1ac8fb7ab9abe5cdbf56cf791f3e35eb4c08d810a236e3399679ef0f82d3861d

Analysis

max time kernel
162s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

photo2scr.exe
Size

1.5MB
MD5

3dd264e94f98b5628efe2e7fec99b5fa
SHA1

1e3f5f152da577b0d67fd4f97017e031dde54426
SHA256

ef7a5cf8e4c927ea847e966943dd9da773b6698e60c1578913650ae28fac32df
SHA512

fec20f9c6d4c0eaccef7e4881d21b968fc080eac2593c92e351408a5f9c1e6d40b1002b3780b8db2f55045e2e8eb9331fb199597de830e84f92be05412e3f434
SSDEEP

24576:gpniOA5rBBMPyZ1ZRZBrbn9p6FbMA/i5/AyGyB4v9VfFZjECNpSB2+GIxnsvsdyl:eiOAnBW+XxrBpmK5jGm41jZugBkyl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4568	is-DUL3G.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4568	3492	photo2scr.exe	94
PID 3492 wrote to memory of 4568	3492	photo2scr.exe	94
PID 3492 wrote to memory of 4568	3492	photo2scr.exe	94

C:\Users\Admin\AppData\Local\Temp\photo2scr.exe
"C:\Users\Admin\AppData\Local\Temp\photo2scr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\is-Q98PD.tmp\is-DUL3G.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q98PD.tmp\is-DUL3G.tmp" /SL4 $60162 "C:\Users\Admin\AppData\Local\Temp\photo2scr.exe" 1352839 52224
  2⤵
  - Executes dropped EXE
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-Q98PD.tmp\is-DUL3G.tmp

Filesize
642KB

MD5
3c9f925549a51f9017e08a072332fa47

SHA1
1bff860e744467a58ef986b1016a4454844f5ad7

SHA256
1eb6ba689a47d91d01c9b3caa93daacec49c7b6daafb217678b9ad8f545c8ac2

SHA512
86112ec0d9f4254bceb0a576bc03e09384a15a4a5e94b08ca65ddfbc60d9d8d459885138c2644c9309ac86bca0b86d41c92dbc8ed23d7d381cdbeb2d7963ec18

Download Submit
memory/3492-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3492-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3492-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4568-8-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4568-14-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4568-16-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4568-19-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download