c695c23b06fe4ecbe888a2f937ab7cb2e67465219dbbcf3bbd18748b9accf73e

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 17:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

570481b43474f26ffa169e52c68e347e.exe
Size

319KB
MD5

570481b43474f26ffa169e52c68e347e
SHA1

4d6325037ec9534f1a7045f1e602566977b17f25
SHA256

c695c23b06fe4ecbe888a2f937ab7cb2e67465219dbbcf3bbd18748b9accf73e
SHA512

6bb8e1c4cca6691c73a12fa394bb35f7728c5b44ea7a3155fdc828c2bd1949e7e90de9b029e5383ea39b94141cf055d4a7863364c4ec7950794a6586d6ea0d94
SSDEEP

6144:So4UpXWoc0vqHIwebkPRSGMznXzvcXYRsCei+Tt5+JVfMnAWmcFuz:nGocwMIfOShPvcX4sCX+B4VfMOLz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	xantacla.exe

Loads dropped DLL 3 IoCs

pid	Process
4268	570481b43474f26ffa169e52c68e347e.exe
4268	570481b43474f26ffa169e52c68e347e.exe
4268	570481b43474f26ffa169e52c68e347e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 2848	4268	570481b43474f26ffa169e52c68e347e.exe	89
PID 4268 wrote to memory of 2848	4268	570481b43474f26ffa169e52c68e347e.exe	89
PID 4268 wrote to memory of 2848	4268	570481b43474f26ffa169e52c68e347e.exe	89

C:\Users\Admin\AppData\Local\Temp\570481b43474f26ffa169e52c68e347e.exe
"C:\Users\Admin\AppData\Local\Temp\570481b43474f26ffa169e52c68e347e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\nsh4CE8.tmp\xantacla.exe
  C:\Users\Admin\AppData\Local\Temp\570481b43474f26ffa169e52c68e347e.exe
  2⤵
  - Executes dropped EXE
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh4CE8.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4CE8.tmp\nsJSON.dll

Filesize
23KB

MD5
311f1c457421ca059b31ccc375dc4168

SHA1
f7ac5e383fcae4facf7f16e69d909f181089edb3

SHA256
a17f2d61b8045741af80c656baa4e1296a9a2bbd5f0dc90a55a7389f4c1c177e

SHA512
e45d944b156bbe7f0056945d0ab3628f59f93ef772ad650d9e6dc757d4674b0a1b4a71c586799f2f0f913b5655a831f24acea65e47312c3de240c2f788f07d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4CE8.tmp\xantacla.exe

Filesize
805KB

MD5
e81da49347a19887383586b85608963f

SHA1
0971b54543ee145e952b1f88c6ef8130fef60345

SHA256
b177a214c3e6ed29948d9e76755ff2a1238aee69dc9f35e298093236af4c6ff2

SHA512
5f51ee4175f09297156c9358d876c09cf04255a03f15ee3e8930a9b6d33a858a135883e742f77599c38686addbceb877e6096b47597b2eaaa98811bd7158b16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4CE8.tmp\xantacla.exe

Filesize
512KB

MD5
bd890806b6b11f821cd9e0eddb40aea8

SHA1
c0c5a00a69a322800109f4689f14cb75de492007

SHA256
5bd588635ca3164d112590a129c137fd494e324bd0c2ba516bbb840f8cc832cc

SHA512
4d260a1d030bbb6fcc298b286483718a724fb20b8d3b00886ae991ea07ed9100cb7bbc3c3a9b428d84f47beaefed297c3f0d32fc19159002513147c3ee809094

Download Submit