3a46c2c184b1d7f27db429a8773808e233756bf70a77dde100873d9418470d0a

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 03:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

035b0e7cc316085558d881cdc58a3148.exe
Size

896KB
MD5

035b0e7cc316085558d881cdc58a3148
SHA1

4a7d4e202f48e6dfe751324bb3559e95bed4ea38
SHA256

3a46c2c184b1d7f27db429a8773808e233756bf70a77dde100873d9418470d0a
SHA512

23ab5bfbf29d299fd9765da45cc5ae6a7ea2c0e852c71bc23541771cf46a5dc17d5503ca1d1af57445b90bf84066c3c574a9b1139545ec41034fd9c314214fea
SSDEEP

24576:l5avJ3sbzCzKog8Gb55XQxQgwXltFyX0S:rQ4mzKog8wBQxQjL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	nsrss.exe

Loads dropped DLL 3 IoCs

pid	Process
2624	035b0e7cc316085558d881cdc58a3148.exe
2624	035b0e7cc316085558d881cdc58a3148.exe
2752	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	nsrss.exe
Token: 33	2860	nsrss.exe
Token: SeIncBasePriorityPrivilege	2860	nsrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	035b0e7cc316085558d881cdc58a3148.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2860	2624	035b0e7cc316085558d881cdc58a3148.exe	28
PID 2624 wrote to memory of 2860	2624	035b0e7cc316085558d881cdc58a3148.exe	28
PID 2624 wrote to memory of 2860	2624	035b0e7cc316085558d881cdc58a3148.exe	28
PID 2624 wrote to memory of 2860	2624	035b0e7cc316085558d881cdc58a3148.exe	28
PID 2860 wrote to memory of 2752	2860	nsrss.exe	29
PID 2860 wrote to memory of 2752	2860	nsrss.exe	29
PID 2860 wrote to memory of 2752	2860	nsrss.exe	29
PID 2860 wrote to memory of 2752	2860	nsrss.exe	29

C:\Users\Admin\AppData\Local\Temp\035b0e7cc316085558d881cdc58a3148.exe
"C:\Users\Admin\AppData\Local\Temp\035b0e7cc316085558d881cdc58a3148.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\nsrss.exe
  C:\Users\Admin\AppData\Local\Temp/nsrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 540
    3⤵
    - Loads dropped DLL
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsrss.exe

Filesize
528KB

MD5
f239be94d5e503d5702a5a5d496cc782

SHA1
3b3ef9c0f15568aba930ecac3837699112ba1762

SHA256
e85969cde473d642a5303a46f746b0fdf9ca89f72da9b11856fe12413299f315

SHA512
6f8db0244f921db49972868430017fb11841c6fa981fe635d0d83f54aca498828932875ab2161a03b48bb36c2df5b0ce89a3219da0454309eb67f13ad69e31c1

Download Submit
memory/2752-15-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2860-11-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-12-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-13-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2860-16-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download