1472780b22a70f13e6aec3ffd06fc9714748841f9f88c3c3b743d247d9711d68

Analysis

max time kernel
140s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24bd3998edbc7549f50201cce7b9a11c.exe
Size

696KB
MD5

24bd3998edbc7549f50201cce7b9a11c
SHA1

713f191a4b99967af3c019765931a9624fdc8830
SHA256

1472780b22a70f13e6aec3ffd06fc9714748841f9f88c3c3b743d247d9711d68
SHA512

ca1adc1f5a27711442187e7032c1e1bee8d4c56313531dce2f2de817b4d3ddb31d7ed05a2ba4edba41ff1bcd30c15501a3f4468419b8179631d47fdcfe2eec03
SSDEEP

12288:IF9COQM7p6I76cLkjTisIessEnq9+uJ7zk+nG8R5+YIHf8pw5a4EcseV:yxrYBfhcnq3JhG8RobEpcaTi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
864	regver.exe
4988	CheckVer104.exe

Loads dropped DLL 3 IoCs

pid	Process
1940	24bd3998edbc7549f50201cce7b9a11c.exe
1940	24bd3998edbc7549f50201cce7b9a11c.exe
1940	24bd3998edbc7549f50201cce7b9a11c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4988	CheckVer104.exe
864	regver.exe
4988	CheckVer104.exe
864	regver.exe
864	regver.exe
864	regver.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 864	1940	24bd3998edbc7549f50201cce7b9a11c.exe	38
PID 1940 wrote to memory of 864	1940	24bd3998edbc7549f50201cce7b9a11c.exe	38
PID 1940 wrote to memory of 864	1940	24bd3998edbc7549f50201cce7b9a11c.exe	38
PID 1940 wrote to memory of 4988	1940	24bd3998edbc7549f50201cce7b9a11c.exe	39
PID 1940 wrote to memory of 4988	1940	24bd3998edbc7549f50201cce7b9a11c.exe	39
PID 1940 wrote to memory of 4988	1940	24bd3998edbc7549f50201cce7b9a11c.exe	39

C:\Users\Admin\AppData\Local\Temp\24bd3998edbc7549f50201cce7b9a11c.exe
"C:\Users\Admin\AppData\Local\Temp\24bd3998edbc7549f50201cce7b9a11c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\TempImg\regver.exe
  C:\Users\Admin\AppData\Local\TempImg\regver.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:864
- C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe
  C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe

Filesize
26KB

MD5
9932e4c8ea8fc40384447941a3392769

SHA1
83eb14c11e01572967e525e2a6036e122f872294

SHA256
33bf3c5151719df89a8142066aadcda656ba6129238dfb3b377362a7da1a5a3d

SHA512
9f75454d3e7a78fd4219f901406447956ca1e648fa00f33f023f2f242617cbd599fd95db2ba89c27ede71f44656196257fd59d4dfdf7373b0477a9f55d93b567

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBB62.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit