1245b2a19816985f5667ef344b760c1a2eb71683f457a58180cfc6ea2d42b416

Analysis

max time kernel
165s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2665be2a0c1b649921dff2e915388457.exe
Size

3.4MB
MD5

2665be2a0c1b649921dff2e915388457
SHA1

2bb5905d8fa754b834214cdb85a58db098721897
SHA256

1245b2a19816985f5667ef344b760c1a2eb71683f457a58180cfc6ea2d42b416
SHA512

fc45c6fc2e9e6f4166ace9aaa5359638e428862e23221a56aff7fbbddf0d10beb09757c062d251c7f935ae691a49f559d89cd8cb7763213c2c1c86b731496833
SSDEEP

98304:aJDC5ue1FbbzvD0ECIJ457WIPXpiqGxGVNebSivZnH:aJ+5ue1FbvvwECIa5dP5Uwe2UZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	2665be2a0c1b649921dff2e915388457.tmp

Loads dropped DLL 2 IoCs

pid	Process
2468	2665be2a0c1b649921dff2e915388457.tmp
2468	2665be2a0c1b649921dff2e915388457.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2468	2665be2a0c1b649921dff2e915388457.tmp
2468	2665be2a0c1b649921dff2e915388457.tmp
2468	2665be2a0c1b649921dff2e915388457.tmp
2468	2665be2a0c1b649921dff2e915388457.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2468	2256	2665be2a0c1b649921dff2e915388457.exe	90
PID 2256 wrote to memory of 2468	2256	2665be2a0c1b649921dff2e915388457.exe	90
PID 2256 wrote to memory of 2468	2256	2665be2a0c1b649921dff2e915388457.exe	90

C:\Users\Admin\AppData\Local\Temp\2665be2a0c1b649921dff2e915388457.exe
"C:\Users\Admin\AppData\Local\Temp\2665be2a0c1b649921dff2e915388457.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\is-BFS33.tmp\2665be2a0c1b649921dff2e915388457.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BFS33.tmp\2665be2a0c1b649921dff2e915388457.tmp" /SL5="$260022,2842439,70144,C:\Users\Admin\AppData\Local\Temp\2665be2a0c1b649921dff2e915388457.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BFS33.tmp\2665be2a0c1b649921dff2e915388457.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GBQH0.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GBQH0.tmp\RI_AfterDot.bmp

Filesize
84B

MD5
7ccd5a0af4da51cf4962f184fcf9456a

SHA1
de37f4521fa7fee49b37898f4136728e8971ee0f

SHA256
8f2374b30622dfae1fd0b9706520de34c5e1597c1531fddbff65bc0201132ac7

SHA512
d7c4fbc6a4413dc457400fa2e026dea5d639a5b413164cc6939284c46bb46b6ae8ff10184ba2da4f32ace89646b026400db2a49dd9894d71e88d003a91c8267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GBQH0.tmp\setupcfg.ini

Filesize
44B

MD5
1c1c7429191b101734d406c94196394d

SHA1
b39dc95ad2b85d865c9152f20461140879c36a6f

SHA256
7d5cd924ab3b77cb72f18df5231a65d76de45d877c78c9cb1ad0e5b66d6988ef

SHA512
cd77324adbdb6453949cdf72f267649869f7700a90274292c4328cdba62631a914510692a6d87f3b1ba4aeb496458ecb01cf68c7da7b0c8d2012360e33b5ce8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GBQH0.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
memory/2256-8-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2256-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2256-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2256-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2468-21-0x0000000003C40000-0x0000000003C77000-memory.dmp

Filesize
220KB

Download
memory/2468-23-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2468-26-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2468-27-0x0000000003C40000-0x0000000003C77000-memory.dmp

Filesize
220KB

Download
memory/2468-29-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2468-7-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2468-82-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2468-83-0x0000000003C40000-0x0000000003C77000-memory.dmp

Filesize
220KB

Download
memory/2468-200-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download