f5890175360c916fac3735fb0229ec7e2439035d7474c152a1d1bdb411c15d43

Analysis

max time kernel
222s
max time network
161s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00816e23f9a2904be9d0202990578153.exe
Size

3.2MB
MD5

00816e23f9a2904be9d0202990578153
SHA1

0828e9f1217cee30fbed784d84f6dc224880dd4f
SHA256

f5890175360c916fac3735fb0229ec7e2439035d7474c152a1d1bdb411c15d43
SHA512

ae8cf10912c441ad6aec045d686a754a743a46e83a1af52e4fe4abe154b1fa77b25b5ec1e4a0f1edec4be2124170ba3ff243a0aca6f982b21a738fd3707ec3de
SSDEEP

98304:5Nh8FgcwPc7S87F+tss8cD/Hiu6DUM+cfVcx883PC:KFgcwt878tN57xiURcfVY88PC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1472	is-DC232.tmp

Loads dropped DLL 3 IoCs

pid	Process
664	00816e23f9a2904be9d0202990578153.exe
1472	is-DC232.tmp
1472	is-DC232.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1472	is-DC232.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 1472	664	00816e23f9a2904be9d0202990578153.exe	27
PID 664 wrote to memory of 1472	664	00816e23f9a2904be9d0202990578153.exe	27
PID 664 wrote to memory of 1472	664	00816e23f9a2904be9d0202990578153.exe	27
PID 664 wrote to memory of 1472	664	00816e23f9a2904be9d0202990578153.exe	27
PID 664 wrote to memory of 1472	664	00816e23f9a2904be9d0202990578153.exe	27
PID 664 wrote to memory of 1472	664	00816e23f9a2904be9d0202990578153.exe	27
PID 664 wrote to memory of 1472	664	00816e23f9a2904be9d0202990578153.exe	27

C:\Users\Admin\AppData\Local\Temp\00816e23f9a2904be9d0202990578153.exe
"C:\Users\Admin\AppData\Local\Temp\00816e23f9a2904be9d0202990578153.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:664
- C:\Users\Admin\AppData\Local\Temp\is-5H29K.tmp\is-DC232.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5H29K.tmp\is-DC232.tmp" /SL4 $50160 "C:\Users\Admin\AppData\Local\Temp\00816e23f9a2904be9d0202990578153.exe" 3087718 52736
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-5H29K.tmp\is-DC232.tmp

Filesize
659KB

MD5
845c81c806359bff78cfdb00c9d96e34

SHA1
0c7c77ba989c8b391c557eb0e482e553dc21ae86

SHA256
6f2df2220fd8e3af982d99e017a7b2412d62319c8d257bfcd0947d40a0696030

SHA512
8c8ae35999a78f684853cd23921da0ed38ffbd4290051ebfcf070a57911e40d2fd38ecd457d4fc84c775430a6963bba6c98a7087186017e13e23bb1e3db89a7d

Download Submit
\Users\Admin\AppData\Local\Temp\is-PNSIE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/664-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/664-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/664-6-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1472-10-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1472-12-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1472-21-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1472-24-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download