74422a6005c117fb5437b73f05b126326408f2eaeab60dfeedaf71df41bcc972

Analysis

max time kernel
177s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rmtoavimpeg.exe
Size

8.0MB
MD5

caf3d1ecba3b0ac3d2fa8eff5f1f0dc3
SHA1

e71ab58c1e4d6e35aa8966f65e96d6e26a01beab
SHA256

6391fa32f82c57e6e0c1427e6ae698a1b9120141af3c2a1021cedc837df91aac
SHA512

24052fb605a1fcb0489c5c27673dce4e279e8e84a86c6f92f4fe62a6f1a5df8fb298c44aa0887dcdf598ad031636af359ff9c25061c993cf37eca9b685015342
SSDEEP

196608:bhsR1KwPRqmAlULR4suLCpFCowK1Yi/oUHK/X:Ns+YcmAIR4Idwni/bA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4688	INS21E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4688	4856	rmtoavimpeg.exe	92
PID 4856 wrote to memory of 4688	4856	rmtoavimpeg.exe	92
PID 4856 wrote to memory of 4688	4856	rmtoavimpeg.exe	92

C:\Users\Admin\AppData\Local\Temp\rmtoavimpeg.exe
"C:\Users\Admin\AppData\Local\Temp\rmtoavimpeg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\INS21E.tmp
  C:\Users\Admin\AppData\Local\Temp\INS21E.tmp /SL3 $C0180 C:\Users\Admin\AppData\Local\Temp\rmtoavimpeg.exe 8386371 8389731 61440
  2⤵
  - Executes dropped EXE
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INS21E.tmp

Filesize
378KB

MD5
99fa571a302c7e8ed49d149c1c700623

SHA1
55f36c6868d698cf9f4b84296b51737b34d014d0

SHA256
d2e9c5966937beadba64d89d3ce31212c61a85118d9662adb98fdeac1ad6eb44

SHA512
f14a45f0cf8b338efa4371ca88767189cce8ef919aa7c691ba7105a393acaf07b43721f2a74417075aa99acea875cc5de4c7a09fd38dad6f913b9a675c0ddec0

Download Submit
memory/4688-5-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4688-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4688-12-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4856-8-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download