21693a7daaef84e516cca31d1947c1746135de0fbfb639da0d5e57b781926d8a

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e7fc4950ff9f771be58548e06dedaf.exe
Size

74KB
MD5

18e7fc4950ff9f771be58548e06dedaf
SHA1

bc4ed81dff3531690e3f3a2a62ce650e95c409f4
SHA256

21693a7daaef84e516cca31d1947c1746135de0fbfb639da0d5e57b781926d8a
SHA512

a5beae9cdab3dd938539af736e3ec37cd1bf3fb9e8d3e7e4396fe0170ce3204bb9900fe6e08dd6fb60ed4d75d1dd4213ff9c055dd3fd7a00bbc7c9410e6c32a2
SSDEEP

1536:5oLDYsacy7mHMowHjXJuF5sdiLZVgHrmyvgHiHzb7ZXdlihy:5oPyys5jXJuF5ZLZWHrmyvQy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 13 IoCs

pid	Process
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe
2288	18e7fc4950ff9f771be58548e06dedaf.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	18e7fc4950ff9f771be58548e06dedaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2688	2288	18e7fc4950ff9f771be58548e06dedaf.exe	29
PID 2288 wrote to memory of 2688	2288	18e7fc4950ff9f771be58548e06dedaf.exe	29
PID 2288 wrote to memory of 2688	2288	18e7fc4950ff9f771be58548e06dedaf.exe	29
PID 2288 wrote to memory of 2688	2288	18e7fc4950ff9f771be58548e06dedaf.exe	29

C:\Users\Admin\AppData\Local\Temp\18e7fc4950ff9f771be58548e06dedaf.exe
"C:\Users\Admin\AppData\Local\Temp\18e7fc4950ff9f771be58548e06dedaf.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\WScript.exe
  WScript.exe C:\Users\Admin\AppData\Local\Temp\Temp\O1g8x0hNmuP8rEYuJjIAq1g8x0hNmuP8rEYuJjIAq\310714_is.jse
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdB849.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB849.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB849.tmp\nsWeb.dll

Filesize
8KB

MD5
84bcf3c71e70d5a6e9dc07d70466bdc3

SHA1
31603a1afc2d767a3392d363ff61533beaa25359

SHA256
7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf

SHA512
61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB849.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit