15e7bbb40e232b0ef7dfddd396dc76fbca3392b3f8425b29bb9e4f2e71d80399

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34692030cc60c66ddbf0fc07453cf957.exe
Size

2.2MB
MD5

34692030cc60c66ddbf0fc07453cf957
SHA1

42da08eb98d389567576658570f158ba91e72b6e
SHA256

15e7bbb40e232b0ef7dfddd396dc76fbca3392b3f8425b29bb9e4f2e71d80399
SHA512

64bbacc2da2c316f75b6aa35ca7b69b40c66e3a697cd1aea676bb48e913e67a9187057beb9a1aeca3520fd79aa94558b919d890face145995cc405a442eb7a0c
SSDEEP

49152:mVZGK3uCyrppFvdHBteJIigkLdqZK7j6eKebA5rOYiZnj:ZKVyrpndHBwJIig27jXKebSivZnj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4088	34692030cc60c66ddbf0fc07453cf957.tmp

Loads dropped DLL 2 IoCs

pid	Process
4088	34692030cc60c66ddbf0fc07453cf957.tmp
4088	34692030cc60c66ddbf0fc07453cf957.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4088	34692030cc60c66ddbf0fc07453cf957.tmp
4088	34692030cc60c66ddbf0fc07453cf957.tmp
4088	34692030cc60c66ddbf0fc07453cf957.tmp
4088	34692030cc60c66ddbf0fc07453cf957.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4088	1552	34692030cc60c66ddbf0fc07453cf957.exe	90
PID 1552 wrote to memory of 4088	1552	34692030cc60c66ddbf0fc07453cf957.exe	90
PID 1552 wrote to memory of 4088	1552	34692030cc60c66ddbf0fc07453cf957.exe	90

C:\Users\Admin\AppData\Local\Temp\34692030cc60c66ddbf0fc07453cf957.exe
"C:\Users\Admin\AppData\Local\Temp\34692030cc60c66ddbf0fc07453cf957.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\is-0K6PJ.tmp\34692030cc60c66ddbf0fc07453cf957.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0K6PJ.tmp\34692030cc60c66ddbf0fc07453cf957.tmp" /SL5="$70184,1666468,70144,C:\Users\Admin\AppData\Local\Temp\34692030cc60c66ddbf0fc07453cf957.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0K6PJ.tmp\34692030cc60c66ddbf0fc07453cf957.tmp

Filesize
271KB

MD5
59d51c31f3ab8a786349b5213ca80574

SHA1
21c9514981bbe8e9169d456d42176ae3a2d4f6b0

SHA256
438bc6d6b4473ef3b0b23e70c64a8233ea82568148848675555d92615d4d9c80

SHA512
7e32f7b42b1ae7414b4fbe17c88909baaaed0a55adbe020491547af281f012618ca768908fb3590fffcc7000d37249a368931b9376ef79aacbbe47c771345778

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K6PJ.tmp\34692030cc60c66ddbf0fc07453cf957.tmp

Filesize
226KB

MD5
497b522bb7b425ed040c0191cfa6be0a

SHA1
13f73d3b3f6ff481557272291b4bf02defa0b846

SHA256
39fbc83702202829a950d2df3f14e07c3c9450343e2144f3cffdc75d352ddeba

SHA512
ea2ee733223089929d58a66033f25dab75ac7cf75aaaabc5d4ce7ad3a98149458a9a0ce432b1f4df6cc17506e85799d2d16a895f979e1fa9ea0e2a51a18a8f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SNJAH.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SNJAH.tmp\setupcfg.ini

Filesize
44B

MD5
d4b9c1534fbfdcf87a7eccac17f3d792

SHA1
09d80183e68472959274eb92f141b27efe60e7e3

SHA256
f7bf7ea6b6a4f994c815915a493424f2999a7c2c7a497d3c6c4133be5258f8e6

SHA512
2a1b814d38ae2b98d4960231a39c3d65323617ccbe9aada6aeb796813c16a1510f5dfec572e7520444843dcc40d0db6f000d3740ea5be51aa7b437fc2ee96b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SNJAH.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
memory/1552-112-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1552-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1552-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4088-20-0x0000000003C50000-0x0000000003C87000-memory.dmp

Filesize
220KB

Download
memory/4088-7-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4088-113-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4088-114-0x0000000003C50000-0x0000000003C87000-memory.dmp

Filesize
220KB

Download
memory/4088-118-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download