75155568d64e958d8003f9fbb36839fc9a53bfab3b51a8a1106a78e5be98b2e9

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

264474ae9b9fd039ac0c113f88f7bd2d.exe
Size

5.3MB
MD5

264474ae9b9fd039ac0c113f88f7bd2d
SHA1

4a3cdbd119bb149ffd96bab9dddb768e505460b0
SHA256

75155568d64e958d8003f9fbb36839fc9a53bfab3b51a8a1106a78e5be98b2e9
SHA512

fc683588c36234405265bc4ca0e2dc868997a12f55cb8d8a1b2d88fa447998a1af78507fd8c4210c457bcfca5738dd68a3264df19c50661b63e6e0b9c803e581
SSDEEP

98304:+wTlDCSkHS5PmyHZhMFdnr7lZI4jum8h0AYbg9o7iER1LcKn/qPP:+w1CST35hMnHI4jf5zbg9scrP

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 10 IoCs

pid	Process
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2184	ping.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe
2432	264474ae9b9fd039ac0c113f88f7bd2d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2184	2432	264474ae9b9fd039ac0c113f88f7bd2d.exe	28
PID 2432 wrote to memory of 2184	2432	264474ae9b9fd039ac0c113f88f7bd2d.exe	28
PID 2432 wrote to memory of 2184	2432	264474ae9b9fd039ac0c113f88f7bd2d.exe	28
PID 2432 wrote to memory of 2184	2432	264474ae9b9fd039ac0c113f88f7bd2d.exe	28

C:\Users\Admin\AppData\Local\Temp\264474ae9b9fd039ac0c113f88f7bd2d.exe
"C:\Users\Admin\AppData\Local\Temp\264474ae9b9fd039ac0c113f88f7bd2d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\ping.exe
  ping -n 1 -w 1000 www.piriform.com
  2⤵
  - Runs ping.exe
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\ui\res\PF_logo.png

Filesize
3KB

MD5
079cca30760cca3c01863b6b96e87848

SHA1
98c2ca01f248bc61817db7e5faea4a3d8310db50

SHA256
8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa

SHA512
3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\ui\res\RC_Computer.png

Filesize
82KB

MD5
67f13e50fa75087ef8c2074a52cc8bb1

SHA1
8f31cf48fab91b9e263105289d17c146d088274b

SHA256
044ec2d36e9f573d762fc8a43eb09f7b24eb30094a4e61b5d606fd96f72d391f

SHA512
44ee943ae440d93d7ec78393749667680abbe379f9e21fb10244362c2c3f9df790170c541aa30a8487ef25952068c78e44dacd48def29aa84cee78d1c1ce63ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\ui\res\Recuva_Logo_72px.png

Filesize
9KB

MD5
6a2e01749e591a1ce8216daed41b8721

SHA1
a4aa31d936a33eb7d58e809b738184f6b2c7e1c2

SHA256
f72782600989eff0aa13ff7c63875538c9042c32b77862475c899514f61c9290

SHA512
262e6b6ed89fa30f954dc73c1bb329d9ea256fefa172e12b23610e7c1ab6dad3b698cbcdc010f8c16e90b0bdd6e96d60e8aba50b876d69f9fb1f2889ac14f0fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\g\gtapi_signed.dll

Filesize
71KB

MD5
61bc40d1fad9e0faa9a07219b90ba0e4

SHA1
5b5c3badedba915707000d2047eaf13f27b8925e

SHA256
89e157a4f61d7d18180cb7f901c0095da3b7a5cc5a9fd58d710099e5f0ee505a

SHA512
fa341aa975c471082b4b6c380f794d1e9ab3939382972cfb9e1dbb3491f68296ad1cedc8f03736921c8e133f62432997de29642e223c2a97f1cab5ce91d68af9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\nsExec.dll

Filesize
6KB

MD5
5ed60250f74fa36a5a247a715bcd026e

SHA1
ff5f3ad0b32ede49a28e744664d086f6fe9e46b0

SHA256
ea8026766adc2d7cc26e2206cfdf5f0865b1426bfe3bc2aec8f43d3fc9a072ef

SHA512
2dd77324c1e0fea801a5cac1fe1d67349a5a93d4a9a459ee1e6b469f6ccce309fc45e513f38de238971b0a83d31e0afe3a2686eca8887772445209cde5735cee

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\p\syschk.dll

Filesize
255KB

MD5
42fb0c5333071b1f4b04587b4e38353e

SHA1
3e241a174204ab23a1f98148bc9a28269a12c668

SHA256
d39c9c47075c0bd297affb3e5dc73b23eee3a9e83b1e209359bdf64a620c8792

SHA512
cdcde909f95144882965b347cf7acf2ee3da31b067d59668a4d41e66605dc30df803ef18a9328d82a681a70533038b33fae167f146267ffd2f68e1b582d6ebb1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\ui\pfUI.dll

Filesize
3.8MB

MD5
4406a985e08f66b8921dce39fd3e7a2d

SHA1
b40130e3882408a2b3038a3653d0bdf099c79aec

SHA256
8fbca8477b43ef3877d3ca6cd7c077fadc46c5c45adb78725449a194d064ae11

SHA512
882e6e99dc603ccb75e1e21f2e1698f37bfe3ae8a822169d46e26df4de4f579b96803ee0b5118cebe5ef5c68662d892c97c15ee51033ed08682ad1325dc4a578

Download Submit
memory/2432-99-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/2432-117-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download