18b31acd9d765b7f19207ab23fa296703768e31d32d7f1ae237e1c9310c7c65a

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SLT_WinLockPro432_fivebb.exe
Size

1.8MB
MD5

319188abf02fc8deb24d14fe41fe2638
SHA1

15382298ce3941c0c2e353a6b0c0c6191000ba5b
SHA256

80f2ff78715c12c54b0afdb0ece6eb937966d3ce2b0b04657074ab2aa0d32e19
SHA512

a2bb308a779cf0d448254058a5a77863327087fe89765e7640fe3179f41f966e715148bc79434a56dbb3bf516861966cac1393f0f311fc67fee1ea6dd32bcadc
SSDEEP

49152:B6dOtRjhJs3ZnRLXnu9kDPj4xFuhBCTwCH2OFg5md794zD:kdOPjwHju92Pj4xFn2wqmRC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3752	is-LBLMU.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3752	5040	SLT_WinLockPro432_fivebb.exe	23
PID 5040 wrote to memory of 3752	5040	SLT_WinLockPro432_fivebb.exe	23
PID 5040 wrote to memory of 3752	5040	SLT_WinLockPro432_fivebb.exe	23

C:\Users\Admin\AppData\Local\Temp\SLT_WinLockPro432_fivebb.exe
"C:\Users\Admin\AppData\Local\Temp\SLT_WinLockPro432_fivebb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\is-OP6OB.tmp\is-LBLMU.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OP6OB.tmp\is-LBLMU.tmp" /SL4 $A0040 "C:\Users\Admin\AppData\Local\Temp\SLT_WinLockPro432_fivebb.exe" 1661819 72704
  2⤵
  - Executes dropped EXE
  PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-OP6OB.tmp\is-LBLMU.tmp

Filesize
153KB

MD5
c58b0552935ffdbc9fa68f31f1f7bdf5

SHA1
a402e41c98185826e221e4ac3ef55f78837e436c

SHA256
c05d118ac2ba1f1e2daca0cbaf0d1e4852363fdfaf7307371f22d4ae1d396148

SHA512
6814a5c59ade1bf763a41bd08e3eda1b3fe7518c8fcd9a61475515bdec48aa4ec65ae241f935081685339a7fd0e74c33db170abba74681d4b585fc3636602916

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OP6OB.tmp\is-LBLMU.tmp

Filesize
27KB

MD5
1128bc1808ffbf0314dccfce3df6f129

SHA1
6e8b5128e0224e10d576726bdb334b0ae360fd3b

SHA256
cbe06f16dd3c570a2ff6dd284ab317e19cb68191bf39e1435b6cd90a19329276

SHA512
39921bbdfceb4ba50e14b97c89103ec4b53bfe6c62028ecc9714e219fc4c0e09b438805ffd4776c4436d68a5fd60b7f4271e85db1cb6ff197f6a66ed421fea81

Download Submit
memory/3752-9-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3752-13-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3752-16-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/5040-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download