e21eb8495a56984c4889573dd5d8460313ad61c15c24090ddd707a8a7d419b2b

Analysis

max time kernel
163s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

htmlpasswordlockV3.29_XiaoSD.exe
Size

1.1MB
MD5

bbf5572e5f8d290cac7a39da9fbf05ee
SHA1

0511811c4919a1b10ff7a58c5d350568149f1839
SHA256

707a128a04eacccf596332abba93335965f14fa014177112ab9fd3ba3aa31947
SHA512

c60d40e341bfda8afffe302f4e0a6cc4584c2c16b11cf6bd72e12be1f236f90959ae56a835ce6d9a591eb11545c1e3446870dca7d1aad65556aef5f4dcd2edb7
SSDEEP

24576:tI39dqZBlOfk7twdMkj43v7UXIl0Z/gP7rKPUFH2X7kxE9e:t6duQfkqdMxUYwyrKPL7Y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1628	is-T45IM.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1628	2792	htmlpasswordlockV3.29_XiaoSD.exe	91
PID 2792 wrote to memory of 1628	2792	htmlpasswordlockV3.29_XiaoSD.exe	91
PID 2792 wrote to memory of 1628	2792	htmlpasswordlockV3.29_XiaoSD.exe	91

C:\Users\Admin\AppData\Local\Temp\htmlpasswordlockV3.29_XiaoSD.exe
"C:\Users\Admin\AppData\Local\Temp\htmlpasswordlockV3.29_XiaoSD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\is-PQJ0J.tmp\is-T45IM.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PQJ0J.tmp\is-T45IM.tmp" /SL4 $140064 "C:\Users\Admin\AppData\Local\Temp\htmlpasswordlockV3.29_XiaoSD.exe" 928032 52224
  2⤵
  - Executes dropped EXE
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-PQJ0J.tmp\is-T45IM.tmp

Filesize
635KB

MD5
935bc16ec2e483a47f485227303c9282

SHA1
e9fd30d7c8f93dc86fb62d0b5dadaa89477109f4

SHA256
9331ae3847ead3d91037d173ecf019aa2ff2c66685363fffc54b26707e4039d7

SHA512
375cc329b1ee83d7438a3f5592af9cd169dec8b1b77dc52957138f1802fdfcc928d0f33155e8d767eb7049ad210743ce258b980f171ca5dc05fb16e5d7aa82fe

Download Submit
memory/1628-6-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1628-13-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1628-16-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2792-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2792-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download