d191a60e58e89e199351111fdbd89feec63c030b753405afe4d3109b10289ea0

Analysis

max time kernel
42s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21b6d50760d0038b91bd4293525161a6.exe
Size

1.5MB
MD5

21b6d50760d0038b91bd4293525161a6
SHA1

f93e9f7ff36f81218d8923fd28452a0be48e65df
SHA256

d191a60e58e89e199351111fdbd89feec63c030b753405afe4d3109b10289ea0
SHA512

3e838f95240d6ec5a5a3dfbe91052d7411e73735ed27bd32677eec56a7c1ae208c96f09a331d7b2cec57d6c526fa5539e6149a7c2cae43ee631c01503ea14f16
SSDEEP

24576:4CRVwKCANSrOK44zrvaUNka0hT34hq6f7O0dAwMSaQZlo9P1G8SW+evxtg6y:hSOxwrCvT34Xf7/Nlo91G8SpWtgR

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2052	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1136	2432	WerFault.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2052	2196	21b6d50760d0038b91bd4293525161a6.exe	18
PID 2196 wrote to memory of 2052	2196	21b6d50760d0038b91bd4293525161a6.exe	18
PID 2196 wrote to memory of 2052	2196	21b6d50760d0038b91bd4293525161a6.exe	18
PID 2196 wrote to memory of 2052	2196	21b6d50760d0038b91bd4293525161a6.exe	18
PID 2196 wrote to memory of 2052	2196	21b6d50760d0038b91bd4293525161a6.exe	18
PID 2196 wrote to memory of 2052	2196	21b6d50760d0038b91bd4293525161a6.exe	18
PID 2196 wrote to memory of 2052	2196	21b6d50760d0038b91bd4293525161a6.exe	18

C:\Users\Admin\AppData\Local\Temp\21b6d50760d0038b91bd4293525161a6.exe
"C:\Users\Admin\AppData\Local\Temp\21b6d50760d0038b91bd4293525161a6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" .\N_ifi.DRz -u -s
  2⤵
  - Loads dropped DLL
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\f77624c.exe
    "C:\Users\Admin\AppData\Local\Temp\f77624c.exe"
    3⤵
    PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 596
1⤵
- Program crash
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\N_ifi.DRz

Filesize
92KB

MD5
a8b12f1eec6c62475f35c92faf24616e

SHA1
f274f28ce0895087c0348f76991452b22aca78e3

SHA256
2d56fd8589a94833611e6918ffbfeaccf66bee909e2a6d6397150e01a0b461a9

SHA512
4c5d54da1fa5ca6182c67b2bb30f3e13ca293c4d26f54a493f8c27a24ebf7412682ed2185481a46a7aefe5d03f487a53b44a95ea29fd8e68fdbb0f2b5c3151a9

Download Submit
memory/2052-16-0x00000000036A0000-0x0000000004E06000-memory.dmp

Filesize
23.4MB

Download
memory/2052-17-0x0000000004E10000-0x0000000004EA3000-memory.dmp

Filesize
588KB

Download
memory/2052-5-0x00000000033A0000-0x0000000003488000-memory.dmp

Filesize
928KB

Download
memory/2052-7-0x0000000003550000-0x00000000035FD000-memory.dmp

Filesize
692KB

Download
memory/2052-11-0x0000000003600000-0x000000000369A000-memory.dmp

Filesize
616KB

Download
memory/2052-8-0x0000000003600000-0x000000000369A000-memory.dmp

Filesize
616KB

Download
memory/2052-12-0x0000000002280000-0x00000000024A6000-memory.dmp

Filesize
2.1MB

Download
memory/2052-15-0x0000000003600000-0x000000000369A000-memory.dmp

Filesize
616KB

Download
memory/2052-4-0x0000000002280000-0x00000000024A6000-memory.dmp

Filesize
2.1MB

Download
memory/2052-6-0x0000000003490000-0x0000000003543000-memory.dmp

Filesize
716KB

Download
memory/2052-21-0x0000000004EB0000-0x0000000004F3D000-memory.dmp

Filesize
564KB

Download
memory/2052-18-0x0000000004EB0000-0x0000000004F3D000-memory.dmp

Filesize
564KB

Download
memory/2052-23-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/2052-22-0x0000000000050000-0x0000000000054000-memory.dmp

Filesize
16KB

Download
memory/2052-24-0x0000000003490000-0x0000000003543000-memory.dmp

Filesize
716KB

Download
memory/2432-47-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/2432-48-0x0000000071C90000-0x000000007237E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-54-0x0000000071C90000-0x000000007237E000-memory.dmp

Filesize
6.9MB

Download