9c2fbfc56ba58bd8183c7faf232735111c58ce9bc24d27361b20b654ff2585c6

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04c5e77e4344308cc31c04544d077df7.exe
Size

1.1MB
MD5

04c5e77e4344308cc31c04544d077df7
SHA1

0242419aab4997d6352314f428fe7958d0c38bd8
SHA256

9c2fbfc56ba58bd8183c7faf232735111c58ce9bc24d27361b20b654ff2585c6
SHA512

b163fa49d6e44a700f0aea0aba02b559cd9a04551b00c9659dd8de84ee6ceed84a504cb6eb0baf2fd9d969e5a58e60b8f470768e1f792d66371fd84f775a54cb
SSDEEP

24576:wpni/qrnwYrhdJE5PImcMTkNqHOh/E+cPFuxeKlpxbIfNQVRsa3kY2+mO8m:OijuH65Pl1TM7h/4NujPbOGf13O+mOJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1876	is-J9DVO.tmp

Loads dropped DLL 3 IoCs

pid	Process
1952	04c5e77e4344308cc31c04544d077df7.exe
1876	is-J9DVO.tmp
1876	is-J9DVO.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1876	is-J9DVO.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1876	1952	04c5e77e4344308cc31c04544d077df7.exe	17
PID 1952 wrote to memory of 1876	1952	04c5e77e4344308cc31c04544d077df7.exe	17
PID 1952 wrote to memory of 1876	1952	04c5e77e4344308cc31c04544d077df7.exe	17
PID 1952 wrote to memory of 1876	1952	04c5e77e4344308cc31c04544d077df7.exe	17
PID 1952 wrote to memory of 1876	1952	04c5e77e4344308cc31c04544d077df7.exe	17
PID 1952 wrote to memory of 1876	1952	04c5e77e4344308cc31c04544d077df7.exe	17
PID 1952 wrote to memory of 1876	1952	04c5e77e4344308cc31c04544d077df7.exe	17

C:\Users\Admin\AppData\Local\Temp\04c5e77e4344308cc31c04544d077df7.exe
"C:\Users\Admin\AppData\Local\Temp\04c5e77e4344308cc31c04544d077df7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\is-HI52S.tmp\is-J9DVO.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HI52S.tmp\is-J9DVO.tmp" /SL4 $5014C "C:\Users\Admin\AppData\Local\Temp\04c5e77e4344308cc31c04544d077df7.exe" 947643 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HI52S.tmp\is-J9DVO.tmp

Filesize
94KB

MD5
7fc470ec7542c2248f79094a8a27a1af

SHA1
a262ec2f048023bd8970f093936d8715060c8aae

SHA256
0d433182a9f5d36eca2b125cf8d452dc59725e7c23d34559731ffa8fa9227546

SHA512
4251ded1e23da5e850280d0d5de6d589d3cb13ceee7991b4c24ed9b33784d7f1c0ad0767742068abfd560cb21bb0848fef23e6030736b19dd94ad1a66131adaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HI52S.tmp\is-J9DVO.tmp

Filesize
115KB

MD5
7302dd84f07c7f769ffc524b9a0cb8e0

SHA1
9f289830c7bb4a5cf0a0648a0b7c3455a03cfd24

SHA256
3b78efabf73901a76c403acb05b635383bb8eb3bfb26dabb5404b6bf424779cc

SHA512
9009ccbaa935473a20b8b810120df4ef2c1c358f603b16fcee62dd62242344cf64b642cee2d7d16a4a4670dc185dee7e2d20a8717e063de4996200a8058d98eb

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OD6L.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HI52S.tmp\is-J9DVO.tmp

Filesize
242KB

MD5
f7939e3231d40ca2c15907bf4d283cce

SHA1
2127087e027c9ffafcf561721e1629b74fa1b025

SHA256
ef7298045aff4f81b6b1f07d9fe062331a30534e9fb7eac0d82a2c11fe6475ea

SHA512
3ee43f3c2b0a26c600fb43446d9c64dac88a0350692ebb77804edf57f4e4ab7eb6023654a0a4c5e690d0eb3c88157239f5e5ec664000a8c81968e776ad957659

Download Submit
memory/1876-16-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1952-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1952-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download