8b143062ebc9e1dfbbdfd1a7a24eb88c2637294e15aa26d9c65b23e95f257eeb

Analysis

max time kernel
157s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38918f603b2e2bb4c09e69bc5f98cb71.exe
Size

109KB
MD5

38918f603b2e2bb4c09e69bc5f98cb71
SHA1

3d86e656d996a13921e79996dc6bd9e8c31ba93b
SHA256

8b143062ebc9e1dfbbdfd1a7a24eb88c2637294e15aa26d9c65b23e95f257eeb
SHA512

a326a0fe964cec626341aac47221036abc04a1c999d1a7f4e5634daacec0c67976f2397e051ec34beb7d4fac16ba1cb765d6cb701ed512bc7d67a7d91919a833
SSDEEP

3072:b+CLQALA6QggKEtEDxrg6hetSd397s60IVW:Kq1LA6SrIrg6Ao39/

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1460	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
3232	38918f603b2e2bb4c09e69bc5f98cb71.exe
3232	38918f603b2e2bb4c09e69bc5f98cb71.exe
1460	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isptr = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\isptr.dll\",LoadMeshFromXInMemory"	38918f603b2e2bb4c09e69bc5f98cb71.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3232	38918f603b2e2bb4c09e69bc5f98cb71.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 1460	3232	38918f603b2e2bb4c09e69bc5f98cb71.exe	93
PID 3232 wrote to memory of 1460	3232	38918f603b2e2bb4c09e69bc5f98cb71.exe	93
PID 3232 wrote to memory of 1460	3232	38918f603b2e2bb4c09e69bc5f98cb71.exe	93

C:\Users\Admin\AppData\Local\Temp\38918f603b2e2bb4c09e69bc5f98cb71.exe
"C:\Users\Admin\AppData\Local\Temp\38918f603b2e2bb4c09e69bc5f98cb71.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\isptr.dll",LoadMemory
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\isptr.dll

Filesize
23KB

MD5
8597feaaea4fb3e4a29ff6816b2f8c22

SHA1
c4755a8a4ce0950e73dbc810993371c35bcd7ff4

SHA256
0388fed6e5b4b19628a876632d628e1abd65618ac4a402c8a096c5406c3c0e7d

SHA512
e1f8e25737bf8b414bd2981f9a1713c8a032b6580f2b1e7a23c05f7d7629e241a22e8e954b3a4267c29e9fdee75d69c7891128883204f55e784a4feee84afc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\isptr.dll

Filesize
48KB

MD5
c60557243bb0e9a1925d4432465e2a9b

SHA1
67b11d95a0336e49943603d265baf12d712166e4

SHA256
441d249f3ae3eb26b535f842652a08700623ec3b127f4f356c02ec47b6ceaea4

SHA512
4721cdf49d6b6e2b11b11be0e35ba286819662a5046e55e864169c594ee99aef037f336917e64634e69b6c4cbf9583c4ce95fd9507ada4bb84eace84e6b15b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\isptr.dll

Filesize
66KB

MD5
0091b22a27f93a1176f353591032e753

SHA1
4f59831c7dde20e704f6b8595cefbfac2544f730

SHA256
7454abad0a05706f2131f35f907fa575dd7efdec5c458dd24690ee6c66d88ba7

SHA512
46eb370a235937b3e49b697b4dd4a8dddf00f15a0f304b01550eaae7dab9aba102d0f6489963352e7d81c79b4272bedc59dab73b8fc618126f6f4cba451edd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\isptr.dll

Filesize
69KB

MD5
77ce6574986b85dbb323b00499f1e472

SHA1
b4543b68d6457bf88bffa095ae5b9dd8ccc74cb8

SHA256
15829950863a61c3d5dfc568d7b6b9004a7b38f3a8951a12534bc8bdce2c44c5

SHA512
78ffc4839607d46330ba7de17602e91f5436118b4bcb7015165d2c43d9e1a31f2d44dcc6f069b0521cd544ad81ccbc1d5b5e65d3220a688c45d22e5970768687

Download Submit
C:\Users\Admin\AppData\Local\Temp\isptr.dll

Filesize
109KB

MD5
b7b31f12bc81ef5cab528c0e3da6bdfe

SHA1
7d7fd6d9e73213d51de76e6764bc377bc612b03b

SHA256
60baea2d41afd8d5249a267fb44ac40d4be7a253c6fc4e1450c27bcfe1cf9b99

SHA512
78efe660ef5ec230ad0174749f11e6fa07c1f46f8bc263081ca97830142da386582d246c187a5b73bcc5299f6bc2d44d31708336da470dc1b84eed53ea989f62

Download Submit
memory/1460-31-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/1460-25-0x0000000002B00000-0x0000000002B1E000-memory.dmp

Filesize
120KB

Download
memory/1460-29-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1460-30-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3232-16-0x00000000009E0000-0x00000000009EF000-memory.dmp

Filesize
60KB

Download
memory/3232-0-0x00000000005A0000-0x00000000005AF000-memory.dmp

Filesize
60KB

Download
memory/3232-6-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3232-17-0x0000000000A00000-0x0000000000A1E000-memory.dmp

Filesize
120KB

Download
memory/3232-2-0x00000000005C0000-0x00000000005DE000-memory.dmp

Filesize
120KB

Download
memory/3232-21-0x00000000005A0000-0x00000000005BE000-memory.dmp

Filesize
120KB

Download
memory/3232-1-0x00000000005A0000-0x00000000005AF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads