f26613315b217e62877a2b6b361778d0439e42c97aaedee0c26bb5fb174f5cb2

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

234cdc33d9281dce513a9556f45ae26f.exe
Size

4.2MB
MD5

234cdc33d9281dce513a9556f45ae26f
SHA1

a194279910c2f8cbdc75b8ea6d471e245a719b67
SHA256

f26613315b217e62877a2b6b361778d0439e42c97aaedee0c26bb5fb174f5cb2
SHA512

1466c386d9ca78f4b65e1af3df25ab8949a43e286f9a31430fa25faca73411892780f4e1058f1cdcb828ff6d12d464e560274b6c5a34702e6a9e79af5527f4b1
SSDEEP

98304:SiD3UMZkFjbyRNLMhAwDXBexqo6pT7HbTIAsRzeGUh+yjWS:XARj4p+AmXBfo6p7vIBzeGZ9S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3028	is-OFNGQ.tmp

Loads dropped DLL 3 IoCs

pid	Process
880	234cdc33d9281dce513a9556f45ae26f.exe
3028	is-OFNGQ.tmp
3028	is-OFNGQ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	is-OFNGQ.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3028	880	234cdc33d9281dce513a9556f45ae26f.exe	17
PID 880 wrote to memory of 3028	880	234cdc33d9281dce513a9556f45ae26f.exe	17
PID 880 wrote to memory of 3028	880	234cdc33d9281dce513a9556f45ae26f.exe	17
PID 880 wrote to memory of 3028	880	234cdc33d9281dce513a9556f45ae26f.exe	17
PID 880 wrote to memory of 3028	880	234cdc33d9281dce513a9556f45ae26f.exe	17
PID 880 wrote to memory of 3028	880	234cdc33d9281dce513a9556f45ae26f.exe	17
PID 880 wrote to memory of 3028	880	234cdc33d9281dce513a9556f45ae26f.exe	17

C:\Users\Admin\AppData\Local\Temp\234cdc33d9281dce513a9556f45ae26f.exe
"C:\Users\Admin\AppData\Local\Temp\234cdc33d9281dce513a9556f45ae26f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\is-SHAMN.tmp\is-OFNGQ.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SHAMN.tmp\is-OFNGQ.tmp" /SL4 $5014E "C:\Users\Admin\AppData\Local\Temp\234cdc33d9281dce513a9556f45ae26f.exe" 4129302 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-SHAMN.tmp\is-OFNGQ.tmp

Filesize
385KB

MD5
f04250aca7fd155cc444c8bb6025e918

SHA1
c7a210f7a00f200cc6a0316bb569fffe03726a78

SHA256
69a257620b6baf3045b9f4cfc2fb0ef4da7e4ac8132109d16b26ce5eea110326

SHA512
ed8f026cc0da9a3c959ba66fd5df7a10e5e2704112a044deb17da7208a6d8c8c512329d3009934a742f04f2db321026cd56d1f473e97f18d1b6be5ab46eab4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SHAMN.tmp\is-OFNGQ.tmp

Filesize
384KB

MD5
9d36dac99f4d4cd71749bdbef271734d

SHA1
8c2f6715113cb75c19e4e11da4b23dae141ece45

SHA256
899f73ac63dfc32ad54b486d3eabaadd886d87b75a824f4f8d03b375e57f99df

SHA512
e24cd935605cd9c60e30ddde8d78f667983f56797c277500aefe4e878b90d89a7ac8fe2888c5b04fc6375cabffc1dac8b75582db10dd85b4e46b96ef3e9606ea

Download Submit
\Users\Admin\AppData\Local\Temp\is-BNIQH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SHAMN.tmp\is-OFNGQ.tmp

Filesize
634KB

MD5
186576f618673f41b1f51c003ca77087

SHA1
d7a676e92e1f86a486e31c44ac41bfed5bfb73e6

SHA256
f24f9507710917431a8680e8565cbe45fa0200afcb651d78e83e940e4e1c2036

SHA512
973ec84bfb641494218527450a1cc3a0982fedaa4a0a8238268df80df188d6368141e0831976524365bb2243d9bfdfd2cd492404ae025ffacf02a6fba728e3b2

Download Submit
memory/880-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/880-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3028-16-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download