c5dd4ec8e9289ba9b2accd88f250b14acfd179e761edc733be9d2c27d52a2d44

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a391001082534e789e9b3e0e8d74e946.exe
Size

3.6MB
MD5

a391001082534e789e9b3e0e8d74e946
SHA1

1c6549210458111c1b3a1888bd8216d90ffaa553
SHA256

c5dd4ec8e9289ba9b2accd88f250b14acfd179e761edc733be9d2c27d52a2d44
SHA512

b69c2ed79256e374613333c52f13d701f0e29043deb64fe2a9d90d085029c274c282d881d4b6a90dd5b8dedb954e7842da3f26f618f0270cb4f58cf2ca4757b8
SSDEEP

49152:4wdjcIDXuTGNMmwMAOz/I2i1g6McpSPJkfKTckGaFE2jTpSBxVgKaPHtqPQLhJaC:40IISTMj57I2Yg6MRPJkf2bFjTE5MHaC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1300	is-J00S5.tmp

Loads dropped DLL 3 IoCs

pid	Process
2060	a391001082534e789e9b3e0e8d74e946.exe
1300	is-J00S5.tmp
1300	is-J00S5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1300	is-J00S5.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1300	2060	a391001082534e789e9b3e0e8d74e946.exe	28
PID 2060 wrote to memory of 1300	2060	a391001082534e789e9b3e0e8d74e946.exe	28
PID 2060 wrote to memory of 1300	2060	a391001082534e789e9b3e0e8d74e946.exe	28
PID 2060 wrote to memory of 1300	2060	a391001082534e789e9b3e0e8d74e946.exe	28
PID 2060 wrote to memory of 1300	2060	a391001082534e789e9b3e0e8d74e946.exe	28
PID 2060 wrote to memory of 1300	2060	a391001082534e789e9b3e0e8d74e946.exe	28
PID 2060 wrote to memory of 1300	2060	a391001082534e789e9b3e0e8d74e946.exe	28

C:\Users\Admin\AppData\Local\Temp\a391001082534e789e9b3e0e8d74e946.exe
"C:\Users\Admin\AppData\Local\Temp\a391001082534e789e9b3e0e8d74e946.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\is-HHT66.tmp\is-J00S5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HHT66.tmp\is-J00S5.tmp" /SL4 $30144 C:\Users\Admin\AppData\Local\Temp\a391001082534e789e9b3e0e8d74e946.exe 3547154 51200
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-FUDDQ.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HHT66.tmp\is-J00S5.tmp

Filesize
608KB

MD5
05c57033a93b8661db64e196a39ea6ac

SHA1
f8af229865df706da976f89143fb11f8683cf3de

SHA256
03f985e829d1ceaa2e0b8023756114734e0be6ad92dfe1159e5483cb6f5e056f

SHA512
c20b6edd0ab691d527f00a56cb3457b2c33b5634ebf77097766760d17803381bbb25fed495c8de8310881888fe32e0a8d8c60335262d6c2ba158222b79887719

Download Submit
memory/1300-15-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2060-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2060-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2060-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download