6b22b4cec6cfda9510dbbf9bb61cc9fd06721cfe6513720a207796437d89037b

Analysis

max time kernel
177s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a4674ca50d6dd0cfacb22f5a6e85d27.exe
Size

175KB
MD5

5a4674ca50d6dd0cfacb22f5a6e85d27
SHA1

3fafde8407b173438dc2ba0922d84a3e091a74ca
SHA256

6b22b4cec6cfda9510dbbf9bb61cc9fd06721cfe6513720a207796437d89037b
SHA512

98f5cb59048dc66a0036c71f9cb43ebf19ac8c0740c768f6d887814eec7c3a3abee6f6b0d72e27f694930d3e4e87d784dc6668fdc3252957dbaef96b108c459c
SSDEEP

3072:xd9xR3G2BZMbBLBaYw0coLujNHAmFGt7V3fblxD0cAj8oHLE9LMoe:xd93ZBZMbqYgomHAm0VDPoQ9Lu

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr32.exe	inf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr32.exe	inf.exe

Executes dropped EXE 2 IoCs

pid	Process
2856	inf.exe
2908	smgr32.exe

Loads dropped DLL 12 IoCs

pid	Process
2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe
2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe
2856	inf.exe
2856	inf.exe
2856	inf.exe
2856	inf.exe
2856	inf.exe
2856	inf.exe
2908	smgr32.exe
2908	smgr32.exe
2908	smgr32.exe
2908	smgr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zlib4.dll	inf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2856	2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe	27
PID 2220 wrote to memory of 2856	2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe	27
PID 2220 wrote to memory of 2856	2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe	27
PID 2220 wrote to memory of 2856	2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe	27
PID 2220 wrote to memory of 2856	2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe	27
PID 2220 wrote to memory of 2856	2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe	27
PID 2220 wrote to memory of 2856	2220	5a4674ca50d6dd0cfacb22f5a6e85d27.exe	27
PID 2856 wrote to memory of 2908	2856	inf.exe	28
PID 2856 wrote to memory of 2908	2856	inf.exe	28
PID 2856 wrote to memory of 2908	2856	inf.exe	28
PID 2856 wrote to memory of 2908	2856	inf.exe	28
PID 2856 wrote to memory of 2908	2856	inf.exe	28
PID 2856 wrote to memory of 2908	2856	inf.exe	28
PID 2856 wrote to memory of 2908	2856	inf.exe	28

C:\Users\Admin\AppData\Local\Temp\5a4674ca50d6dd0cfacb22f5a6e85d27.exe
"C:\Users\Admin\AppData\Local\Temp\5a4674ca50d6dd0cfacb22f5a6e85d27.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe
  "C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe

Filesize
13KB

MD5
f6c289eb7cdf8ff074724a19e8f94fee

SHA1
460dd321fd072a82a04e75064025ad1f54c8ede5

SHA256
348f26271279b12437c961d72f48485e0413f6e3a352c26076bc42948d0c0950

SHA512
a3c5f1a9d3078a204111ba493947e54464232c16e5b6d2d2842c4928b1f2bf975b5de4fa707f4ee793ad5c74a7de76fcc211990e4111317170734058850feb47

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS\zlib4.dll

Filesize
151KB

MD5
c1f677b95e7570e90349659b7055cadd

SHA1
b5b0e90b9d78c4ef46d72d23ed38a2df3bdab42e

SHA256
ffd690724d11bd5f4cb2703d9b4198cdf1aa3c29a9de345bef4069a8a64814db

SHA512
7690431c1fce8512e531f8d414b1bfd5f4c4d4cf82ecd83ce46432ea04f97e578e3987995552455318ca7d4bebc4231639289abe9aba733fe51b9735ef6af65c

Download Submit
memory/2220-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-15-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2856-37-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2856-36-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2908-30-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2908-39-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2908-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2908-45-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2908-51-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2908-59-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download