6ab97181ec45430888d8ad3fd411de22423e1c057833e282af085a975198338c95f7ba10b7c69f33298afc88ddd38d01ab010998fd4a8ba8abb8561796bf9f14

Download Submit
memory/3060-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3060-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3060-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download