44b9846367fa27cc84e4663613ed06cf00d2c9317f5a7378bd42cf9f42f80e80

Analysis

max time kernel
6s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

090590f8b38930bb44147a32a15167c4.exe
Size

142KB
MD5

090590f8b38930bb44147a32a15167c4
SHA1

e0c50ec4123c1f397fe72161381f471d0935dc87
SHA256

44b9846367fa27cc84e4663613ed06cf00d2c9317f5a7378bd42cf9f42f80e80
SHA512

7392e9fe91151dd0c9b1ce8b873989e92ec249757c455cc8afa1ff47c6b663a29db3cad17cacf94801de7f44621a23c51767880d080c325bc728413a8dfaeb00
SSDEEP

3072:CnOn7t7XpdpCCTg/sxFgJ6eqgKJ+BCNCG0YIGdGmHCdkAgeHX:CKpdcCrTdgKMG0Y4midkOX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2184	downloadmr.exe

Loads dropped DLL 4 IoCs

pid	Process
1232	090590f8b38930bb44147a32a15167c4.exe
1232	090590f8b38930bb44147a32a15167c4.exe
1232	090590f8b38930bb44147a32a15167c4.exe
1232	090590f8b38930bb44147a32a15167c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2184	downloadmr.exe
2184	downloadmr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2184	1232	090590f8b38930bb44147a32a15167c4.exe	18
PID 1232 wrote to memory of 2184	1232	090590f8b38930bb44147a32a15167c4.exe	18
PID 1232 wrote to memory of 2184	1232	090590f8b38930bb44147a32a15167c4.exe	18
PID 1232 wrote to memory of 2184	1232	090590f8b38930bb44147a32a15167c4.exe	18

C:\Users\Admin\AppData\Local\Temp\090590f8b38930bb44147a32a15167c4.exe
"C:\Users\Admin\AppData\Local\Temp\090590f8b38930bb44147a32a15167c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\nsj9511.tmp\downloadmr.exe
  C:\Users\Admin\AppData\Local\Temp\nsj9511.tmp\downloadmr.exe /u4dc9054e-38b0-4614-bdd5-20605bc06f26 /e111725
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj9511.tmp\downloadmr.exe

Filesize
22KB

MD5
519df72016016058e7e780180be2a28e

SHA1
4a8fcd37e8b95f20c519593c2f5b9f763172c77c

SHA256
a9e4fd216c1e8c055fb1f13b12dec808d29b6e22c8c00056c5e068aa0a79b5b1

SHA512
decfcb5047364e778ccd45680886ff70b3088a839d0f98167a5e6d68e66c39e73799a268471af13d931f84e26475dd5f747801d21916f26befc146bb54fb6de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9511.tmp\downloadmr.exe

Filesize
122KB

MD5
da254a8488b60244654e1cf4d6796cf8

SHA1
23d06f4589786652a3a226b5012a5520a3d03452

SHA256
6d3b82a7ad74a1e88ae4d0f9176082130f1558fb3ff42a8b45ca8b80445efc2d

SHA512
d311f90ad65441f6c7ae55220c2c3f117aa7601d083e6847e1b58b96c3c332d68a25d445310818396dc88678fb9ec5356f35a04a392c3d23746a2231e14b0a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9511.tmp\downloadmr.exe

Filesize
64KB

MD5
deb518f5abef9a42d2f721bc17856a30

SHA1
80acf4927acadd08eb801b2ecaeaa50987ba3a61

SHA256
23d632204e7963f5d687954fbc775718b55c2f1767d9ef4bbda3883ed443b03f

SHA512
0fdb7b28326969a17b618960de1db4788717e4a29b3e0fb935cd6cb56aaf15371b40ffe32c54977983d540ec151be91174f4ae2e32927396db858889aa147bf8

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9511.tmp\System.dll

Filesize
21KB

MD5
5ebc73650256e9c8ddbcda231db829a1

SHA1
988d4535e18754ab2a6248abae96c5697d7dbcd5

SHA256
1eaa543842df7795404184e8892a1654b0773dbc9bd8b54c7fdb9e68f4355493

SHA512
b21266e76fc7263af982a1336a766e47ccf348ed56b305dbb09f03574c9b2a7309f12200e80d86f9a251381be6e87a41206447f11c51899cb31fba10da1d5270

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9511.tmp\downloadmr.exe

Filesize
76KB

MD5
8e4e129b4c75b223a8fbc2b9ba9ad518

SHA1
7449bd12f122b56ff3071650f96627c800ed0b71

SHA256
d1bdeffc3b444c54ebeda8aec43631851405327258a1ce7e1e4151c63c8aa7f6

SHA512
562c6ea077620f613c47d3a6b43ae7e57f9d34cda93a61a96f0cb8d0cf38a1e76aa4a13700007f70138bb031ad3348d702c0953cf4c7f1c4ef5dfaa6c3f1866d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9511.tmp\downloadmr.exe

Filesize
95KB

MD5
81b8aa6eb9097fc8591d3a3a8ea19bae

SHA1
93f45ee4c719e4b9ebe70b4ea07e22092a44479f

SHA256
eb2a7932456bc5f2dda3d9372e2cd05e3b2d2fcdb567631025fe9474ab57798d

SHA512
9cd914c7cf9b103a112848094e5b36e5503ff3370052e40510a28ca09070d44bcbe33b72c333ef7e7b5c995cb7df6b78ab48cd236df91e2512867110ab490aff

Download Submit
memory/1232-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2184-18-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-19-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-22-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2184-21-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2184-23-0x00000000056F0000-0x00000000057F0000-memory.dmp

Filesize
1024KB

Download
memory/2184-24-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-20-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download