c38f1fcf1a2d5b1cea2d24d47afdc38ca6b27e12436b94d038e0859fa07fd2b0

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

9ad5e1af79a62e164124c22ca3c7b7b8.exe
Size

2.1MB
MD5

9ad5e1af79a62e164124c22ca3c7b7b8
SHA1

1e8f831fcebeed49f23c30385754a816333919cb
SHA256

c38f1fcf1a2d5b1cea2d24d47afdc38ca6b27e12436b94d038e0859fa07fd2b0
SHA512

2ad93a78803083be49ff51bca4b323d7e77b8704fac5746b9730eb6db19abada8e4092fd8a6889499da7839360c61a818c8476e9592e34ea4eb203cae67b8f2a
SSDEEP

49152:BBf6E2IcUJWvCSvyXUhQoBjON/F247ZdTJ8u:PT2fyXUC2jQ/g47F8u

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe
2436	9ad5e1af79a62e164124c22ca3c7b7b8.exe

C:\Users\Admin\AppData\Local\Temp\9ad5e1af79a62e164124c22ca3c7b7b8.exe
"C:\Users\Admin\AppData\Local\Temp\9ad5e1af79a62e164124c22ca3c7b7b8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd403C.tmp\ViseHelper.dll

Filesize
252KB

MD5
b0cd88d66cb5ba7a426277670fc72962

SHA1
1af9001ba6a16f8579b1b85b81e72ac26ad2954e

SHA256
56924ce7f365e4df121c91c61eb03a6404509e49b1556bebb480b7edf4072c7b

SHA512
df761bbcaa2d9fbcd3b7ca564dd1b092b9969c93d0e41f12b8e3a429bd6dd787dacbe8ce7502a5f5f49d9aa87c86880e1e77dbcc8df47a3a69b04aa6c67741aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsd403C.tmp\SetupHelper.dll

Filesize
52KB

MD5
bcc0fc146ac5958fc16a2d43fdf3aaed

SHA1
a40ca7d638cab23a47a35386ef097372fdafeb21

SHA256
4d8072399ff0042a40e016de11fc762adea5b97399ebf800e7c60d3ea82be246

SHA512
0a363953a4b27956f6badf72d14204403bd68cb97f6189f1f384d08a284b3e460df25f5b3e23fb3bb54c6dc81428a1efbe089f6961e878bb13d208f1d9b06910

Download Submit
memory/2656-39-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2928-40-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download