f64de4aee0bc21db63da573ccb97b7d9a8d1e8dfc29bef72d8c8f26c4ec640cc

Analysis

max time kernel
133s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/setup1.exe
Size

397KB
MD5

a2d36b591513af7aa3d7da01c2ddf432
SHA1

2df8641ff14ec3f4025b8f7c2034295f6908e7f9
SHA256

047653b99298bdc44984d44da351f2194bc11470f376d5357f3f9227362b29e9
SHA512

36daa729dd3b078c65cc6b62d3f437cf83b8c42a9d2fc81fb1071457ef66c7ef365f66ca5cff0f18b5cd2d040a082a3fc48a7c78bdbb8b4051c71fd4249e8116
SSDEEP

12288:X8xon2wpGX9NHqhs2AMYXfLEPl7OTkjwhT:Xen9ghs2KXTaOB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1856	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
1856	setup.exe
1856	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1856	540	setup1.exe	84
PID 540 wrote to memory of 1856	540	setup1.exe	84
PID 540 wrote to memory of 1856	540	setup1.exe	84
PID 540 wrote to memory of 1856	540	setup1.exe	84
PID 540 wrote to memory of 1856	540	setup1.exe	84

C:\Users\Admin\AppData\Local\Temp\$TEMP\setup1.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\setup1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\F4B0\setup.exe
  C:\Users\Admin\AppData\Local\Temp\F4B0\setup.exe 00010802
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F4B0\cdnins.dll

Filesize
136KB

MD5
0e7188429734bf5d7cc7111bc8b963b1

SHA1
e7441f709aab17b4ea13580b3bb5b32425dc0a92

SHA256
b5d9f15b7b4805f317be51641c1226708d96f6d257889c6275429f1a9a4eae14

SHA512
d0eb7728f1820c3a325012ee9b3e3d4b1a7db7ed44da870616b02be549264b22987547352a9a4fa542cf3f37e12423d71c28a480cc6bc8b7547dab6805e499e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4B0\cdnprh.dll

Filesize
72KB

MD5
4152d00fe6e6fb2637f6207571a1eb63

SHA1
bd433d41d04711b76084e996c5dcb753100788e8

SHA256
37b8420ef45e7cd6c1426388411beb301a2b2e59d8e83a68d0fcf06e4d7df6a2

SHA512
ced579aa67009aa30fe0b54fc8a4fcd7f0aa3b8679e65f9fc52a7fa1f020e31f23fb8d579466ce1985b4ead02275f2b7af757a18f66bf7654fcb4d9abb2449de

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4B0\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4B0\src.dat

Filesize
162B

MD5
82373e27577e0653bc9609b052af09b5

SHA1
b80d789a68a03517c1e6fe17c9a0524ac98a356a

SHA256
bd6cef7f43b8286301f1ba29cd82456ee0995ca80e2e49eeac8d131e1af15398

SHA512
1a04b5e7a0c25d331e02d3c33b016a5413f43dbdc2f7ac1e1d936fdfa34a8df38815dfb6c25bbaf60936d06074fc2098e3d772fcb33eb48f9662992e7988ff49

Download Submit
memory/540-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/540-28-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download