cadc8838c26a906f9dd9cfed178546e322f67f714d4951169482d781a07ffc98

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Respecialist.exe
Size

826KB
MD5

bcc1f12af6334f819cac261f50fc6f3f
SHA1

68ef28761831b5ce423b174549f78843a8ffcbaa
SHA256

cadc8838c26a906f9dd9cfed178546e322f67f714d4951169482d781a07ffc98
SHA512

77512f726964cb995f830bfab6aa7fbec3b3a5b270b08d57d4a0395a570aa5c3b6b3185bce9bb6baf4ccafcd6260a2a514282ec45f65d6ab93dac7ac5cda4f4f
SSDEEP

12288:zgOiqjFiNnytiTYG8ERU8Nsb9uF/5MkQ5HOKBAUhtHuuU69E:zgYFyy4c1EdsDOSAUbPR9E

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1808	Respecialist.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Proenzym.ini	Respecialist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1808	Respecialist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\fljetoners\monochrome.lnk	Respecialist.exe
File opened for modification	C:\Windows\resources\sjapper\Tolvtedel.for	Respecialist.exe
File opened for modification	C:\Windows\resources\sequoia.ini	Respecialist.exe
File opened for modification	C:\Windows\staalhaardt\stejlepladsers.kam	Respecialist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1680	1808	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1680	1808	Respecialist.exe	28
PID 1808 wrote to memory of 1680	1808	Respecialist.exe	28
PID 1808 wrote to memory of 1680	1808	Respecialist.exe	28
PID 1808 wrote to memory of 1680	1808	Respecialist.exe	28

C:\Users\Admin\AppData\Local\Temp\Respecialist.exe
"C:\Users\Admin\AppData\Local\Temp\Respecialist.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 28
  2⤵
  - Program crash
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy1660.tmp\Spahees99.lnk

Filesize
1KB

MD5
1741931ca1d5fdd5b1aacd8b29239790

SHA1
c89863beab16409dcfc8767975ded24aca9be269

SHA256
9fb991d6f1312aa15f8ff822accfc4c4cb7354b87ff46c62d830779230cc695a

SHA512
fb845c0102ed8566146150b501219222f50654a5a901ba045d3f1ebb33eb87ec00521307a3ba8e10bb330b31135a7d7636524a168b79dcdd9b625fb5b0d137b5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1660.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/1808-288-0x0000000077260000-0x0000000077409000-memory.dmp

Filesize
1.7MB

Download
memory/1808-289-0x0000000077450000-0x0000000077526000-memory.dmp

Filesize
856KB

Download