2dbaf66d935c7db554a2ed7db9e405c5a0462b9106e463c042974e88a18e2882

Analysis

max time kernel
142s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hddregenerator.exe
Size

15.1MB
MD5

42b85064a5d103d082d930e968f2eee8
SHA1

b6d4f99c87cf87e35c2f5bc63ebdbb345a629114
SHA256

621eaecdc7727ba4b115c233b1d5857667925b0f3aec886362c551d597d90fad
SHA512

d167c76a0c5d3a0de2aeb81b6d19818413f1226d7d0949f8777101d3b428a4abc3b43d7751d189b498d05867ab0c3b9098ff36ff4c95b31b0cf5dccb22794e8e
SSDEEP

196608:ETsZNt15FmYyiEDGRLNgS1Szld5HgO95cmpkmVIXGu6CZDAVcqWmXufyahPyah2J:B1f2DGRyVsmpOWu6XFTXQFPF2BgByYY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2336	hddregenerator.tmp

Loads dropped DLL 4 IoCs

pid	Process
2352	hddregenerator.exe
2336	hddregenerator.tmp
2336	hddregenerator.tmp
2336	hddregenerator.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	hddregenerator.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2336	2352	hddregenerator.exe	28
PID 2352 wrote to memory of 2336	2352	hddregenerator.exe	28
PID 2352 wrote to memory of 2336	2352	hddregenerator.exe	28
PID 2352 wrote to memory of 2336	2352	hddregenerator.exe	28
PID 2352 wrote to memory of 2336	2352	hddregenerator.exe	28
PID 2352 wrote to memory of 2336	2352	hddregenerator.exe	28
PID 2352 wrote to memory of 2336	2352	hddregenerator.exe	28

C:\Users\Admin\AppData\Local\Temp\hddregenerator.exe
"C:\Users\Admin\AppData\Local\Temp\hddregenerator.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\is-7IPA4.tmp\hddregenerator.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7IPA4.tmp\hddregenerator.tmp" /SL5="$400F4,15171470,146432,C:\Users\Admin\AppData\Local\Temp\hddregenerator.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QDTFR.tmp\top_full.jpg

Filesize
3KB

MD5
18a83a36c6873cdafa1e4f0041a3e617

SHA1
85bafe8c826dbe8e8e2d044fcefdca2dadf91c57

SHA256
c5d0c4414374e0bef5d32e17181ca71e6320f242d5ccd0c7db239c49ce532863

SHA512
2b4010de50447e4b287473cc28d0d5cb37c09f2ab556c6f9fe5c878ac3b918661e65a262c0d60a8c557050485796369c78b945fa49f83cba4c7cc647a343be91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QDTFR.tmp\wizard_full_is.jpg

Filesize
14KB

MD5
fefe4dfb35373ddafb14403ad7c34cb8

SHA1
726d177717d90ced9b566675bb96fe1267233fb4

SHA256
7a217f75082afd27d9bcf432c2afb6a1bdef6bbf8f1f940c82b9794e029bfcb5

SHA512
108a173234572fc3e4a165d39c3daeffa4ecc5c6c15c7e77175d543028ec4d49c225933424803b26c55d9744c463e77497f6bb15b6fa9064645d4f03a6595f0e

Download Submit
\Users\Admin\AppData\Local\Temp\is-7IPA4.tmp\hddregenerator.tmp

Filesize
1.2MB

MD5
7726fc283928f5aaa783e9077f591b67

SHA1
de74c0a59ce80cab30df874a7502430506897ad3

SHA256
403a935a15f667dc92f58344eba28a66f2fec8d83c30fcf5908ef618c767ce18

SHA512
4dc7321590c0f56c580210513b883d46c922c8283fd4990576d0f44681c30021de99a55ad89f90b8989a8dbc883db13de3948ee231136d233c01a7b623c828a3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QDTFR.tmp\_isetup\_isdecmp.dll

Filesize
23KB

MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-QDTFR.tmp\botva2.dll

Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-QDTFR.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/2336-22-0x0000000000B50000-0x0000000000B5F000-memory.dmp

Filesize
60KB

Download
memory/2336-8-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2336-42-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2336-43-0x0000000000B50000-0x0000000000B5F000-memory.dmp

Filesize
60KB

Download
memory/2336-47-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2352-1-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2352-41-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download