16c6c677c0b48b4a8549a69c7301a31a867437f7d57e13eda1cd72ec0b756015

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b7b60d97aae2f07063ab7d27858f94.exe
Size

74KB
MD5

43b7b60d97aae2f07063ab7d27858f94
SHA1

188529696669df9f85e50f9dd3a345d58d3c617e
SHA256

16c6c677c0b48b4a8549a69c7301a31a867437f7d57e13eda1cd72ec0b756015
SHA512

aa3824b4eb7b2001824f92b85f9c41454eed98d5235ffdfde7893f6315c5115b477dfda00e710f3995aa1211762d417278f479f7bb039d25e0006f01665badb9
SSDEEP

1536:5oLDYsacy7mHMowHjXJuF5sdiLZVgHrmyvgHiHzb7ZXdlihh:5oPyys5jXJuF5ZLZWHrmyvQh

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 13 IoCs

pid	Process
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe
2220	43b7b60d97aae2f07063ab7d27858f94.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	43b7b60d97aae2f07063ab7d27858f94.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2808	2220	43b7b60d97aae2f07063ab7d27858f94.exe	29
PID 2220 wrote to memory of 2808	2220	43b7b60d97aae2f07063ab7d27858f94.exe	29
PID 2220 wrote to memory of 2808	2220	43b7b60d97aae2f07063ab7d27858f94.exe	29
PID 2220 wrote to memory of 2808	2220	43b7b60d97aae2f07063ab7d27858f94.exe	29

C:\Users\Admin\AppData\Local\Temp\43b7b60d97aae2f07063ab7d27858f94.exe
"C:\Users\Admin\AppData\Local\Temp\43b7b60d97aae2f07063ab7d27858f94.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WScript.exe
  WScript.exe C:\Users\Admin\AppData\Local\Temp\Temp\O1g8x0hNmuP8rEYuJjIAq1g8x0hNmuP8rEYuJjIAq\310714_is.jse
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyA288.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA288.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA288.tmp\nsWeb.dll

Filesize
8KB

MD5
84bcf3c71e70d5a6e9dc07d70466bdc3

SHA1
31603a1afc2d767a3392d363ff61533beaa25359

SHA256
7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf

SHA512
61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA288.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit