053ed941193c2703ab1378133535b807883bc4cbf308a6f8ac0bc8cbcb81c4c1

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 20:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f72b1a55b2cd83c26e0cc9ccdf81a523.exe
Size

1.0MB
MD5

f72b1a55b2cd83c26e0cc9ccdf81a523
SHA1

243aa5ac8b08161c1224434950ae80487c342807
SHA256

053ed941193c2703ab1378133535b807883bc4cbf308a6f8ac0bc8cbcb81c4c1
SHA512

dfa2d8369618feb173a36e415cf4d840dc9cbdfbbefc0a3dc734d08cfa7e0c868b46e51e645fe7af312a927f87643102423ea85dd05a554fa14b35d0558dee55
SSDEEP

24576:wxGaza9+U5BrhXWmg7/XLYgPcXgAqoHX/GaB8:Vaa9+U9Wma/bTcXgAxPGaW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2132	f72b1a55b2cd83c26e0cc9ccdf81a523.tmp

Loads dropped DLL 4 IoCs

pid	Process
1304	f72b1a55b2cd83c26e0cc9ccdf81a523.exe
2132	f72b1a55b2cd83c26e0cc9ccdf81a523.tmp
2132	f72b1a55b2cd83c26e0cc9ccdf81a523.tmp
2132	f72b1a55b2cd83c26e0cc9ccdf81a523.tmp

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2132	f72b1a55b2cd83c26e0cc9ccdf81a523.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2132	f72b1a55b2cd83c26e0cc9ccdf81a523.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2132	1304	f72b1a55b2cd83c26e0cc9ccdf81a523.exe	28
PID 1304 wrote to memory of 2132	1304	f72b1a55b2cd83c26e0cc9ccdf81a523.exe	28
PID 1304 wrote to memory of 2132	1304	f72b1a55b2cd83c26e0cc9ccdf81a523.exe	28
PID 1304 wrote to memory of 2132	1304	f72b1a55b2cd83c26e0cc9ccdf81a523.exe	28
PID 1304 wrote to memory of 2132	1304	f72b1a55b2cd83c26e0cc9ccdf81a523.exe	28
PID 1304 wrote to memory of 2132	1304	f72b1a55b2cd83c26e0cc9ccdf81a523.exe	28
PID 1304 wrote to memory of 2132	1304	f72b1a55b2cd83c26e0cc9ccdf81a523.exe	28

C:\Users\Admin\AppData\Local\Temp\f72b1a55b2cd83c26e0cc9ccdf81a523.exe
"C:\Users\Admin\AppData\Local\Temp\f72b1a55b2cd83c26e0cc9ccdf81a523.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\is-SJNAI.tmp\f72b1a55b2cd83c26e0cc9ccdf81a523.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SJNAI.tmp\f72b1a55b2cd83c26e0cc9ccdf81a523.tmp" /SL5="$40016,541192,313856,C:\Users\Admin\AppData\Local\Temp\f72b1a55b2cd83c26e0cc9ccdf81a523.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-SJNAI.tmp\f72b1a55b2cd83c26e0cc9ccdf81a523.tmp

Filesize
342KB

MD5
25ba80bce454eca46069cd1b7597c7d3

SHA1
46e318db3bb6dedddf370eafc62031cac31a7806

SHA256
03713c4b5e65bb62fd0091e7fea19265dc2ec3095bfa9f5ff582b5f06d35e6c5

SHA512
5f1ba7ef469f2aba4ac171b04f3d5ff0154cae81bf0ba3ba50b799200a27ba0b75ca66534f1d3533ef91c7e6f9b80584e2582f46081340ec47f4dd694df22360

Download Submit
\Users\Admin\AppData\Local\Temp\is-PO12T.tmp\InstallerExtensions.dll

Filesize
111KB

MD5
c3ae0b38b553d66fc155c72f31d9b75d

SHA1
13dac24704d606568008cda0ac9fb3e3954b3d60

SHA256
b71bdc3516244f622d5ab31c14a47f8f270ab9ef509321f140487e973368814e

SHA512
29b8258d979607a039513e81c27fe5ce4b9f97498212f4d14879640b2a1145664d1ee642dba346316b1de175f3f0f1e050792b23676b13bebfb956f2dc52b2c4

Download Submit
\Users\Admin\AppData\Local\Temp\is-PO12T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SJNAI.tmp\f72b1a55b2cd83c26e0cc9ccdf81a523.tmp

Filesize
260KB

MD5
f116aacc568c161437e56a0cd34b50bf

SHA1
2fe43a4ada7778f77e0ae1e37c7d7b8bc64d501d

SHA256
00a55bf42a4c214023d46097a80831538d76cd8defd74ae900ef75a1e3a54201

SHA512
4e7f784bab054feed6c6bc255d300312e32c1ba39c333f341aa2bae9dadf6b720c51b8b68b1766e5f19cebcb90d7505c964cc01d958d4a11dfb922e76d1299cd

Download Submit
memory/1304-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1304-2-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1304-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2132-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2132-32-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2132-35-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download