2f85e12896f20deaf663c4b5db3ccb97bc373a17e3b1bb5ab2350fbfe27010bc

Analysis

max time kernel
147s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54d75605c5784e818d572ca498c2a454.exe
Size

552KB
MD5

54d75605c5784e818d572ca498c2a454
SHA1

6f63a27aab3388a30eeee48453d9043661ebabe1
SHA256

2f85e12896f20deaf663c4b5db3ccb97bc373a17e3b1bb5ab2350fbfe27010bc
SHA512

dfc0b1af1014783bf8a197cc1b3ef1b7879a2cbcf70cc352e2a3401572f930d8403d1d6c51f89f92ee3b05e23516a585b284fc6f804e64e70af679c8167558aa
SSDEEP

12288:cvRiKlG0WPk/5hJFKZ9P1REWdxyBWYqxoV9Y7f5M5wFXTbr+l6k/xD:vKI+NFKZ9rEWdxyBexo7uFj6T/t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2928	is-QDIVK.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2928	4032	54d75605c5784e818d572ca498c2a454.exe	24
PID 4032 wrote to memory of 2928	4032	54d75605c5784e818d572ca498c2a454.exe	24
PID 4032 wrote to memory of 2928	4032	54d75605c5784e818d572ca498c2a454.exe	24

C:\Users\Admin\AppData\Local\Temp\54d75605c5784e818d572ca498c2a454.exe
"C:\Users\Admin\AppData\Local\Temp\54d75605c5784e818d572ca498c2a454.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\is-HGQ79.tmp\is-QDIVK.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HGQ79.tmp\is-QDIVK.tmp" /SL4 $30238 C:\Users\Admin\AppData\Local\Temp\54d75605c5784e818d572ca498c2a454.exe 353833 50688
  2⤵
  - Executes dropped EXE
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HGQ79.tmp\is-QDIVK.tmp

Filesize
575KB

MD5
f6486d55e4e322ab482ba81b3a40e0e9

SHA1
56e8492941956a91eeef77e966c9dafe024d75e5

SHA256
70a1954f0ebcf350acb7ecdce16bcddf3d3ade2b64d896bfb30195211435c3fb

SHA512
da78968044f1e15824a71483ebcbc49458ada917b6fa54aefeb4163023c85e0bc22d464a115c2cc8c3bf6adbb81dcdb6a8dd2b9d30782d684b90fc22536c6092

Download Submit
memory/2928-7-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2928-11-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2928-14-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4032-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4032-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download