d4a153ba4d31be2990e95f2cbf203f75a5756ff8905bae575d7c5b503f7abb70

Resubmissions

19/01/2024, 17:33

240119-v44ffabbh8 3

Analysis

max time kernel
51s
max time network
38s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
19/01/2024, 17:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

mi.rfc.url
Size

209B
MD5

9b801fd0911f1987d1731532993fa28e
SHA1

b99e631f2f6982da917b1ad4574a4dead8375639
SHA256

c0cbd9c9e764a5f8254e4f8f8de64402884f77bccea1b7ce23c485e88d809351
SHA512

29f0719ccba58de720d56effd0ea48ac450bc4d394c4cc25c7741f4448244e42cefc44719be9eec18e9b6964e48c1bba812d7fc04d947e124b9cfd5998daae53

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1956	sdiagnhost.exe
1956	sdiagnhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2560	msdt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2184	4124	rundll32.exe	72
PID 4124 wrote to memory of 2184	4124	rundll32.exe	72
PID 2184 wrote to memory of 2560	2184	rundll32.exe	73
PID 2184 wrote to memory of 2560	2184	rundll32.exe	73

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\mi.rfc.url
1⤵
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDF2219.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\msdt.exe
    -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF2219.tmp" -ep "NetworkDiagnosticsSharing"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2560

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024011917.000\NetworkDiagnostics.debugreport.xml

Filesize
68KB

MD5
50d8d34ed38dc87a06e753132eac6196

SHA1
942fcc48e77ddca43ab4927b33af00e62ee7ed2b

SHA256
305f2bca9e1544692b0da5a020819d61aa89646cb30767be1bd586a4a94c16d4

SHA512
85d3d22a9a1f919308c5239215dea2f8b3316e998ca4c3e2855f9adb132c8b3fe30509a060a1820275c2ec0255ad006ca9cf1b3741e459f59e12836d680d51e1

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024011917.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF2219.tmp

Filesize
2KB

MD5
4a8b802084ba3229dbe80625884b09a6

SHA1
97671867a9ebb75833bcc64ebb6fa72fc607b372

SHA256
d39dd362e53ed5a2e12cf2e2b1eb4d0b62f5835e863a724d5f3431117be681ed

SHA512
3df46ee294a95b8aa3fe213d5d5660de6adf2988fabb10550afd49d8821400b502ac9ad9127b5c7831509bc383f8b4b302dfec776736b4afbd44e1ff7c857a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2ly2t2x.of0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\TEMP\SDIAG_c01708c3-a689-488f-8c86-66a6b4dd240f\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
d18dd3c5d111eecbfec65251d357f3c1

SHA1
5cec3df9e5f7fe3ea0d7226e1461da2de2fad900

SHA256
fc9ce9f57cb224d13ea1b973fa084e8f7fd00dd172d84b7c14e31085c58fea5d

SHA512
6ce2eac565c0fc921f07881c2bb64ba73c670562a8b86456d718c1a75ab6097f623d49a608aa984075d1d764dcdca9b1cd95704f6bf817e7b1081b7b5ae0a7ce

Download Submit
C:\Windows\TEMP\SDIAG_c01708c3-a689-488f-8c86-66a6b4dd240f\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_c01708c3-a689-488f-8c86-66a6b4dd240f\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_c01708c3-a689-488f-8c86-66a6b4dd240f\en-US\LocalizationData.psd1

Filesize
5KB

MD5
91e3038ec5ddc6a0924607b192117a68

SHA1
af46db32086ddd72fbf759ed136f7e66ad5b5b43

SHA256
7e23e58cc90aa265464cb2f5a9da9f2a04ba2541e84ab26a052cc17155a91080

SHA512
fc745c310d0157df2f588dc4f9b991c484712f7935b6e4128e02433c2a2b9cda2daf959af006f63c55a5a9a4e0c8e4caaa4c86d7a65a626d55822097dcb7fd84

Download Submit
C:\Windows\Temp\SDIAG_c01708c3-a689-488f-8c86-66a6b4dd240f\DiagPackage.dll

Filesize
478KB

MD5
b41a1b66b931cd9eec462d4ebc0b7882

SHA1
c7cc141475040cb310a54644dc9b31bab611ae17

SHA256
053d37c266c78a37606bf3afc12434e2a8a506929659f39f49b730c434f29351

SHA512
cdf8121535b0454e5d1cf8303865e74a0aa339f27cd9229656cd7e4e95735eaaf7670805d770b3a915799f9c86099730656397069e92847f17996b924895f57c

Download Submit
C:\Windows\Temp\SDIAG_c01708c3-a689-488f-8c86-66a6b4dd240f\en-US\DiagPackage.dll.mui

Filesize
14KB

MD5
8703029bba82e646f86aac7fdf7cd565

SHA1
865db3122262ad8796b27c5329eadebb4108c82d

SHA256
07cc054e7cb7eb5ebc67ccc923e1d92598d1f7f525fdacfc08260b97b6a4ac26

SHA512
af493f1cb6522d888ec1f6e4190613a9372485f7230ee7e86ceeea91912c78c44e559c49a80053e90de895d69fe52bf719f389b6f16f0c349bc48b9899fabf9e

Download Submit
memory/1956-372-0x000001B2ACA50000-0x000001B2ACA60000-memory.dmp

Filesize
64KB

Download
memory/1956-378-0x000001B2AD7C0000-0x000001B2AD836000-memory.dmp

Filesize
472KB

Download
memory/1956-519-0x000001B2ACA50000-0x000001B2ACA60000-memory.dmp

Filesize
64KB

Download
memory/1956-376-0x000001B294400000-0x000001B294422000-memory.dmp

Filesize
136KB

Download
memory/1956-370-0x00007FFDB24C0000-0x00007FFDB2EAC000-memory.dmp

Filesize
9.9MB

Download
memory/1956-599-0x00007FFDB24C0000-0x00007FFDB2EAC000-memory.dmp

Filesize
9.9MB

Download