e0045407f10c384d0ad971cc3a721e32898552c20c90f8b20abbc6c36dd1118f

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99701818f32f8f718f0e2230be814d73.exe
Size

2.0MB
MD5

99701818f32f8f718f0e2230be814d73
SHA1

d254e38329331cb4175a833a181c9c5a1457f95c
SHA256

e0045407f10c384d0ad971cc3a721e32898552c20c90f8b20abbc6c36dd1118f
SHA512

27440af963b8bb6e9ce0152f2129ca0b18257adbf78eb23663af7fbd931f7cfba44df5c42ee91445a4ddc37ae0e564db5e9b28440a0bfdd3593f9f859c93ef9a
SSDEEP

49152:0aBhyb24ymtKbrLV1XIShZvL1qpapTcZYz9ht:5BhW9Kb3Q61pZD9r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2704	99701818f32f8f718f0e2230be814d73.tmp
2816	rkverify.exe

Loads dropped DLL 8 IoCs

pid	Process
3068	99701818f32f8f718f0e2230be814d73.exe
2704	99701818f32f8f718f0e2230be814d73.tmp
2704	99701818f32f8f718f0e2230be814d73.tmp
2704	99701818f32f8f718f0e2230be814d73.tmp
2704	99701818f32f8f718f0e2230be814d73.tmp
2704	99701818f32f8f718f0e2230be814d73.tmp
2816	rkverify.exe
2704	99701818f32f8f718f0e2230be814d73.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	99701818f32f8f718f0e2230be814d73.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe
2816	rkverify.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2704	3068	99701818f32f8f718f0e2230be814d73.exe	28
PID 3068 wrote to memory of 2704	3068	99701818f32f8f718f0e2230be814d73.exe	28
PID 3068 wrote to memory of 2704	3068	99701818f32f8f718f0e2230be814d73.exe	28
PID 3068 wrote to memory of 2704	3068	99701818f32f8f718f0e2230be814d73.exe	28
PID 3068 wrote to memory of 2704	3068	99701818f32f8f718f0e2230be814d73.exe	28
PID 3068 wrote to memory of 2704	3068	99701818f32f8f718f0e2230be814d73.exe	28
PID 3068 wrote to memory of 2704	3068	99701818f32f8f718f0e2230be814d73.exe	28
PID 2704 wrote to memory of 2816	2704	99701818f32f8f718f0e2230be814d73.tmp	29
PID 2704 wrote to memory of 2816	2704	99701818f32f8f718f0e2230be814d73.tmp	29
PID 2704 wrote to memory of 2816	2704	99701818f32f8f718f0e2230be814d73.tmp	29
PID 2704 wrote to memory of 2816	2704	99701818f32f8f718f0e2230be814d73.tmp	29

C:\Users\Admin\AppData\Local\Temp\99701818f32f8f718f0e2230be814d73.exe
"C:\Users\Admin\AppData\Local\Temp\99701818f32f8f718f0e2230be814d73.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\is-299LQ.tmp\99701818f32f8f718f0e2230be814d73.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-299LQ.tmp\99701818f32f8f718f0e2230be814d73.tmp" /SL5="$40016,1757878,211456,C:\Users\Admin\AppData\Local\Temp\99701818f32f8f718f0e2230be814d73.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\is-FS218.tmp\rkverify.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FS218.tmp\rkverify.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CSM317C.tmp

Filesize
160KB

MD5
5ac09190daf249c3e93c3ac961067024

SHA1
bad9c0d552d54310f669d66b549dcada90583812

SHA256
f4934185f75518a13ef5425959f47516cc8467f513e838a82e749ffb782d7e23

SHA512
2a87686c038e8a34f8e04a844726de564a08baeedc87632219b86f455d5222efe2ed7557fad9658627e304d916a75cfcb3c9dede4e72057a070f64370aa52f39

Download Submit
\Users\Admin\AppData\Local\Temp\is-299LQ.tmp\99701818f32f8f718f0e2230be814d73.tmp

Filesize
841KB

MD5
91de3a18333a20c85530f9d81a13ef3e

SHA1
56d0a3402b0f441abf30c2f73a51da5d0dc1f594

SHA256
6e4d360cd0f8584a6f592b3cacc5f5f5c2138a33094deac6ad993b69c9dba430

SHA512
6be43ab54c47c13f06a847b95e5f1fcc2254bb873ebd437a7a00be0da0dd7e9bc0c3c998d9334623307d91256cde7a53694fbf0ccb422d939fca0ed1fbff6693

Download Submit
\Users\Admin\AppData\Local\Temp\is-FS218.tmp\FileDe.dll

Filesize
385KB

MD5
10bb1bda06871deb8d0506b4f6390b6c

SHA1
ac96f51cb1f1d9e341eca88b47a734bfb1e3f494

SHA256
0124f82f392a3156edc5380f28ac19caecc89682a7556f28a2172681d923ac84

SHA512
01afabb1f5458bf928787c69b4078f5ba738ff427989aa6a3775c8bac659f98b81e4c4acccaf093815afea7bad37bda0cfb07c088bac4eda2fdf149003e3aa62

Download Submit
\Users\Admin\AppData\Local\Temp\is-FS218.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-FS218.tmp\rkverify.exe

Filesize
268KB

MD5
020ce95075f8c93e6cc957953d7f4589

SHA1
e192a200e36974b8e0637230a8cb5905090f7555

SHA256
df9d068202c060a898cd441d5c170686cd9c2774a37cfda3ea10abc428e20ad3

SHA512
fb74170ed9b5ee078a176540c198513ed3a8c2e587fbcbf6d2384f840f0b6a2637fd20b6a01b2caf6e92e5f592d517b4733d34fdb349fd770eb04e1eac769170

Download Submit
memory/2704-18-0x00000000038F0000-0x0000000003956000-memory.dmp

Filesize
408KB

Download
memory/2704-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2704-36-0x0000000003E50000-0x0000000003E60000-memory.dmp

Filesize
64KB

Download
memory/2704-38-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2704-41-0x00000000038F0000-0x0000000003956000-memory.dmp

Filesize
408KB

Download
memory/2704-47-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3068-37-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download