11f6e35dc6180dcda6b3f5c90fa59fe0101bf4678935ad3862b25a463264f8d0

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e2d960f369d7fd84dc7fc702f5fd9e.exe
Size

74KB
MD5

16e2d960f369d7fd84dc7fc702f5fd9e
SHA1

0397a3973ff9a293e993d2b9ea7e3c6d0593c8f3
SHA256

11f6e35dc6180dcda6b3f5c90fa59fe0101bf4678935ad3862b25a463264f8d0
SHA512

be452781208b635055bf3f480e766eff7f5eaccf9ea3726c027ec20871c06343729c20fd5d619b9e91fb59f1c8cf756b60c28697eb3af359d9c2716722699afa
SSDEEP

1536:5oLDYsacy7mHMowHjXJuF5sdiLZVgHrmyvgHiHzb7ZXdlih1:5oPyys5jXJuF5ZLZWHrmyvQ1

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 15 IoCs

pid	Process
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe
1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	16e2d960f369d7fd84dc7fc702f5fd9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 5076	1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe	22
PID 1196 wrote to memory of 5076	1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe	22
PID 1196 wrote to memory of 5076	1196	16e2d960f369d7fd84dc7fc702f5fd9e.exe	22

C:\Users\Admin\AppData\Local\Temp\16e2d960f369d7fd84dc7fc702f5fd9e.exe
"C:\Users\Admin\AppData\Local\Temp\16e2d960f369d7fd84dc7fc702f5fd9e.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\WScript.exe
  WScript.exe C:\Users\Admin\AppData\Local\Temp\Temp\O1g8x0hNmuP8rEYuJjIAq1g8x0hNmuP8rEYuJjIAq\310714_is.jse
  2⤵
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa3A9A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3A9A.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3A9A.tmp\nsWeb.dll

Filesize
8KB

MD5
84bcf3c71e70d5a6e9dc07d70466bdc3

SHA1
31603a1afc2d767a3392d363ff61533beaa25359

SHA256
7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf

SHA512
61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3A9A.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit