48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d

Analysis

max time kernel
131s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d.exe
Size

3.0MB
MD5

a43971a9013271337bdcebc04cb7641c
SHA1

4b0a682d151c16e478bf1bc0267d2e9f2c49843e
SHA256

48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d
SHA512

0e8af03e5a6c7cd8e7050983dc8e925d5bd69f990aecce5ca8e526dcc652ea61b7b9dc671ecefb097559121dc2880e4aa698904ea8d54d75040f5f3e951bf696
SSDEEP

49152:PpVUxxbgDTtXXBWjMOBJlh87JQK9Z6nnlcka5OGGrI5sBcvFG:PpVgxgDBBWjpBJQi1S1crI5sB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3000	dpinst-x64-multi.exe
1256	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2588	cmd.exe
1256	Process not Found

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Urmet Daruma\DarumaFramework.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Urmet Daruma\LeituraMFDBin.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Urmet Daruma\QrCode_DarumaFramework.dll	cmd.exe
File created	C:\Program Files (x86)\Urmet Daruma\WS_Framework.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Urmet Daruma\GNE_Framework.dll	cmd.exe
File created	C:\Program Files (x86)\Urmet Daruma\QrCode_DarumaFramework.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Urmet Daruma\WS_Framework.dll	cmd.exe
File created	C:\Program Files (x86)\Urmet Daruma\DarumaFramework.exe	cmd.exe
File created	C:\Program Files (x86)\Urmet Daruma\DarumaFrameWork.dll	cmd.exe
File created	C:\Program Files (x86)\Urmet Daruma\GNE_Framework.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Urmet Daruma\DarumaFrameWork.dll	cmd.exe
File created	C:\Program Files (x86)\Urmet Daruma\lebin.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Urmet Daruma\lebin.dll	cmd.exe
File created	C:\Program Files (x86)\Urmet Daruma\LeituraMFDBin.dll	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DPINST.LOG	dpinst-x64-multi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3000	dpinst-x64-multi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2588	2516	48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d.exe	28
PID 2516 wrote to memory of 2588	2516	48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d.exe	28
PID 2516 wrote to memory of 2588	2516	48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d.exe	28
PID 2516 wrote to memory of 2588	2516	48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d.exe	28
PID 2588 wrote to memory of 2124	2588	cmd.exe	30
PID 2588 wrote to memory of 2124	2588	cmd.exe	30
PID 2588 wrote to memory of 2124	2588	cmd.exe	30
PID 2588 wrote to memory of 2124	2588	cmd.exe	30
PID 2588 wrote to memory of 3000	2588	cmd.exe	31
PID 2588 wrote to memory of 3000	2588	cmd.exe	31
PID 2588 wrote to memory of 3000	2588	cmd.exe	31
PID 2588 wrote to memory of 3000	2588	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d.exe
"C:\Users\Admin\AppData\Local\Temp\48b9c161fac25568da186a0463ea07b266553bb3bfa017675da51152d7407c4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8288.tmp\Driver_DR800.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2124
- - C:\Users\Admin\AppData\Local\Temp\8288.tmp\dpinst-x64-multi.exe
    dpinst-x64-multi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8288.tmp\DarumaFrameWork.dll

Filesize
510KB

MD5
45eb2b7c457702c102472d1d2773802c

SHA1
5923c1f8ab8903742edc5bd9e481d1b47b67673b

SHA256
bfff25cd5bdf0299e3b07bf0c4b079ded11efa89a1b3498ed7b61bc36af16595

SHA512
33dab0f08b81322d41a71b33c404676847ccecc354e61376f74c571fcf214116381d80863376a7c935749b6f1fd5e57572e93d3fe84380995fe4bd763a704a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\DarumaFramework.exe

Filesize
429KB

MD5
9b603f073154a2a5df92822e77da5880

SHA1
687c63a7c9533b0cc3cb00a2f26eb53cd8e26587

SHA256
d0698777bfb2352c5b1c6d5ef68ef2e8dd38808f2846df9ece7a2bbb1dede960

SHA512
9c7cf68eeb423a3362320b2c952ff89c074f7c678c0c206659622a4684884471af3b9ad15630c34210d19da22010cfb2fb4e348d7666ea147ea1c7eb48fb0df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\Driver_DR800.bat

