9adb99e8650bab9e07206f93d3ef23984395a12c9c6dd17dc34823c12aa034a5

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 08:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

64fe4105b1f43044606aa234e9a1ab61.exe
Size

492KB
MD5

64fe4105b1f43044606aa234e9a1ab61
SHA1

3ae1e0a97b757d6617abec1c84f3666abd8fd186
SHA256

9adb99e8650bab9e07206f93d3ef23984395a12c9c6dd17dc34823c12aa034a5
SHA512

ce2d2afbe02959b19964829270554215e10ee2f497a79b6702ef5cf8c26c44f502993396e00685e48564caf17cbedcd5e3b361bb2b8a73d705d381129757c623
SSDEEP

6144:BME1nmg1tDbJ5621YNzigK30Y/xJS4AGgnVUdLrgg81gxaJZ6b1XHZZTHaOTfFDq:ugnJzRxJXA5Sngg84b13TV5ON

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1820	4mv5.exe
2780	4mv5.tmp
2788	a1x.exe

Loads dropped DLL 9 IoCs

pid	Process
1732	64fe4105b1f43044606aa234e9a1ab61.exe
1820	4mv5.exe
1820	4mv5.exe
1820	4mv5.exe
2780	4mv5.tmp
2780	4mv5.tmp
1732	64fe4105b1f43044606aa234e9a1ab61.exe
2788	a1x.exe
2788	a1x.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Messenger\is-2T5A2.tmp	4mv5.tmp
File created	C:\Program Files (x86)\Messenger\is-BEITE.tmp	4mv5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2780	4mv5.tmp

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1820	1732	64fe4105b1f43044606aa234e9a1ab61.exe	28
PID 1732 wrote to memory of 1820	1732	64fe4105b1f43044606aa234e9a1ab61.exe	28
PID 1732 wrote to memory of 1820	1732	64fe4105b1f43044606aa234e9a1ab61.exe	28
PID 1732 wrote to memory of 1820	1732	64fe4105b1f43044606aa234e9a1ab61.exe	28
PID 1732 wrote to memory of 1820	1732	64fe4105b1f43044606aa234e9a1ab61.exe	28
PID 1732 wrote to memory of 1820	1732	64fe4105b1f43044606aa234e9a1ab61.exe	28
PID 1732 wrote to memory of 1820	1732	64fe4105b1f43044606aa234e9a1ab61.exe	28
PID 1820 wrote to memory of 2780	1820	4mv5.exe	29
PID 1820 wrote to memory of 2780	1820	4mv5.exe	29
PID 1820 wrote to memory of 2780	1820	4mv5.exe	29
PID 1820 wrote to memory of 2780	1820	4mv5.exe	29
PID 1820 wrote to memory of 2780	1820	4mv5.exe	29
PID 1820 wrote to memory of 2780	1820	4mv5.exe	29
PID 1820 wrote to memory of 2780	1820	4mv5.exe	29
PID 2780 wrote to memory of 3012	2780	4mv5.tmp	30
PID 2780 wrote to memory of 3012	2780	4mv5.tmp	30
PID 2780 wrote to memory of 3012	2780	4mv5.tmp	30
PID 2780 wrote to memory of 3012	2780	4mv5.tmp	30
PID 2780 wrote to memory of 3012	2780	4mv5.tmp	30
PID 2780 wrote to memory of 3012	2780	4mv5.tmp	30
PID 2780 wrote to memory of 3012	2780	4mv5.tmp	30
PID 1732 wrote to memory of 2788	1732	64fe4105b1f43044606aa234e9a1ab61.exe	31
PID 1732 wrote to memory of 2788	1732	64fe4105b1f43044606aa234e9a1ab61.exe	31
PID 1732 wrote to memory of 2788	1732	64fe4105b1f43044606aa234e9a1ab61.exe	31
PID 1732 wrote to memory of 2788	1732	64fe4105b1f43044606aa234e9a1ab61.exe	31
PID 1732 wrote to memory of 2788	1732	64fe4105b1f43044606aa234e9a1ab61.exe	31
PID 1732 wrote to memory of 2788	1732	64fe4105b1f43044606aa234e9a1ab61.exe	31
PID 1732 wrote to memory of 2788	1732	64fe4105b1f43044606aa234e9a1ab61.exe	31

C:\Users\Admin\AppData\Local\Temp\64fe4105b1f43044606aa234e9a1ab61.exe
"C:\Users\Admin\AppData\Local\Temp\64fe4105b1f43044606aa234e9a1ab61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\is-U48NP.tmp\4mv5.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-U48NP.tmp\4mv5.tmp" /SL5="$6010A,61265,51712,C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Messenger\messenger.jse"
      4⤵
      PID:3012
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\a1x.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\a1x.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Messenger\messenger.jse

Filesize
13KB

MD5
c90e8e4c3ef4aaddf0692028ac2b73e3

SHA1
72240eec4de9f1865a91ac64bc3503ba6bf14f1c

SHA256
b7ef4d14eab14f133e61f7582b4120a1b8b576dcddff46959255d857ba66efb0

SHA512
a5b6cd61d58f9a12e21dd2c5bfbf796df37f71df20c6be17fb5ba88885091ebedbbc49d8d76f0d7deb1f1f067735b4a118dc6d83c049ba0b93b8296c82839f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
171KB

MD5
3b65ec6b479ce7d4cb596aee35b6ddbc

SHA1
96578f97e43fc78de2d000cb8f46262284e07a16

SHA256
257610fcdb5370e045b451283a0a2ff9a86c058dbf4e332501707bc21dcc7572

SHA512
b1cc55fe23a2b065dc8872fa43a7019c9009421023dc45672ef6553ffea135408112bec294d49afcebaf0979aaee497419a1b8e42ecc35a99175cb3dde6f2211

