3f8ce47bb23364206689b3e6efd225f285b8ad285345d489a04120da971bec91

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354896c6546c517a45b367f4f6da6770.exe
Size

142KB
MD5

354896c6546c517a45b367f4f6da6770
SHA1

9b44155b4a0030a91b714112021221a235dfc18e
SHA256

3f8ce47bb23364206689b3e6efd225f285b8ad285345d489a04120da971bec91
SHA512

e4745f0202bdafe5f170ee3022a16cb9d5100c462daa948b5062bcca881032c0d1bb3c5e415c775583847f56bc341a63f7d70be00867a17da206482ae3917982
SSDEEP

3072:qnOn7t7XpdpCCTg/sxFgJ6eqgKJ+BCNC55t2O62ULvMlfMVgdr:qKpdcCrTdgKsnIOfUzMdr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2068	downloadmr.exe

Loads dropped DLL 4 IoCs

pid	Process
2964	354896c6546c517a45b367f4f6da6770.exe
2964	354896c6546c517a45b367f4f6da6770.exe
2964	354896c6546c517a45b367f4f6da6770.exe
2964	354896c6546c517a45b367f4f6da6770.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	downloadmr.exe
2068	downloadmr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2068	2964	354896c6546c517a45b367f4f6da6770.exe	28
PID 2964 wrote to memory of 2068	2964	354896c6546c517a45b367f4f6da6770.exe	28
PID 2964 wrote to memory of 2068	2964	354896c6546c517a45b367f4f6da6770.exe	28
PID 2964 wrote to memory of 2068	2964	354896c6546c517a45b367f4f6da6770.exe	28

C:\Users\Admin\AppData\Local\Temp\354896c6546c517a45b367f4f6da6770.exe
"C:\Users\Admin\AppData\Local\Temp\354896c6546c517a45b367f4f6da6770.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\nsy19BA.tmp\downloadmr.exe
  C:\Users\Admin\AppData\Local\Temp\nsy19BA.tmp\downloadmr.exe /u4eb938a8-a5fc-4ba8-948b-2dad5bc06f2f /e2094898
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy19BA.tmp\downloadmr.exe

Filesize
92KB

MD5
5188b8a7670c194462b47e8761b95e64

SHA1
55ff1535930d710fbfdae9032c905c0745390458

SHA256
6d4f80472de88648a803108beeaae770af072e5cfcdbf601db388732bfadd8f2

SHA512
9e0255c3df96b9f320a2da7234ee3601182a425e72ddcee343b3ce21f2639b7363d5ddca2d9e7e1f2e9332273640ec74158a25915cd8cd8b39f98a036e4a37ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy19BA.tmp\downloadmr.exe

Filesize
93KB

MD5
e15f3eb88d4a7e446c03bd97e72f18ce

SHA1
35fd11df8e7403819897a8268c1d1b0cfa87f274

SHA256
6d4b7f2baf46df179a5b65f6579d787ba9f9fcffda0280f079bf9549c505f8c1

SHA512
e22c2b08a1dcabd433a2a544ebb9c91bf990a0f852b1ba2391ef2a04c062a264fcc1c18252e996dcb8fb79588caf27f307755a4502911c8d11f850427f268f86

Download Submit
\Users\Admin\AppData\Local\Temp\nsy19BA.tmp\System.dll

Filesize
21KB

MD5
5ebc73650256e9c8ddbcda231db829a1

SHA1
988d4535e18754ab2a6248abae96c5697d7dbcd5

SHA256
1eaa543842df7795404184e8892a1654b0773dbc9bd8b54c7fdb9e68f4355493

SHA512
b21266e76fc7263af982a1336a766e47ccf348ed56b305dbb09f03574c9b2a7309f12200e80d86f9a251381be6e87a41206447f11c51899cb31fba10da1d5270

Download Submit
\Users\Admin\AppData\Local\Temp\nsy19BA.tmp\downloadmr.exe

Filesize
109KB

MD5
a026ab1efe6767e9bf74692eb59eb499

SHA1
5956cbaa8561da8def3f185faad547e900eb8567

SHA256
4ee62fcb004a23658808251c7c655562b23c324c451ade37f2b8e572a5dcf42b

SHA512
7aed4a2e39963a483142bccc873bfc0e37cc1ce966d14540d846f17e5d3794ae9c1e3a3e2de6620e684d6a812eca073d9754830281a0cd64672463c355d74273

Download Submit
memory/2068-20-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2068-18-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2068-19-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2068-21-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2068-22-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2068-24-0x00000000066E0000-0x00000000067E0000-memory.dmp

Filesize
1024KB

Download
memory/2068-23-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2068-25-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2964-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download