dd0b856cfae3e47857fd9b02e8704fb47b2cc7d7b5419709bffc3ae1f9fd3e33

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

656eb12e066611facea04c07829c6463.exe
Size

1.6MB
MD5

656eb12e066611facea04c07829c6463
SHA1

081f1246067d9357dc14746d9f485ab6ccefe3e4
SHA256

dd0b856cfae3e47857fd9b02e8704fb47b2cc7d7b5419709bffc3ae1f9fd3e33
SHA512

f8a150df2f3393f899d0ed9fadf2447cb6d5a5182fd02f347ac165dbb23143d011c1e2ef78d010955d80ef62dfb062e95e308a658d86bab688bd8f175f115a3c
SSDEEP

49152:j2fp/YXq3wH+WpBaR7CRqrTJX7jExnDe7G/aQ:Kfp/Oq3wRpgFrV/Exq76

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1904	Stp4B70_TMP.EXE
5012	Stp4B70_TMP.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3656	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1904	1964	656eb12e066611facea04c07829c6463.exe	89
PID 1964 wrote to memory of 1904	1964	656eb12e066611facea04c07829c6463.exe	89
PID 1964 wrote to memory of 1904	1964	656eb12e066611facea04c07829c6463.exe	89
PID 1904 wrote to memory of 5012	1904	Stp4B70_TMP.EXE	90
PID 1904 wrote to memory of 5012	1904	Stp4B70_TMP.EXE	90
PID 1904 wrote to memory of 5012	1904	Stp4B70_TMP.EXE	90

C:\Users\Admin\AppData\Local\Temp\656eb12e066611facea04c07829c6463.exe
"C:\Users\Admin\AppData\Local\Temp\656eb12e066611facea04c07829c6463.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\Stp4B70_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\Stp4B70_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\is-Q6LC5.tmp\Stp4B70_TMP.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-Q6LC5.tmp\Stp4B70_TMP.tmp" /SL5="$401E2,1335752,53248,C:\Users\Admin\AppData\Local\Temp\Stp4B70_TMP.EXE"
    3⤵
    - Executes dropped EXE
    PID:5012

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stp4B70_TMP.EXE

Filesize
396KB

MD5
2ee8803ef421850dfebf83ff04b916d3

SHA1
8c6cea0f477ee6024648b1427ed62e941a62605d

SHA256
521074200b80d9cd8cc196a809ec6e2a1b9d9748c2df9bc5da3dbeb785bbd366

SHA512
d5da440ea624ccc686fdd9bf951453c8f543b5de53ebcc0b4095ce9476f17d5c16bc9352337ccb1b6f3ed3e71f0b62805d2d6cf3966e8f16268bc10022e7ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stp4B70_TMP.EXE

Filesize
379KB

MD5
63dea55ab1e6ab5fbb33d3b1c4331c20

SHA1
a93ee54f23c83db546bbf81d6b4e0888624a9f0b

SHA256
5c3b7c350b6d851206f5329df8c6a08ef07202e2a8c9025abbca14c926bed061

SHA512
cddf99125e1ff846bf41b0c0c137714773ae665bf947fb4e5e313a63aad35d93866a8fa2fd77dd53af82e3ce888acab9a130e25fea8f17fa9ff924d6b4fdb54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q6LC5.tmp\Stp4B70_TMP.tmp

Filesize
510KB

MD5
966515ef6229739f8e2ddd4df01ed33e

SHA1
57044f315cfe15c27c5df29435f77309a69db383

SHA256
4646bef319c512472c3260a1a1c8bc9cb58391741bb6901c9cb3462063feee2d

SHA512
95b778f1eceac840074af6434e10880f037902d50d9aa88f9a4fbeea580d1bbeabac364ec4669f0488f53f0fd74a441837a2d126b67814231c903c15a330e647

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q6LC5.tmp\Stp4B70_TMP.tmp

Filesize
568KB

MD5
4da4aa4324390073cd22424e4c9341dc

SHA1
8f891c77fbfb4b7a8b6195d62f50fb2078a73ab0

SHA256
2841d17f76a9649669f929a69ac57057fcee625fb8d3fc33cd7177dd31784ce5

SHA512
8734a94de9f0d46c64f0092f6e4ca1cc57453787ffefc45d2dcc7fca73bf5416a39a34a94ad64e739e70056ed451490e7e71c855c10b7a7eff49793450e02d4a

Download Submit
memory/1904-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1904-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1904-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3656-62-0x0000023967660000-0x0000023967670000-memory.dmp

Filesize
64KB

Download
memory/3656-78-0x000002396F9D0000-0x000002396F9D1000-memory.dmp

Filesize
4KB

Download
memory/3656-80-0x000002396FA00000-0x000002396FA01000-memory.dmp

Filesize
4KB

Download
memory/3656-46-0x0000023967560000-0x0000023967570000-memory.dmp

Filesize
64KB

Download
memory/5012-11-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/5012-21-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/5012-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download