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
171KB

MD5
d3401738916e5979d71d27bf24b6db53

SHA1
a42d8a3c643becbf50de2ef56bdb98bf5c15d116

SHA256
57f2b53ca6d1189c52bf0bdcdfe1f62bca0379a63aef6f8e7d4b0edebab659d0

SHA512
b95ce2b0e8f522de9fd7fe36c5d43ae64aca1a199c722a3b9d349dd0d7b39d0fcc60635bbe4b0b85f15a76b8c085fe6a283f55396a195553d4c6ccf50ef15de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
149KB

MD5
70f8371cb19b7140d5ef1d0436107e0f

SHA1
96aa8dca87c6e93ea85da1107497c03582ea0e87

SHA256
9c957c0fcd838ba6706333483a8c22188314aeb6ca0a080cf618323b8adba121

SHA512
ace42abc51e813a1927846c1f09c12cdd5dce8d1f40af313c86fa4ee771765e14a0447810ed20b3adb68174ab65b66ec3a4c4496e65dc04ae67676f9e9230fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U48NP.tmp\4mv5.tmp

Filesize
51KB

MD5
8d9b2cfdda35baafdb1b8694534bc38e

SHA1
ff35acbcddde95033bd49d44822e6d88f1b9ee49

SHA256
31a7d468196afc48e6d1227fc9dd79e096d3b70ca1da2102fcb46c357074206e

SHA512
63292050833d0cacdcec471e02e649729f848fb222bc1cdb7647e5cc09bffb58dd20d0b24acd9b4655ba99ab0b6bb9f31b84b1730d552ad20b89f7707689d524

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U48NP.tmp\4mv5.tmp

Filesize
49KB

MD5
d8e84ce96659cf2e931eb49691f4c912

SHA1
45325e3e61d50b60f1a5dff580d89836892bca6d

SHA256
159d7030590ec60a7c2320d43bcd1dc2db76e8c0694e6fd5c8c594dd1756ad2b

SHA512
18dc85bc4b12050d5a860743fa756f85cdd249a70e58d0e5fb5dae1784e42597286edbb91b82f68a94dfceeacffa9b197c24b0037f385be93450f9390ba7c32d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
237KB

MD5
ffbe5a4fa7ce80b996f5c9704bee0818

SHA1
a26e6c2597df0308815d8bf3fa9ec21f76595c4a

SHA256
f5760de02858869e29600df7905d4adfd8c6ec5d24e9604ce018267c1bcd238f

SHA512
bb1e72aa2661bb925930c8c2681f33ef3f273b43fcf664deefebe9b35c74efaa5cd381925fe9fc676887c0160f776fe1dc874e548125b3dd2a0f20270d211b14

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
132KB

MD5
d548bf62da5a01a75922ed27afafea70

SHA1
234473519c0d4f65e3506806dbb1e623faf26ded

SHA256
0e421787673af65b0b40b4a1c5b69e2adfef80f78cbce08c6f0c4f6c0bd2e96c

SHA512
89a6ef9fb1fe34d053db058988de6ae78a3bf9e3c113564d390dfbd9aff66b8696ed42336d0297928ece76d1159dc2f753184aff2462e2bf06b415fd76f37064

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
275KB

MD5
a269c914271194b906fb404612932b40

SHA1
ba5176a0c3bc914341f2c6532add0604d4cd46cf

SHA256
c4991d6bc2c6154062248c16bd9e824c90e34c0bbe3b8658135d4148b58a7d81

SHA512
cafaff274c7cca87d6e64d0cb58152c55a1e8a1d223bddd7e895066639e38ecf1981626c281a4208c4d649ecfb86c8529ad7fb69fdcb0b72d9d9cac1d062d57a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\a1x.exe

Filesize
102KB

MD5
4c2db3eca26e374ee8975e1215665a59

SHA1
d1d3026787fbe3ad486034cd382b33a0724ce5c3

SHA256
27dc589c6aa4c6d4f8d32c823d9a9f0a458124caa88c994cf585a3e4985003b5

SHA512
7228a9181bf366ec929b580622b1cce90760cedc726a7ffcc87c29a65f4d8bfa8202640cf6cbb41b0a211d374867ac3634e866da5fa5a3ffa21ee4e459165199

Download Submit
\Users\Admin\AppData\Local\Temp\is-QT971.tmp\_isetup\_shfoldr.dll

Filesize
8KB

MD5
f1de65222a085354a74ab7afa3ab76ad

SHA1
dbef4f489ab64f1f1c96a3b2df29bde653e1df40

SHA256
9bda0a6a3f2033f47ea67d9e752f512f97b80ca12f4250f5fedc79a631d56bdd

SHA512
bd9375d36bfeda313c1f9b6454a513fc6822f3c1010a4bbb7c9b9557726183abb3e3261c41126fb97fe98ce8853e1b9183461fc3190b2103ce35a8e2fa7bba93

Download Submit
\Users\Admin\AppData\Local\Temp\is-QT971.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-U48NP.tmp\4mv5.tmp

Filesize
11KB

MD5
0a30ca6b8d2ab9895a0dece4ba7b6e0b

SHA1
cfcacae72a4c5b7aaa3c97336d577e60f4293bc4

SHA256
7147258b2e748373ffe863593ffaa8685c85f090704e6df6c1a432be9a8e011d

SHA512
a156ea13200ed959aa83885bc84e895d642f510ee39391cb8e8bd92a4ebcc4d793ddfc6efa99f72775a02d7e9baa75c268457dca7d0ab683f1b7806f1ecb2716

Download Submit
memory/1732-50-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1732-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1820-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1820-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2780-39-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2788-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download