554be87dfb5b238eedbf7f57d7ee837252e521d289ec5f365489c234f3024931

Analysis

max time kernel
1s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f895f3e1fe22acab1c325a563c69ccb.exe
Size

134KB
MD5

1f895f3e1fe22acab1c325a563c69ccb
SHA1

18212557bc8f96c93cd113f1bd439f811a3a00a4
SHA256

554be87dfb5b238eedbf7f57d7ee837252e521d289ec5f365489c234f3024931
SHA512

9edd25550c0935b38d6cd82f4ab607eb37702aa43e36a737da63d54ebd773e73d57e03db14d108440fe0a920a364de403c959245d75b94b3a586e79cd5c04db1
SSDEEP

3072:HnOn7t7XpdpCCTg/sxFgJseq8KECcRVRF7mixOuyscgDYP:HKpdcCrTv8KtcxF6UOuyjgEP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1704	downloadmr.exe

Loads dropped DLL 2 IoCs

pid	Process
4008	1f895f3e1fe22acab1c325a563c69ccb.exe
4008	1f895f3e1fe22acab1c325a563c69ccb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 1704	4008	1f895f3e1fe22acab1c325a563c69ccb.exe	24
PID 4008 wrote to memory of 1704	4008	1f895f3e1fe22acab1c325a563c69ccb.exe	24
PID 4008 wrote to memory of 1704	4008	1f895f3e1fe22acab1c325a563c69ccb.exe	24

C:\Users\Admin\AppData\Local\Temp\1f895f3e1fe22acab1c325a563c69ccb.exe
"C:\Users\Admin\AppData\Local\Temp\1f895f3e1fe22acab1c325a563c69ccb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\nsp5323.tmp\downloadmr.exe
  C:\Users\Admin\AppData\Local\Temp\nsp5323.tmp\downloadmr.exe /e2406373 /u4dc9054e-38b0-4614-bdd5-20605bc06f26
  2⤵
  - Executes dropped EXE
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp5323.tmp\System.dll

Filesize
12KB

MD5
23292fc6a56dd0f55a222788c44c19e2

SHA1
12bdb9899c40d0bd45d82623d71f1b1239468b3c

SHA256
32bcbd878fc3249c29a17b3aaa1c263ff9ed34bb0f9226a45ac2ff2d3b40e204

SHA512
530e3408dd695807a03a6640f84aa545dc178d416fde0b0838b0bfa7b9778a8042977fb191be722b4bc8e46842b06715cd0b8289170f7a1f8432f82a99275d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5323.tmp\System.dll

Filesize
21KB

MD5
5ebc73650256e9c8ddbcda231db829a1

SHA1
988d4535e18754ab2a6248abae96c5697d7dbcd5

SHA256
1eaa543842df7795404184e8892a1654b0773dbc9bd8b54c7fdb9e68f4355493

SHA512
b21266e76fc7263af982a1336a766e47ccf348ed56b305dbb09f03574c9b2a7309f12200e80d86f9a251381be6e87a41206447f11c51899cb31fba10da1d5270

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5323.tmp\System.dll

Filesize
17KB

MD5
e463805a3f15ad44bef97210a08c0bb5

SHA1
41429d8d2b065e360fc225853ad13950a36220e5

SHA256
184dd6a97c0e98693aad016ee58dbd2f0754aec0eb71c21e8083e2c33d0149d9

SHA512
dd731f0edf02371e482e249fb3e129d4779362091596ead4e38db3038aa496145c42e0116877d7fa27f0cf3adc17f439c14311df6aa004e93ff66f1888385e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5323.tmp\downloadmr.exe

Filesize
26KB

MD5
e40eb4439f4f2f20a1b563a5cf1bc0b9

SHA1
08a32485240672310d2c7e6f34e2e9046cf94f61

SHA256
e34e6d94d661d29e3704145991615d27bb07e74bb60d05a583217ac5dd874b49

SHA512
5dad156328635add0bf00cbf08930c57933d6f5fa9316ba5605706c064455cc171bc6e5a5170e1d50ab49ad8fe9e24913801cf7af1dd604540444b4453a39f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5323.tmp\downloadmr.exe

Filesize
74KB

MD5
6be2b69cbabed33d36d9b4f007f6c649

SHA1
69df502cc5f693f580d26061c7fea63488f2e4e6

SHA256
9b8e3aeb6e862b9a1c2be23c4d10e116a79edf1729fe8215215a8d02006a8797

SHA512
4dd43ba181047e9473e5bd23226da71da331b3704967fd0487c3de5d2fe24d08d0c4346880467710ef1268e7cbc1ecaa7de0ef4d818d747fc80804110d8bdeb2

Download Submit
memory/1704-14-0x0000000074040000-0x00000000745F1000-memory.dmp

Filesize
5.7MB

Download
memory/1704-15-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/1704-13-0x0000000074040000-0x00000000745F1000-memory.dmp

Filesize
5.7MB

Download
memory/1704-27-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/1704-26-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/1704-28-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/1704-32-0x0000000074040000-0x00000000745F1000-memory.dmp

Filesize
5.7MB

Download
memory/4008-30-0x000000006E3C0000-0x000000006E3CD000-memory.dmp

Filesize
52KB

Download
memory/4008-29-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4008-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download