e23085192c74910f8c5b78b146a89872fc5a787a39be975c7765ec4f19bcfbd8

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054202da3c3b3983abca54163c8ac3f4.exe
Size

1.2MB
MD5

054202da3c3b3983abca54163c8ac3f4
SHA1

219b2543ba790f8e656d5066257ac038ae3bb7f1
SHA256

e23085192c74910f8c5b78b146a89872fc5a787a39be975c7765ec4f19bcfbd8
SHA512

0e67942b3b8f45aa02fea3d9f56e8536c1c3f979a3b7a39f7d883e0092a0e5e98bf1f6d70e18d660762ff4fe8e14c5cef8ddc4f13b494626f18cfe78f306508b
SSDEEP

24576:JI39dRnmVyvTZfR9GpD+61NCRaL0VT+Su5xA8YYUdUgSVsRmCvoh6Y2khpJ:J6dRnmws+CNC0I0nA8A+gSVSm1rDh3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	is-H3PNL.tmp

Loads dropped DLL 3 IoCs

pid	Process
2028	054202da3c3b3983abca54163c8ac3f4.exe
2328	is-H3PNL.tmp
2328	is-H3PNL.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2328	is-H3PNL.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2328	2028	054202da3c3b3983abca54163c8ac3f4.exe	28
PID 2028 wrote to memory of 2328	2028	054202da3c3b3983abca54163c8ac3f4.exe	28
PID 2028 wrote to memory of 2328	2028	054202da3c3b3983abca54163c8ac3f4.exe	28
PID 2028 wrote to memory of 2328	2028	054202da3c3b3983abca54163c8ac3f4.exe	28
PID 2028 wrote to memory of 2328	2028	054202da3c3b3983abca54163c8ac3f4.exe	28
PID 2028 wrote to memory of 2328	2028	054202da3c3b3983abca54163c8ac3f4.exe	28
PID 2028 wrote to memory of 2328	2028	054202da3c3b3983abca54163c8ac3f4.exe	28

C:\Users\Admin\AppData\Local\Temp\054202da3c3b3983abca54163c8ac3f4.exe
"C:\Users\Admin\AppData\Local\Temp\054202da3c3b3983abca54163c8ac3f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\is-VDHUR.tmp\is-H3PNL.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VDHUR.tmp\is-H3PNL.tmp" /SL4 $70120 "C:\Users\Admin\AppData\Local\Temp\054202da3c3b3983abca54163c8ac3f4.exe" 970239 74240
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-22MVK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VDHUR.tmp\is-H3PNL.tmp

Filesize
669KB

MD5
00534d1694b8a789ae47605dee3aedd8

SHA1
a55578f44fd5aab65607c69bf119504c4597287e

SHA256
8f9f96df0d47b62f93cb6ee8888489ddcd8919e8dbf035cd0bf97dcd6d799c91

SHA512
31051d64ff422acfd7529d58ae3b343c92cc6fba08b1aa9c54eff5fc4a2998790472b23ac2da9944992fc61083ad611de26933600e5eb3ea11839f57df945b78

Download Submit
memory/2028-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2028-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2328-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download