9f3a214a121a372d8fff848bc24bd04f0fb4ace222c5fa469c2ce445f553215a

Analysis

max time kernel
147s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e4309e108b1792998d2a705f68825a.exe
Size

1.6MB
MD5

27e4309e108b1792998d2a705f68825a
SHA1

cd2689b7b6a12e52f40f13bbe15aa802d01e55bf
SHA256

9f3a214a121a372d8fff848bc24bd04f0fb4ace222c5fa469c2ce445f553215a
SHA512

7ad14763f0ff151c6ec7cf0b1dc49420036d6a6df5cdc1960ca7d40675695b8ace7cce1a07dcc4f7efa0e7145abaab7c8467192be440ce0d472c4835dcc45689
SSDEEP

49152:LGNvYZjmoi7us4FYNfWg7Eqq9FMyBVz1QMXx:SNqSoioWwaSGMh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	is-BQUQG.tmp

Loads dropped DLL 3 IoCs

pid	Process
2536	27e4309e108b1792998d2a705f68825a.exe
2772	is-BQUQG.tmp
2772	is-BQUQG.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	is-BQUQG.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2772	2536	27e4309e108b1792998d2a705f68825a.exe	28
PID 2536 wrote to memory of 2772	2536	27e4309e108b1792998d2a705f68825a.exe	28
PID 2536 wrote to memory of 2772	2536	27e4309e108b1792998d2a705f68825a.exe	28
PID 2536 wrote to memory of 2772	2536	27e4309e108b1792998d2a705f68825a.exe	28
PID 2536 wrote to memory of 2772	2536	27e4309e108b1792998d2a705f68825a.exe	28
PID 2536 wrote to memory of 2772	2536	27e4309e108b1792998d2a705f68825a.exe	28
PID 2536 wrote to memory of 2772	2536	27e4309e108b1792998d2a705f68825a.exe	28

C:\Users\Admin\AppData\Local\Temp\27e4309e108b1792998d2a705f68825a.exe
"C:\Users\Admin\AppData\Local\Temp\27e4309e108b1792998d2a705f68825a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\is-UND1K.tmp\is-BQUQG.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UND1K.tmp\is-BQUQG.tmp" /SL4 $30120 "C:\Users\Admin\AppData\Local\Temp\27e4309e108b1792998d2a705f68825a.exe" 1455235 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-UND1K.tmp\is-BQUQG.tmp

Filesize
24KB

MD5
ad91ef99ae13b89185217eb3ead6d476

SHA1
fa1948a34a2a0b20f9e9e30bc1de56705784a54c

SHA256
8d80dae2c569c036fe062a2238ae72b23e0c7841842644e93561db97de075607

SHA512
e2e2c3a92437208f68699a6c01c2297c59981f87cff8e9d2f85a9ce92264f2969edbb7b580ddc786e17e9bd76bf5c8984e375bf96c3441193c63a6fa57df2572

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UND1K.tmp\is-BQUQG.tmp

Filesize
16KB

MD5
7b7f59fc057402e4e3da1399d8a0436a

SHA1
a0922ab06d0d42cd483292786ba87cea5d6cfaa8

SHA256
708187c4714840ee3811b662084c150cf6ec2fd72f2686530b07b66e21481637

SHA512
4069e82605eab2a341f5d00d8bb636f712c1145710540c8c8a40535992971e030fb724cf1143114a5d57f7ba4c0a91ce71a7f948910afbf4a3c684864269ff4f

Download Submit
\Users\Admin\AppData\Local\Temp\is-UHFQC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UND1K.tmp\is-BQUQG.tmp

Filesize
4KB

MD5
88778081831a2db8b0362cc73fcf3418

SHA1
9a78ac90f24045ef15c6ba67bcd232f9a88e40fc

SHA256
e783a0be14bf6ecedc35fcdbdb4eb3ac27ccf5bbd464b7f78625e6ed3488414d

SHA512
2b66daaf55ac878a22ea8b2e513e42df312c6b5d6440716d4e8b7b1bfdbb1d9c7c2b304743077d9db8be80d94f6c29eed4bc813916e9b16a6f41241451ee5843

Download Submit
memory/2536-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2536-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2772-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2772-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2772-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download