e3737932f2067f8a817956844a4d3bdc5084ea268e8b6c4a6d4d53be5dbb0ae8

Analysis

max time kernel
140s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d015d9b4f83b1882c05f6affd523dc.exe
Size

1.2MB
MD5

77d015d9b4f83b1882c05f6affd523dc
SHA1

8eb0ed09ec7a5e6dcdc681a532f8867c6f19e1de
SHA256

e3737932f2067f8a817956844a4d3bdc5084ea268e8b6c4a6d4d53be5dbb0ae8
SHA512

15b9c8364b608f9b1d31e2ea9ede2760bbdbe05f1b86f96c0b7371c8fd74d879dd2087ac6895bd0e3455126aa2ba04e16c7ef1dfaa063dc52028abd29a019677
SSDEEP

24576:L20Ndjxn9JJ0+UqzP0VWDeP5OKrdDwOwhR7fF+r9AgY7rmvZf5/I:L2KjJH0VWWOLhBfF+Z7ECvTI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3040	77d015d9b4f83b1882c05f6affd523dc.tmp

Loads dropped DLL 3 IoCs

pid	Process
1272	77d015d9b4f83b1882c05f6affd523dc.exe
3040	77d015d9b4f83b1882c05f6affd523dc.tmp
3040	77d015d9b4f83b1882c05f6affd523dc.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	77d015d9b4f83b1882c05f6affd523dc.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3040	1272	77d015d9b4f83b1882c05f6affd523dc.exe	28
PID 1272 wrote to memory of 3040	1272	77d015d9b4f83b1882c05f6affd523dc.exe	28
PID 1272 wrote to memory of 3040	1272	77d015d9b4f83b1882c05f6affd523dc.exe	28
PID 1272 wrote to memory of 3040	1272	77d015d9b4f83b1882c05f6affd523dc.exe	28
PID 1272 wrote to memory of 3040	1272	77d015d9b4f83b1882c05f6affd523dc.exe	28
PID 1272 wrote to memory of 3040	1272	77d015d9b4f83b1882c05f6affd523dc.exe	28
PID 1272 wrote to memory of 3040	1272	77d015d9b4f83b1882c05f6affd523dc.exe	28

C:\Users\Admin\AppData\Local\Temp\77d015d9b4f83b1882c05f6affd523dc.exe
"C:\Users\Admin\AppData\Local\Temp\77d015d9b4f83b1882c05f6affd523dc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\is-IHKFG.tmp\77d015d9b4f83b1882c05f6affd523dc.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IHKFG.tmp\77d015d9b4f83b1882c05f6affd523dc.tmp" /SL5="$400EC,1014761,54272,C:\Users\Admin\AppData\Local\Temp\77d015d9b4f83b1882c05f6affd523dc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-0S0J3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IHKFG.tmp\77d015d9b4f83b1882c05f6affd523dc.tmp

Filesize
680KB

MD5
e60a74a65005e4c4f61cbe9c09d368df

SHA1
1d649b2ab5e08632d64e23f5f9e5675b68e184b4

SHA256
78f6692d50d07bd78a97294d196f9ae7d1fc48b058375e5d7bb766970faab758

SHA512
a73b84739f4da0827976cf473e63ba3dc7649ab2d37be13c8fb786487d0dc7ef5b2bd446d8c745d75266447357bde4f32f58f1f1c92b156f06f141fea2873856

Download Submit
memory/1272-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1272-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3040-16-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3040-18-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3040-21-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download