74422a6005c117fb5437b73f05b126326408f2eaeab60dfeedaf71df41bcc972

Analysis

max time kernel
180s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rmtoavimpeg.exe
Size

8.0MB
MD5

caf3d1ecba3b0ac3d2fa8eff5f1f0dc3
SHA1

e71ab58c1e4d6e35aa8966f65e96d6e26a01beab
SHA256

6391fa32f82c57e6e0c1427e6ae698a1b9120141af3c2a1021cedc837df91aac
SHA512

24052fb605a1fcb0489c5c27673dce4e279e8e84a86c6f92f4fe62a6f1a5df8fb298c44aa0887dcdf598ad031636af359ff9c25061c993cf37eca9b685015342
SSDEEP

196608:bhsR1KwPRqmAlULR4suLCpFCowK1Yi/oUHK/X:Ns+YcmAIR4Idwni/bA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2624	INSE2E0.tmp

Loads dropped DLL 3 IoCs

pid	Process
2724	rmtoavimpeg.exe
2624	INSE2E0.tmp
2624	INSE2E0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	INSE2E0.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2624	2724	rmtoavimpeg.exe	29
PID 2724 wrote to memory of 2624	2724	rmtoavimpeg.exe	29
PID 2724 wrote to memory of 2624	2724	rmtoavimpeg.exe	29
PID 2724 wrote to memory of 2624	2724	rmtoavimpeg.exe	29
PID 2724 wrote to memory of 2624	2724	rmtoavimpeg.exe	29
PID 2724 wrote to memory of 2624	2724	rmtoavimpeg.exe	29
PID 2724 wrote to memory of 2624	2724	rmtoavimpeg.exe	29

C:\Users\Admin\AppData\Local\Temp\rmtoavimpeg.exe
"C:\Users\Admin\AppData\Local\Temp\rmtoavimpeg.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\INSE2E0.tmp
  C:\Users\Admin\AppData\Local\Temp\INSE2E0.tmp /SL3 $6015C C:\Users\Admin\AppData\Local\Temp\rmtoavimpeg.exe 8386371 8389731 61440
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\INSE2E0.tmp

Filesize
378KB

MD5
99fa571a302c7e8ed49d149c1c700623

SHA1
55f36c6868d698cf9f4b84296b51737b34d014d0

SHA256
d2e9c5966937beadba64d89d3ce31212c61a85118d9662adb98fdeac1ad6eb44

SHA512
f14a45f0cf8b338efa4371ca88767189cce8ef919aa7c691ba7105a393acaf07b43721f2a74417075aa99acea875cc5de4c7a09fd38dad6f913b9a675c0ddec0

Download Submit
\Users\Admin\AppData\Local\Temp\is-BPNOJ.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2624-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2724-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download