e8ab6e03e40c8c642e05921f19885c49e3b8e11911fcf1afe23bc62b55ead2f0

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c5e47ad3abd108f94474e71f1741272.exe
Size

8.4MB
MD5

2c5e47ad3abd108f94474e71f1741272
SHA1

6cc5551568ced7955b6789ae13bca2b5a39b9555
SHA256

e8ab6e03e40c8c642e05921f19885c49e3b8e11911fcf1afe23bc62b55ead2f0
SHA512

1a2d35ddfcaada43dee68a69883916277888989d1f8dba910e871baacb27a619f917144c65506ecad3f40fbfab4d2721497402387d4f84a2e566c5a728d45619
SSDEEP

196608:Lk7YzofFc4flgZ+A72kCFpcKVFTLW21mXUdvoHaWzH00G:LkYo9l6ZGz7cKnTLW21+c4jQT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1508	2c5e47ad3abd108f94474e71f1741272.tmp

Loads dropped DLL 4 IoCs

pid	Process
1104	2c5e47ad3abd108f94474e71f1741272.exe
1508	2c5e47ad3abd108f94474e71f1741272.tmp
1508	2c5e47ad3abd108f94474e71f1741272.tmp
1508	2c5e47ad3abd108f94474e71f1741272.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1508	2c5e47ad3abd108f94474e71f1741272.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1508	1104	2c5e47ad3abd108f94474e71f1741272.exe	28
PID 1104 wrote to memory of 1508	1104	2c5e47ad3abd108f94474e71f1741272.exe	28
PID 1104 wrote to memory of 1508	1104	2c5e47ad3abd108f94474e71f1741272.exe	28
PID 1104 wrote to memory of 1508	1104	2c5e47ad3abd108f94474e71f1741272.exe	28

C:\Users\Admin\AppData\Local\Temp\2c5e47ad3abd108f94474e71f1741272.exe
"C:\Users\Admin\AppData\Local\Temp\2c5e47ad3abd108f94474e71f1741272.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\is-OTACO.tmp\2c5e47ad3abd108f94474e71f1741272.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OTACO.tmp\2c5e47ad3abd108f94474e71f1741272.tmp" /SL5="$5014C,8446198,51712,C:\Users\Admin\AppData\Local\Temp\2c5e47ad3abd108f94474e71f1741272.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-OTACO.tmp\2c5e47ad3abd108f94474e71f1741272.tmp

Filesize
381KB

MD5
80637035f65554b92a1e6052bbf383fe

SHA1
f00f7e897eae8021479db6ac9cec85cc2d756b90

SHA256
f8c32a3d6f88635e608c280deee00021ec83c64807d704e809d77c8de0571ce3

SHA512
980a958bfeb61c6b103454f9d630e6a2ef3c924c0f51a6f6738b663dee18fd70b725db093fea0d6f4840553ad6bf54a247734401e284322099f03e4002904b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OTACO.tmp\2c5e47ad3abd108f94474e71f1741272.tmp

Filesize
274KB

MD5
47e4749eb7f595aa8aafed1a4277d2cb

SHA1
fb994ea01b9dd8bd3509b2059b1d793cbec11015

SHA256
e687e2b5d5eb66860ac32b0e4c985d66d60816f6a20d0db7a6e11d73b3567816

SHA512
6475b37005784995c88b77d5703a428af48d97606ac97ab4c28484d895b0f6ba377c1dc9328bcf112f79101a2f9d7463cb2f24ab7ea408f0c6a4200aedc0221d

Download Submit
\Users\Admin\AppData\Local\Temp\is-5FUFT.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-OTACO.tmp\2c5e47ad3abd108f94474e71f1741272.tmp

Filesize
676KB

MD5
0ceb80916652e6346b490a3519f23783

SHA1
d963ddff57f19ca1d8df1a3cdfc440ffe79a478b

SHA256
19f548bab801d6c7045f81199ebaa5047078b50388aeb8215d5874638bc5c213

SHA512
0b5ffb32fa0e21cdab89110c784777eed5a459ed7a78558445456e40b4effcce170be073a34f8788fdef742df6c89cfa196f5d00d56263098ec5122e6b5e43cf

Download Submit
memory/1104-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1104-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1508-8-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1508-20-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1508-23-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download