21f3fa72314cf9f144b844b149e62d6584bb2afb407ed6c14806e00dbc091875

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11132efb5d5df46af48147c06360bcd4.exe
Size

445KB
MD5

11132efb5d5df46af48147c06360bcd4
SHA1

b542258ba19a13f56b9f1f87b478aa990dbf68cd
SHA256

21f3fa72314cf9f144b844b149e62d6584bb2afb407ed6c14806e00dbc091875
SHA512

bf2c927b1ad4dec9aead62a4068647672ada0cd879ef6c76f159c1c4daea0347650ddfbd5ee78eab63deaecdbfece1df53ea89ffe974159a862170b3cc7019fe
SSDEEP

12288:H/VF3cnvEy9uTk4FF1g38Hx1iCJXOyC1aNJjrlIpGPyK:H/z3c79uTk4rH1fiaNhRIpGPyK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4876	mf.exe
2788	ef.exe

Loads dropped DLL 12 IoCs

pid	Process
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe
2996	11132efb5d5df46af48147c06360bcd4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4876	2996	11132efb5d5df46af48147c06360bcd4.exe	18
PID 2996 wrote to memory of 4876	2996	11132efb5d5df46af48147c06360bcd4.exe	18
PID 2996 wrote to memory of 4876	2996	11132efb5d5df46af48147c06360bcd4.exe	18
PID 2996 wrote to memory of 2788	2996	11132efb5d5df46af48147c06360bcd4.exe	21
PID 2996 wrote to memory of 2788	2996	11132efb5d5df46af48147c06360bcd4.exe	21
PID 2996 wrote to memory of 2788	2996	11132efb5d5df46af48147c06360bcd4.exe	21

C:\Users\Admin\AppData\Local\Temp\11132efb5d5df46af48147c06360bcd4.exe
"C:\Users\Admin\AppData\Local\Temp\11132efb5d5df46af48147c06360bcd4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\nsr3E52.tmp\mf.exe
  C:\Users\Admin\AppData\Local\Temp\nsr3E52.tmp\mf.exe "C:\Users\Admin\AppData\Local\Temp\nsr3E52.tmp\inetc.dll"
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\nsr3E52.tmp\ef.exe
  C:\Users\Admin\AppData\Local\Temp\nsr3E52.tmp\ef.exe "C:\Users\Admin\AppData\Local\Temp\nsr3E52.tmp\inetc.dll" -111
  2⤵
  - Executes dropped EXE
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2996-44-0x0000000003CC0000-0x0000000003CDA000-memory.dmp

Filesize
104KB

Download
memory/2996-36-0x0000000003BB0000-0x0000000003BBC000-memory.dmp

Filesize
48KB

Download