113831c843267ceb45f7fb0ae82b249e8d84ce2d9f6b1ea00aa7bf4eb7a2ea2d

Analysis

max time kernel
188s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 03:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26bdbdbee492463978b4d482d36e9ab3.exe
Size

412KB
MD5

26bdbdbee492463978b4d482d36e9ab3
SHA1

c32284365040b44c6bee2379ab6fbb7a61e47846
SHA256

113831c843267ceb45f7fb0ae82b249e8d84ce2d9f6b1ea00aa7bf4eb7a2ea2d
SHA512

e11c3d8c149b69ad5b531508c070a43dd1fee8d670f8dd376425552586265025cc97561dc85d73b97e35735dffcd22fae417f8d21fa2ddb41293ccd17e75c95d
SSDEEP

12288:gutrzh9xOXklb5UeIVWWqRYnHA7PpOgztjNuq:gutr5OUlbI0FR+A7PUXq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3060	iplug.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	26bdbdbee492463978b4d482d36e9ab3.exe
2244	26bdbdbee492463978b4d482d36e9ab3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3060	2244	26bdbdbee492463978b4d482d36e9ab3.exe	29
PID 2244 wrote to memory of 3060	2244	26bdbdbee492463978b4d482d36e9ab3.exe	29
PID 2244 wrote to memory of 3060	2244	26bdbdbee492463978b4d482d36e9ab3.exe	29
PID 2244 wrote to memory of 3060	2244	26bdbdbee492463978b4d482d36e9ab3.exe	29
PID 2244 wrote to memory of 3060	2244	26bdbdbee492463978b4d482d36e9ab3.exe	29
PID 2244 wrote to memory of 3060	2244	26bdbdbee492463978b4d482d36e9ab3.exe	29
PID 2244 wrote to memory of 3060	2244	26bdbdbee492463978b4d482d36e9ab3.exe	29

C:\Users\Admin\AppData\Local\Temp\26bdbdbee492463978b4d482d36e9ab3.exe
"C:\Users\Admin\AppData\Local\Temp\26bdbdbee492463978b4d482d36e9ab3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\iplug.exe
  "C:\Users\Admin\AppData\Local\Temp\iplug.exe"
  2⤵
  - Executes dropped EXE
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iplug.exe

Filesize
872KB

MD5
2aa0002b508ad754f9b4fc2cf304f9b7

SHA1
10cae9a9bfca92852193b59993f6eae35c3bc87d

SHA256
18e87ff8e3c7ee52f85d9588e7852361b5239280e99cb73d0918500b87ed92af

SHA512
2264c0ee5aa29eefaea29e46e739ccf69db2ddf39fc07e2135523a30a4cab48fce857a1cd3b775983c33364ed96b4bc8d88141fd355e6fe3148ca4b2e1c96328

Download Submit
C:\Users\Admin\AppData\Local\Temp\iplug.exe

Filesize
639KB

MD5
0dd4d79895e8c88ea14e49cc5bf894b0

SHA1
84019e486b502f84b75d851996959d037c9d6ce6

SHA256
ae0ba4178d193bd10c940b84bb8f221610a8351f33d9eb68aa31d48ece7add62

SHA512
6adef3f2371b55eab92a5ad6b99744c2276fea018474ac7f54d9ffbf545be434ea08d40f86ab585d557975cd3115af8b65c49103c72b62952bf5d6ec893edb72

Download Submit
\Users\Admin\AppData\Local\Temp\iplug.exe

Filesize
163KB

MD5
798c232628de46719395b6cc5a4b0bb9

SHA1
931cd13409c43c73296e77c30a278b9cffacf2a0

SHA256
9b8f1a37716631d7c327bea60eceff770d7e080b8732950b75a6a1ea48a6afd2

SHA512
0cecec2c32a44975508a07a42da629c10192e4649c60a717ab192dffa467aa286041b3e23f4aa16e31dd466f08b279a5206c6eae1887d389bc9160d4f1e0037e

Download Submit
\Users\Admin\AppData\Local\Temp\iplug.exe

Filesize
763KB

MD5
c3fe8eb24ff49ae5195f7445bdb6a2e8

SHA1
5fbc2b1df99756e2b556277090f5aa05db88d95e

SHA256
34f58489ff293fb90ede44065a33149525033edb750acc3997389cada149593a

SHA512
2fceb1429de5fbf4296a228724940c0c782d3a05830df450423fb125151347fffd3551df0fb65bc6ce746454a3cdd8c52fb355741c7972f4469b32fbd8d3f138

Download Submit
memory/3060-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3060-11-0x0000000000380000-0x00000000006F8000-memory.dmp

Filesize
3.5MB

Download
memory/3060-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download