83d89eddb8098b424756a8bea9764b9a2699b7aefd883909eace7e3a358e04ed

Analysis

max time kernel
140s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExamDiff.Pro.exe
Size

2.9MB
MD5

533c8eb8f72d359822d4e92d227f3404
SHA1

2b8bddd0f0e03b5e42fe1d414abe308e2d0c80d4
SHA256

95a90fab67614efe1748e3ceea05cbc5fae95c85f2f47743fc078ade78207da8
SHA512

01372d560402ef784448b6b4d2ec755580d54300caa731dfd7a5a65df1f4aebdb61b36d2fbc622a9908fdc94631eb576904debe810d78983f4603e0e56a76660
SSDEEP

49152:dG/Mny0++uIaC6LDGbLoLuQQIVGAlwoS/kJ2qmWLuMIkbqPdpo2ApQUIx83oxl0u:4L0+XdC6LKoxIo7ppuMoj0s9T5VRF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4468	is-NP6NT.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 4468	3544	ExamDiff.Pro.exe	16
PID 3544 wrote to memory of 4468	3544	ExamDiff.Pro.exe	16
PID 3544 wrote to memory of 4468	3544	ExamDiff.Pro.exe	16

C:\Users\Admin\AppData\Local\Temp\ExamDiff.Pro.exe
"C:\Users\Admin\AppData\Local\Temp\ExamDiff.Pro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\is-6BAGM.tmp\is-NP6NT.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6BAGM.tmp\is-NP6NT.tmp" /SL4 $70206 "C:\Users\Admin\AppData\Local\Temp\ExamDiff.Pro.exe" 2815984 52224
  2⤵
  - Executes dropped EXE
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-6BAGM.tmp\is-NP6NT.tmp

Filesize
656KB

MD5
d07663a3543b51cc749a61725fe2a96e

SHA1
7882912ba30b6b5e0b127d643a8116a22a1e5036

SHA256
cf116e77f36469b510f0eb8ba6377bfa756f12513120168fb5a19665324357b5

SHA512
cf21d16716cde72043d38ec94c8a9fcf7a69d79e84b6f3a7140f733731fe5ceb5de76cc4b305e913600614ff007973ac10251cdbda09b1df5521821d0886743b

Download Submit
memory/3544-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3544-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3544-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-10-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4468-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4468-17-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download