Filesize
48KB

MD5
f0220f0c620a20e58fc6aafe62ecf500

SHA1
c3e245d304f41658cbfe363be41c08708de9a1ee

SHA256
d260c674766b9f5b1cbb051a38d8a7fa6681d7ec07490b09ee2597c27a1cc938

SHA512
250c53ff396d6137c6a81c61c506107f9c805ad38efb479290cf6857c83cd510fd0ecae31431a6e4e1b84857e07e7d2d68e58c699dc5c5468a3c614308bf0eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\GNE_Framework.dll

Filesize
276KB

MD5
8418ddb944c5d1e472d6d71b06545386

SHA1
713d0a1fdef5bce12eef5c5b454bb96d25aa65df

SHA256
a38c8f68b58250f24f0e3fd48371e282ee4f50b72cfe2305113402f907526d2f

SHA512
35471674b2f627768d3d176df527e19a355c188bec8b913c13c77d8b83b8e5bf25985003e83d9de4b1473202b30b83cb185638e1de8627801aec515d6864c4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\LeituraMFDBin.dll

Filesize
231KB

MD5
b06fabbb93af2b423652e4223b702e51

SHA1
450f957ffe6a1396d05597b0934ae11e10b13dd6

SHA256
eae77ba4c3b788aebecf859edcae415920c45f86fe6cb16fe1295a5d9a26a505

SHA512
326226bc8fe5efe6a84d271694fb89e90b708e7696cd4343fca8d54186eee24ccb92129f9a90188f35338b404353a1e440379acaa5af2db5c719c2f4bb37ffa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\Logo_Daruma.bmp

Filesize
7KB

MD5
4c48e660fe050a49bf88546872c56063

SHA1
e250b341bea3967e42245dbc8ecbd5e2122fd5e7

SHA256
58be92cd007e9539423f80a05f7ef2cfcb808c883985a48a4c61b465b635f647

SHA512
e1106ad7a32818bb2b276bd17679be9b2a40b74aed61c0224cd2b6683479b4d560ec9e7a9b560e300548dc556861b876ef3e7b2ff4c753f064d80d3c29ee7b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\Magua_Daruma.bmp

Filesize
155KB

MD5
7c2dd8e0355b60ad4dce90ca60ff4b6b

SHA1
40912044346c178a19b61690abf7c536ff866813

SHA256
ecd1d1f867c918588b73eb42eb87fea9bba420830e22b34c21c015bf2b12dab1

SHA512
4db9acefb4430e5a8105005424f33780df2739c522a0c2ddb9c6d9592225b9ee06eb19284182b7639b4e142bee565d81aadc3333523e785ccc796629b7a01cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\QrCode_DarumaFramework.dll

Filesize
38KB

MD5
b2704fb82a92bf876196ca2401bc80e7

SHA1
1264a1a8912494b705b63e8c1d99d6506d83e07c

SHA256
d67c1f6a0997e426798a8a811cdda623af8876f7f1c3df5d61a8ce371b19003e

SHA512
a008dee16a243e7bdfc21ad58a6f3fc44fc1bc3474035d3dbf410aad539c3b0842897e3b4477d3aac9313898db3a12d7c7df19763b626034d9c426a510bc07d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\WS_Framework.dll

Filesize
650KB

MD5
575cc2ea16b92ca1d2cfd8b7e05c5010

SHA1
2c1f63a40dc12dffbde0b907903b6148d32f8651

SHA256
379b609f5715ee809d8717cd0756d0ca6540b66b75ade2915301419109e4b9c0

SHA512
f08bedff73ad2a0edde5d51b8e3bd6f61e0a11e88de41fd23db0c8d518f9eb5cc595b32267529fbf95862b27227e6552e1c6c4cb031e6eaeedc46b1d2fe3616e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\dpinst-x64-multi.exe

Filesize
516KB

MD5
fe6b791e444b021a14a80cc09d480a90

SHA1
6488cffbe37a14f26d23a731eb88e5e6ff8390c7

SHA256
9ee75cfdc41ecd5efc32ceae68584b62c0ae1db407ee2901ca68fb7db96dcbd5

SHA512
43537bfe1dde8271098bfd65bfc343a7bba5e3e7bc6f10b84b92dc987287151f20f21df9c985826a0dbe43956af7f1cb627f86b20fddce06648f871de8a6b94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\dpinst.xml

