554be87dfb5b238eedbf7f57d7ee837252e521d289ec5f365489c234f3024931

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f895f3e1fe22acab1c325a563c69ccb.exe
Size

134KB
MD5

1f895f3e1fe22acab1c325a563c69ccb
SHA1

18212557bc8f96c93cd113f1bd439f811a3a00a4
SHA256

554be87dfb5b238eedbf7f57d7ee837252e521d289ec5f365489c234f3024931
SHA512

9edd25550c0935b38d6cd82f4ab607eb37702aa43e36a737da63d54ebd773e73d57e03db14d108440fe0a920a364de403c959245d75b94b3a586e79cd5c04db1
SSDEEP

3072:HnOn7t7XpdpCCTg/sxFgJseq8KECcRVRF7mixOuyscgDYP:HKpdcCrTv8KtcxF6UOuyjgEP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2844	downloadmr.exe

Loads dropped DLL 3 IoCs

pid	Process
1364	1f895f3e1fe22acab1c325a563c69ccb.exe
1364	1f895f3e1fe22acab1c325a563c69ccb.exe
1364	1f895f3e1fe22acab1c325a563c69ccb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2844	1364	1f895f3e1fe22acab1c325a563c69ccb.exe	17
PID 1364 wrote to memory of 2844	1364	1f895f3e1fe22acab1c325a563c69ccb.exe	17
PID 1364 wrote to memory of 2844	1364	1f895f3e1fe22acab1c325a563c69ccb.exe	17
PID 1364 wrote to memory of 2844	1364	1f895f3e1fe22acab1c325a563c69ccb.exe	17

C:\Users\Admin\AppData\Local\Temp\1f895f3e1fe22acab1c325a563c69ccb.exe
"C:\Users\Admin\AppData\Local\Temp\1f895f3e1fe22acab1c325a563c69ccb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\nso17A8.tmp\downloadmr.exe
  C:\Users\Admin\AppData\Local\Temp\nso17A8.tmp\downloadmr.exe /e2406373 /u4dc9054e-38b0-4614-bdd5-20605bc06f26
  2⤵
  - Executes dropped EXE
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso17A8.tmp\downloadmr.exe

Filesize
94KB

MD5
18c1e3766e0d6197eb45f6dc1e910a04

SHA1
b95a04ff5097c0a12e4dbd609657bd052fbc8136

SHA256
aac2074d27ecef3b9b756cc581041aed3466c68720a041f1892bbafb1c58ae9e

SHA512
035ecb3b281c11ea6a5673f81cf32c995e6b0c9985a3c6fbcfc8531b8ab37ab45edde1672dc22223d43e1dc1930ffa6d29e243e7df5c8b7c1c7c5bf30b6c27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso17A8.tmp\downloadmr.exe

Filesize
135KB

MD5
fb753ca8f8abe185c761c5a729552f05

SHA1
d87aeac1b5c45792997dd6da20687c2a60072665

SHA256
d9b21b59169dc040c604bf10bf53521633fbe54911a32ae9ea78136297f3c454

SHA512
271be08c81bc23ecf3ab0c6355f7c171cbd227b773b1cde3ff6389ea01246952bee4d8c213f4e2428ff6f62510dfbe609c66f079e0d4b03c148894989061ac15

Download Submit
\Users\Admin\AppData\Local\Temp\nso17A8.tmp\System.dll

Filesize
21KB

MD5
5ebc73650256e9c8ddbcda231db829a1

SHA1
988d4535e18754ab2a6248abae96c5697d7dbcd5

SHA256
1eaa543842df7795404184e8892a1654b0773dbc9bd8b54c7fdb9e68f4355493

SHA512
b21266e76fc7263af982a1336a766e47ccf348ed56b305dbb09f03574c9b2a7309f12200e80d86f9a251381be6e87a41206447f11c51899cb31fba10da1d5270

Download Submit
memory/1364-94-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1364-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1364-89-0x000000006E3C0000-0x000000006E3CD000-memory.dmp

Filesize
52KB

Download
memory/2844-84-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/2844-83-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/2844-85-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/2844-87-0x00000000068F0000-0x00000000069F0000-memory.dmp

Filesize
1024KB

Download
memory/2844-86-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/2844-15-0x0000000074A70000-0x000000007501B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-17-0x0000000074A70000-0x000000007501B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-90-0x0000000074A70000-0x000000007501B000-memory.dmp

Filesize
5.7MB

Download
memory/2844-16-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download