8565f2c55376e31de593d227142b512a9ecb57cb68420c2acdb73218b9216b02

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ca87e3f2d9a7a9477620ad485ceab81.exe
Size

1.1MB
MD5

4ca87e3f2d9a7a9477620ad485ceab81
SHA1

4472586b6132a2dbfc060613cd4d86e00ba44feb
SHA256

8565f2c55376e31de593d227142b512a9ecb57cb68420c2acdb73218b9216b02
SHA512

b703e57307052b7b02ee4b1351e3e26d81ab1970d3c3d980aaccf0b3e5328ddabd6114464d46cc3f9a0088f566faa9739ce8a31161be3ff82e856dafff36cf6a
SSDEEP

24576:wFqgqRTJwr3rVrthcIF4gN8BoYU/qPYWSACly:A/vzhcI96tPYWcU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1540	DomaIQ10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1540	DomaIQ10.exe
1540	DomaIQ10.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1540	1716	4ca87e3f2d9a7a9477620ad485ceab81.exe	58
PID 1716 wrote to memory of 1540	1716	4ca87e3f2d9a7a9477620ad485ceab81.exe	58

C:\Users\Admin\AppData\Local\Temp\4ca87e3f2d9a7a9477620ad485ceab81.exe
"C:\Users\Admin\AppData\Local\Temp\4ca87e3f2d9a7a9477620ad485ceab81.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\DIQ\openoffice_027\DomaIQ10.exe
  C:\Users\Admin\AppData\Local\Temp\DIQ\openoffice_027\DomaIQ10.exe /path="C:\Users\Admin\AppData\Local\Temp\4ca87e3f2d9a7a9477620ad485ceab81.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DIQ\openoffice_027\DomaIQ10.exe

Filesize
92KB

MD5
251212afbcb2a200759ab792209db922

SHA1
9a9548fd2f5e7e0bd93c64b72e1e0af62c405662

SHA256
001c366c93730fa2e18828726d98f7833a2854e6ec04af89a9e370cbed6097e4

SHA512
2e815406c07c25361411b17d115d8b3616926bf9f1cdb375e18b7b6d0ace339233604f9be4b4f1fe3a7061ef7917c63694edc1b17153fb740ee4149c3f2ef10c

Download Submit
memory/1540-15-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/1540-16-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1540-11-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/1540-14-0x000000001B8E0000-0x000000001B97C000-memory.dmp

Filesize
624KB

Download
memory/1540-13-0x000000001BC10000-0x000000001C0DE000-memory.dmp

Filesize
4.8MB

Download
memory/1540-9-0x00007FFB392B0000-0x00007FFB39C51000-memory.dmp

Filesize
9.6MB

Download
memory/1540-10-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1540-12-0x00007FFB392B0000-0x00007FFB39C51000-memory.dmp

Filesize
9.6MB

Download
memory/1540-18-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1540-17-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1540-19-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1540-20-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1540-21-0x00000000202A0000-0x0000000020302000-memory.dmp

Filesize
392KB

Download
memory/1540-26-0x00007FFB392B0000-0x00007FFB39C51000-memory.dmp

Filesize
9.6MB

Download