1228d4667a76c7d1f61911aaedc616a2751d3f307f363a0189b1c2a4f7df7ef8

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b45f2d70be1b73ccb6d1bd1f98e838.exe
Size

74KB
MD5

19b45f2d70be1b73ccb6d1bd1f98e838
SHA1

cd8836ef780a4386889faf10fac54e519c8ad14f
SHA256

1228d4667a76c7d1f61911aaedc616a2751d3f307f363a0189b1c2a4f7df7ef8
SHA512

66a8727217945dcce5f63c2f098f3f0b0485972bc8b419103bceaa572a4a1c3b8cafcd118fd652e934fa417b1ccb686781134f51203f229d39350f17d6ca6ab9
SSDEEP

1536:poLDYsacy7mHMowHjXJ85O42n+Hih77RFxg9cLLudUdUW+oEphihe:poPyys5jXJ85R2n+CJTLLBdUWeee

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 14 IoCs

pid	Process
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe
2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	19b45f2d70be1b73ccb6d1bd1f98e838.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2692	2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe	29
PID 2484 wrote to memory of 2692	2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe	29
PID 2484 wrote to memory of 2692	2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe	29
PID 2484 wrote to memory of 2692	2484	19b45f2d70be1b73ccb6d1bd1f98e838.exe	29

C:\Users\Admin\AppData\Local\Temp\19b45f2d70be1b73ccb6d1bd1f98e838.exe
"C:\Users\Admin\AppData\Local\Temp\19b45f2d70be1b73ccb6d1bd1f98e838.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\WScript.exe
  WScript.exe C:\Users\Admin\AppData\Local\Temp\Temp\O1WzUddfLueePOTfRO39jOpWhDgHb1WzUddfLueePOTfRO39jOpWhDgHb\310714_is.jse
  2⤵
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy4378.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4378.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4378.tmp\nsWeb.dll

Filesize
8KB

MD5
84bcf3c71e70d5a6e9dc07d70466bdc3

SHA1
31603a1afc2d767a3392d363ff61533beaa25359

SHA256
7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf

SHA512
61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4378.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit