6f758710037a98398d2b59b8014b59a8c52955c9036388841df38e48cd9cfd6f

Analysis

max time kernel
122s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

254a62c28fe92e41e5b7d2a7b6b430b5.exe
Size

3.7MB
MD5

254a62c28fe92e41e5b7d2a7b6b430b5
SHA1

1b1b33bf9a6313c8ba203a9fe095d6242164794a
SHA256

6f758710037a98398d2b59b8014b59a8c52955c9036388841df38e48cd9cfd6f
SHA512

e0542ded9cffb0fe76147757b36b1990417f36fd0f6bd2a95a09162032a10ad734cdd4bd85f230073d853e54aba7464803f1f25b542dd76f51d7c81b2d6f56ca
SSDEEP

98304:wdWGyAwgKft/k8lSOAUv5a7WoewEwigoUUcfF3T+kxPeBdhMgT:wWSKlFldv5a7WovF/7FXxPeBdhMgT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2412	is-LSUBM.tmp

Loads dropped DLL 3 IoCs

pid	Process
2956	254a62c28fe92e41e5b7d2a7b6b430b5.exe
2412	is-LSUBM.tmp
2412	is-LSUBM.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2412	is-LSUBM.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2412	2956	254a62c28fe92e41e5b7d2a7b6b430b5.exe	28
PID 2956 wrote to memory of 2412	2956	254a62c28fe92e41e5b7d2a7b6b430b5.exe	28
PID 2956 wrote to memory of 2412	2956	254a62c28fe92e41e5b7d2a7b6b430b5.exe	28
PID 2956 wrote to memory of 2412	2956	254a62c28fe92e41e5b7d2a7b6b430b5.exe	28
PID 2956 wrote to memory of 2412	2956	254a62c28fe92e41e5b7d2a7b6b430b5.exe	28
PID 2956 wrote to memory of 2412	2956	254a62c28fe92e41e5b7d2a7b6b430b5.exe	28
PID 2956 wrote to memory of 2412	2956	254a62c28fe92e41e5b7d2a7b6b430b5.exe	28
PID 2412 wrote to memory of 2564	2412	is-LSUBM.tmp	29
PID 2412 wrote to memory of 2564	2412	is-LSUBM.tmp	29
PID 2412 wrote to memory of 2564	2412	is-LSUBM.tmp	29
PID 2412 wrote to memory of 2564	2412	is-LSUBM.tmp	29
PID 2412 wrote to memory of 2564	2412	is-LSUBM.tmp	29
PID 2412 wrote to memory of 2564	2412	is-LSUBM.tmp	29
PID 2412 wrote to memory of 2564	2412	is-LSUBM.tmp	29

C:\Users\Admin\AppData\Local\Temp\254a62c28fe92e41e5b7d2a7b6b430b5.exe
"C:\Users\Admin\AppData\Local\Temp\254a62c28fe92e41e5b7d2a7b6b430b5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\is-JP0UT.tmp\is-LSUBM.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JP0UT.tmp\is-LSUBM.tmp" /SL4 $40026 "C:\Users\Admin\AppData\Local\Temp\254a62c28fe92e41e5b7d2a7b6b430b5.exe" 3577931 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""
    3⤵
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del_bat.cmd

Filesize
240B

MD5
339c01a0db4595d956800b89effda5fb

SHA1
e9fe07fa45f420fad60cfb7e7cf83f42144312f2

SHA256
4b88b8813924715997c83b3a96c8956bbfdc1b848d4b54668ef80048c001cff0

SHA512
fd949cc62c5e179da002557a671afb9936a934e4c867d46db80ee9f7a07d8b66213c00a594fb3ff6c54b95e28c25450e90a5b77b687d2c2a22b66638970fe7da

Download Submit
\Users\Admin\AppData\Local\Temp\is-17H29.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JP0UT.tmp\is-LSUBM.tmp

Filesize
647KB

MD5
03b6ac01266e61b32c466486e92c6b15

SHA1
300a41e438fc542e955f2f9620ed71ee04a156ca

SHA256
e1456b37956ff0683404d8b813db6f82a72e9deb55bb58e5dda19cdb6a2ccf50

SHA512
8450e70b1379838287dc68fc5745ebc693cc92a324401f1b7e6c14653cf676a1fd19cd5dbda1047627fa7d2acd807e0baeee8ff368970415740f08af7edbc829

Download Submit
memory/2412-19-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2956-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2956-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download