228c2c5ed04b6f7e386c10bb039d179c4c8314452b9db21507cb3bacbaa927cd

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d3d022dc85ee0857f7d86653ee903fe.exe
Size

2.7MB
MD5

0d3d022dc85ee0857f7d86653ee903fe
SHA1

d4d1925962bffe38691cc5d0f502e146d52ea29a
SHA256

228c2c5ed04b6f7e386c10bb039d179c4c8314452b9db21507cb3bacbaa927cd
SHA512

abbe2edd86add626a22d367f0f8561ac20b0c0da7a74d6e4858b51996a6be8e9db8c07e222c245150f4f733cf75799d556d82f47a6bd635d703c9025b4aa200f
SSDEEP

49152:BZ74mej7s9QlRZPswbIEvSD7haUNs/NW5GsA1L5jl89ebA5rOYiZnh:BN4aKfE0IPhaUNs3XtpAebSivZnh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
752	0d3d022dc85ee0857f7d86653ee903fe.tmp

Loads dropped DLL 2 IoCs

pid	Process
752	0d3d022dc85ee0857f7d86653ee903fe.tmp
752	0d3d022dc85ee0857f7d86653ee903fe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
752	0d3d022dc85ee0857f7d86653ee903fe.tmp
752	0d3d022dc85ee0857f7d86653ee903fe.tmp
752	0d3d022dc85ee0857f7d86653ee903fe.tmp
752	0d3d022dc85ee0857f7d86653ee903fe.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 752	784	0d3d022dc85ee0857f7d86653ee903fe.exe	30
PID 784 wrote to memory of 752	784	0d3d022dc85ee0857f7d86653ee903fe.exe	30
PID 784 wrote to memory of 752	784	0d3d022dc85ee0857f7d86653ee903fe.exe	30

C:\Users\Admin\AppData\Local\Temp\0d3d022dc85ee0857f7d86653ee903fe.exe
"C:\Users\Admin\AppData\Local\Temp\0d3d022dc85ee0857f7d86653ee903fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\is-50S0A.tmp\0d3d022dc85ee0857f7d86653ee903fe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-50S0A.tmp\0d3d022dc85ee0857f7d86653ee903fe.tmp" /SL5="$60066,2132727,70144,C:\Users\Admin\AppData\Local\Temp\0d3d022dc85ee0857f7d86653ee903fe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-50S0A.tmp\0d3d022dc85ee0857f7d86653ee903fe.tmp

Filesize
181KB

MD5
0c44a0990707ad48ae7fcb7aa8fbbb50

SHA1
6dffeb89ab2f0e2c9a90b070ba167d9a2832d1b2

SHA256
442ca20e42772e3603732ce1802c225acfc6586a248d40f32dda16aada039a84

SHA512
a5110c5661d7992f0166c0b064d7f3c0fc270f463efb850758a3951c1201d455475eb4f98f223aed3f99695f47a3adc602d50910718aa4e1e60686b7b7b29432

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-50S0A.tmp\0d3d022dc85ee0857f7d86653ee903fe.tmp

Filesize
255KB

MD5
ae5265b8908eac3ce324863bbcfffc5d

SHA1
988532af1711bdcaea2669005401c0b15a520d58

SHA256
dcf5e83bcf0662a76d8c2920bbefef1aee5e0f6335e260aaf96936449ac5c2a9

SHA512
89646ff96bdd32f94c81d1cd69892a0b88343db08dfd318e88cd83ce45b5e338921fbdd0d044937d720dbe0e0f6cac62bc006345a29ae3f3b60d05cdb5521f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HLRBA.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HLRBA.tmp\DownLib.dll

Filesize
134KB

MD5
5c75699502b7a639fdc24be6a76766d8

SHA1
e0af30c6710d9a8778e95aae75d49ab9cdb14d27

SHA256
b45e0d36976f0543f4d832f55d6c3cdf75762692645084cb30c1d85722171ba0

SHA512
d91b54acfc830421b9e9f337f1fb4b14e8f6c6153292627dfb5980f4d0e7f2b6a9d0427a4fb8d0f0a08336ec942087d2e74dfc0a25a26bece48c083a131c1eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HLRBA.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
memory/752-7-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/752-20-0x0000000003C40000-0x0000000003C77000-memory.dmp

Filesize
220KB

Download
memory/752-128-0x0000000003C40000-0x0000000003C77000-memory.dmp

Filesize
220KB

Download
memory/752-127-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/752-132-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/784-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/784-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/784-126-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download