21900323a0cead4c41b4af01f276bf6d3dd1d1749b98d7786963f238550a31dd

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f4850b100878d7bd4e325f2b7d4c42.exe
Size

2.3MB
MD5

14f4850b100878d7bd4e325f2b7d4c42
SHA1

7d7b4279dd6ccd9d2a86e103f3b4f48c9fe86e28
SHA256

21900323a0cead4c41b4af01f276bf6d3dd1d1749b98d7786963f238550a31dd
SHA512

629375be6d71bf0ad6e6a4898ac00224a96d40c9bd84c32d69d31ea8c70b26fb171b653843291dddce00fe2d9d0acf0bc5701be1fd58407a21303da26e72bd57
SSDEEP

49152:5p2Qu650JXrPcuhoNCnZ5nZCB9wVInebA5rOYiZnV:z2B650JrcumgI9nebSivZnV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	14f4850b100878d7bd4e325f2b7d4c42.tmp

Loads dropped DLL 4 IoCs

pid	Process
2004	14f4850b100878d7bd4e325f2b7d4c42.exe
2044	14f4850b100878d7bd4e325f2b7d4c42.tmp
2044	14f4850b100878d7bd4e325f2b7d4c42.tmp
2044	14f4850b100878d7bd4e325f2b7d4c42.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	14f4850b100878d7bd4e325f2b7d4c42.tmp
2044	14f4850b100878d7bd4e325f2b7d4c42.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	14f4850b100878d7bd4e325f2b7d4c42.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2044	2004	14f4850b100878d7bd4e325f2b7d4c42.exe	17
PID 2004 wrote to memory of 2044	2004	14f4850b100878d7bd4e325f2b7d4c42.exe	17
PID 2004 wrote to memory of 2044	2004	14f4850b100878d7bd4e325f2b7d4c42.exe	17
PID 2004 wrote to memory of 2044	2004	14f4850b100878d7bd4e325f2b7d4c42.exe	17
PID 2004 wrote to memory of 2044	2004	14f4850b100878d7bd4e325f2b7d4c42.exe	17
PID 2004 wrote to memory of 2044	2004	14f4850b100878d7bd4e325f2b7d4c42.exe	17
PID 2004 wrote to memory of 2044	2004	14f4850b100878d7bd4e325f2b7d4c42.exe	17

C:\Users\Admin\AppData\Local\Temp\14f4850b100878d7bd4e325f2b7d4c42.exe
"C:\Users\Admin\AppData\Local\Temp\14f4850b100878d7bd4e325f2b7d4c42.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\is-0J9OC.tmp\14f4850b100878d7bd4e325f2b7d4c42.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0J9OC.tmp\14f4850b100878d7bd4e325f2b7d4c42.tmp" /SL5="$80126,1737087,70144,C:\Users\Admin\AppData\Local\Temp\14f4850b100878d7bd4e325f2b7d4c42.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0J9OC.tmp\14f4850b100878d7bd4e325f2b7d4c42.tmp

Filesize
898KB

MD5
296b90e0de23f0151473749c93e74783

SHA1
bc481dd4221c50bd01f8e988a34236d19afb43ae

SHA256
6ee7381908248dd54639340d4ce3edf34a07df95e26286ea8e17b0cb76bd56ee

SHA512
d725620c63d683d9dee363c907dd37e9d428a43ec9c2d73bea319135c735e063fb0d9aa34a1cc68d95b52c81a36b299a56cca799241cc791949a669a3c849c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0J9OC.tmp\14f4850b100878d7bd4e325f2b7d4c42.tmp

Filesize
381KB

MD5
4d5161ed14778685013afff00f19a44e

SHA1
7406bf672c0221f95ed49d7170e9308e923d3889

SHA256
bba4edd6a5c75c312d8fe1f0f87e32e1910ca1d51d60442ad08369cd321b2a71

SHA512
614d03fcc777a0fc86e6fdcb25b80839eb38514710b9fe77debbdde2bfceec218089e089eb4437db56a94b1eab28bb17b19ba422ea89a940d7782b29ba9e4273

Download Submit
\Users\Admin\AppData\Local\Temp\is-0J9OC.tmp\14f4850b100878d7bd4e325f2b7d4c42.tmp

Filesize
1.1MB

MD5
a6e4ba05b9d182ae0035eb05ff0656a6

SHA1
156d07e67962d903abb943a6a873c13d443997cb

SHA256
a54b3e79adf59249ea7cea822ea331affa2facc2adc3aa4c4ab3cbdc8a5354d2

SHA512
e4920440bfcb321ab3772143a57abe4f1fc61480a9e98a2f6fba804d6a8efea5a9e8c4e0eab779332da570b40c68f8436f99af33bcb254ff29f90b52e448e211

Download Submit
\Users\Admin\AppData\Local\Temp\is-5N4SC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2004-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2004-159-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2044-22-0x0000000001FA0000-0x0000000001FD7000-memory.dmp

Filesize
220KB

Download
memory/2044-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2044-161-0x0000000001FA0000-0x0000000001FD7000-memory.dmp

Filesize
220KB

Download
memory/2044-160-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2044-165-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download