Filesize
2KB

MD5
a906835264485eae004a7ae51f4dba0b

SHA1
6773f3ef8539b884188592f721c3d65d5b4d9ebb

SHA256
b78a7829237c6a801e76e052d6f899f238a1ba3375270ecee1034bdccfca702e

SHA512
0f715083baa741d7835447a9e291a26411de71c20aacf30600d01822a1c65329b83b1cc486bfe280124e9e13bfa11b73b6c53d6b639d87aeea16bb5a1f213e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\informations.txt

Filesize
897B

MD5
ada76874191c4405a27f56a6c2921777

SHA1
cd59cece49b44ebcab0d2199fcb7fa9ede668d86

SHA256
bed3d4c3c475225172d1fdff1e37b129b16adaa029e7d74f1bdfc32d2c1d787e

SHA512
df919a44481769889429460e7e562ff0528b3881747c208c97d40515aa5561163545bf68f2f285ff2ae0f9f64f13f65397530e33bd71244fe9a34b484544b13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\lebin.dll

Filesize
181KB

MD5
1d083cddeddb26b23adae481cb8e239e

SHA1
d276e7cabe5b6d269de77188c2cb5041ea8653a0

SHA256
8ce586a8ace47e8aa5fdcafd887512db2d20f841feeea80a2a31d485c6591085

SHA512
16a5b80f593275deafb81b4cbf590476c323ba2010472dee51278b3f27fd9dba877029b705e3aadb14a41773dcf504be8f50c1d78f1c7d1e1168e6860f624a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\8288.tmp\logo.ico

Filesize
105KB

MD5
859c8dcb48e1168d82a863ce89618968

SHA1
d1b61aa9239e160435e8d5a728936cacaded4961

SHA256
c9dad6df895ebaf21a645e1a4b99c10331c2c941fc0fa56f6fa824664c996398

SHA512
bf2d1564ff3b5a68d0872cfa91a7012151e392a7c17a964cedc28a5043ac7b52f9af66829e6db8b8c117c524cb35541efb8844ac9ced79a78d7e0b073d6f72e7

Download Submit
\Users\Admin\AppData\Local\Temp\8288.tmp\dpinst-x64-multi.exe

Filesize
429KB

MD5
52e144a879fc1b3ee8c3e2c4a000af07

SHA1
3a916a691f09316980f62f5d4a3653f1b371af2e

SHA256
9c22f5b1ab3ab72cd0b37c3de307ff7f21db2fdb99140d94dc7d30da070c6730

SHA512
e663dcb70ff649e5b5481f5d405758f1373fcb3a9eb29811fac9315907c7594e11f6781bcfe864bd3d9375c7adabdd75b6971fad2383e50227a3fc10db20de30

Download Submit
\Users\Admin\AppData\Local\Temp\8288.tmp\dpinst-x64-multi.exe

Filesize
373KB

MD5
b358c8f3e69380a1c589f3e27f431918

SHA1
93868527729ae4cdca95fcde7d9ef1a7a1598b17

SHA256
d3d4d8a7f352dac33ee9bb1fe2c563dadaccc7751b2a76b83f5f02a8b25a037a

SHA512
de714a7f13b5603f3b27c5821113c6047b6b22de3b1d762cb43464cc9dd3483717115ef1b59aee20905080402bcf008ee74e4893c8e355d0d3e58efaffdcfd0f

Download Submit
\Users\Admin\AppData\Local\Temp\8288.tmp\dpinst-x64-multi.exe

Filesize
570KB

MD5
7892b662f977c68954c4d65ba447e3d4

SHA1
77e1bc913416aa16b3d922d1c1c084ff743eb799

SHA256
f6372718521ad09640adb745b284e2dbf1d0737329eb3d9e25aefd4c8567f61f

SHA512
54f36cfe39c8737f31b59acd3b037c883a7fd31f7bd37183732f6f7a9fd13197095ca5572b097dab28c76eb784373d96efe727268ab204fa3d0255dd2a60638d

Download Submit
memory/2516-0-0x0000000000400000-0x0000000000F8C000-memory.dmp

Filesize
11.5MB

Download
memory/2516-122-0x0000000000400000-0x0000000000F8C000-memory.dmp

Filesize
11.5MB

Download