2222eebc4dc2a0996e63e22211a79ea21c10d0cd0a8a83c503493093953601dd

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

638e3474f5f1702ee00f2197554e5942.exe
Size

179KB
MD5

638e3474f5f1702ee00f2197554e5942
SHA1

61413ec9a5dfb74869d6463acc7f08272f16ef92
SHA256

2222eebc4dc2a0996e63e22211a79ea21c10d0cd0a8a83c503493093953601dd
SHA512

49de2ab1343a391dcfbbb4b085b7e4dcac2984f8d69d00d55129711e0d32b2326bd51031b35b441a4158c61a95facab5672957fc77f33a03e9195f5dedcdb906
SSDEEP

3072:CnOn7t7XpdpCCTg/sxFgJ2CL1zoIc25sWu6Tai5Qjn9D8ZCD0cPojek5AVQaH:CKpdcCrTCxo78sWyLn9hhPoSeAVJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	narf.exe

Loads dropped DLL 2 IoCs

pid	Process
2620	638e3474f5f1702ee00f2197554e5942.exe
2620	638e3474f5f1702ee00f2197554e5942.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	narf.exe
2688	narf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2688	2620	638e3474f5f1702ee00f2197554e5942.exe	28
PID 2620 wrote to memory of 2688	2620	638e3474f5f1702ee00f2197554e5942.exe	28
PID 2620 wrote to memory of 2688	2620	638e3474f5f1702ee00f2197554e5942.exe	28
PID 2620 wrote to memory of 2688	2620	638e3474f5f1702ee00f2197554e5942.exe	28

C:\Users\Admin\AppData\Local\Temp\638e3474f5f1702ee00f2197554e5942.exe
"C:\Users\Admin\AppData\Local\Temp\638e3474f5f1702ee00f2197554e5942.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\nso7AFC.tmp\narf.exe
  C:\Users\Admin\AppData\Local\Temp\nso7AFC.tmp\narf.exe /dT201303241130 /u4fd99101-fa18-4898-bfd9-098a5bc06f2f /e5806839
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso7AFC.tmp\VPatch.dll

Filesize
10KB

MD5
20ee82203544c4f831a7dc1650e7ec51

SHA1
671affb8e32f06777483782197173af254e02548

SHA256
69a00c14562ea5a71f6196b307292fa6d8b1a2fc02368020f40c84b3b0a1a83a

SHA512
4dabcc0cfebb36cfe57fa05777224f45c04c84031cfecf4184bd95d2b148ce18a6c91655320e69c1709e740a261e1e25effc8395fed91d0fc61b18f9a9f7685f

Download Submit
\Users\Admin\AppData\Local\Temp\nso7AFC.tmp\narf.exe

Filesize
257KB

MD5
d8bc7d4e8e9e41ab014f94a73425ae00

SHA1
0693d36a387291f14add52f329f69c363588bd80

SHA256
009618da4d2c777214a453dfec97c8f23ad9245e92d05ba25a899d1eaf6d3af9

SHA512
2751070f777a0949388df5e4aa232af520fb43936d1c188cc5cfb6c56a0d0073ace9c8d568d0586badc888493c6a1c5c452c244398a2e6bf3b8e3dc0836e76c6

Download Submit
memory/2620-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-15-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-16-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-17-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2688-18-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2688-19-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2688-20-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2688-21-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download