23c89e579e975b5ba46b819041c75db726d767856b368a00fc4f02449926568c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc37b3ee1a472909dba1a431a4b04ec2.exe
Size

285KB
MD5

bc37b3ee1a472909dba1a431a4b04ec2
SHA1

b5fb80e3a838275ca91a3df36360adb7a71b1337
SHA256

23c89e579e975b5ba46b819041c75db726d767856b368a00fc4f02449926568c
SHA512

b88f47cfece75a00fb04445b682effd30eabc26e88ea3041a9fe4404c647a7c00b0d9c43a22cb916bd0f743dc6591e4c29f0068db06f07e18c40c68a2fc3858f
SSDEEP

6144:NGC7W7BU5nMqKGqcUz9PbMpbLnTs8rejIaYrc5RjQjcvFTMlWXKYR:fa7gMqKGqP9DMpbLnTfaSc5HTMlWXK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2728	lzma.exe
2632	lzma.exe
2056	bc37b3ee1a472909dba1a431a4b04ec2.exe

Loads dropped DLL 19 IoCs

pid	Process
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2728	lzma.exe
2728	lzma.exe
2728	lzma.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2632	lzma.exe
2632	lzma.exe
2632	lzma.exe
2044	bc37b3ee1a472909dba1a431a4b04ec2.exe
2056	bc37b3ee1a472909dba1a431a4b04ec2.exe
2056	bc37b3ee1a472909dba1a431a4b04ec2.exe
2056	bc37b3ee1a472909dba1a431a4b04ec2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2056	bc37b3ee1a472909dba1a431a4b04ec2.exe
2056	bc37b3ee1a472909dba1a431a4b04ec2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2728	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	28
PID 2044 wrote to memory of 2728	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	28
PID 2044 wrote to memory of 2728	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	28
PID 2044 wrote to memory of 2728	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	28
PID 2044 wrote to memory of 2728	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	28
PID 2044 wrote to memory of 2728	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	28
PID 2044 wrote to memory of 2728	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	28
PID 2044 wrote to memory of 2632	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	30
PID 2044 wrote to memory of 2632	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	30
PID 2044 wrote to memory of 2632	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	30
PID 2044 wrote to memory of 2632	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	30
PID 2044 wrote to memory of 2632	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	30
PID 2044 wrote to memory of 2632	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	30
PID 2044 wrote to memory of 2632	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	30
PID 2044 wrote to memory of 2056	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	32
PID 2044 wrote to memory of 2056	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	32
PID 2044 wrote to memory of 2056	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	32
PID 2044 wrote to memory of 2056	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	32
PID 2044 wrote to memory of 2056	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	32
PID 2044 wrote to memory of 2056	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	32
PID 2044 wrote to memory of 2056	2044	bc37b3ee1a472909dba1a431a4b04ec2.exe	32
PID 2056 wrote to memory of 2616	2056	bc37b3ee1a472909dba1a431a4b04ec2.exe	33
PID 2056 wrote to memory of 2616	2056	bc37b3ee1a472909dba1a431a4b04ec2.exe	33
PID 2056 wrote to memory of 2616	2056	bc37b3ee1a472909dba1a431a4b04ec2.exe	33
PID 2056 wrote to memory of 2616	2056	bc37b3ee1a472909dba1a431a4b04ec2.exe	33
PID 2056 wrote to memory of 2616	2056	bc37b3ee1a472909dba1a431a4b04ec2.exe	33
PID 2056 wrote to memory of 2616	2056	bc37b3ee1a472909dba1a431a4b04ec2.exe	33
PID 2056 wrote to memory of 2616	2056	bc37b3ee1a472909dba1a431a4b04ec2.exe	33

C:\Users\Admin\AppData\Local\Temp\bc37b3ee1a472909dba1a431a4b04ec2.exe
"C:\Users\Admin\AppData\Local\Temp\bc37b3ee1a472909dba1a431a4b04ec2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\lzma.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\lzma.exe" "d" "C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\i1hqkyLh.dat" "C:\Users\Admin\AppData\Local\Temp\nso12C8.tmp\pcftl3ciAQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\lzma.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\lzma.exe" "d" "C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\q2gyEFqq.dat" "C:\Users\Admin\AppData\Local\Temp\nso12C8.tmp\CommonsDll.dll"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\nso12C8.tmp\bc37b3ee1a472909dba1a431a4b04ec2.exe
  "C:\Users\Admin\AppData\Local\Temp\nso12C8.tmp\bc37b3ee1a472909dba1a431a4b04ec2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso12C8.tmp\CommonsDll.dll

Filesize
253KB

MD5
56d1646a9d660c665714305a98289b44

SHA1
f5df0e879f63bbc6f42d13505d65f00be4396be6

SHA256
78ec302df29d2393c233a9bf301f1536c51b8279ee9166ceda4f9efaca18c240

SHA512
5bb580ab2fa43ccbfe28d32d04e0d2083f2fddf69f089c7b697012579b21cd2b37ab7fde4179da67cf6680ecbe8b1a5165d26201bc66e558a23f3d24d280ac3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso12C8.tmp\pcftl3ciAQ.exe

Filesize
127KB

MD5
fd83c01a43b8f823606f101a797b5778

SHA1
dabdae3877e598573466a36e5fd9a020f383579d

SHA256
f6e76fe07adc8eacd1082f36dc7e00e47ba21778ea418fea9d5cfaf9d982296c

SHA512
0552ecc34d9dfddae32c67cd8fb021156f7ac9a0e24fe28f4e6a8a89f7ad2c22f5592ca5ac5cb1432cf7421bcf35d13ae8f511c1759bc1362bd6bddc2bc02910

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\DcryptDll.dll

Filesize
20KB

MD5
e810d7dc991017445073bba89813870a

SHA1
dd7e64d1a047c0af071a906e560c7ca41c0b94ae

SHA256
dbe194f5075b8efcb4acfadac4785ef7a992748c7a33b52b54f5c38cbd7925c0

SHA512
ccd2f69918cf6782d501629ee52ac38207b32fd6189c42bcd0481d8f0b283d77b159235249176054dd583cdb609339c9bd810c7f74e01f62c02bade32bab7708

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\i1hqkyLh.dat

Filesize
57KB

MD5
768355f76dfe9c82cdf580bd6d9de87c

SHA1
6d09e2ab9334ff34ca0c7885e37aba37d76bb6f6

SHA256
906f2aed50e450015621f70a537d5229bb5d9d34da770ebc0d5375258cc93046

SHA512
9d09d43fa8ffabe58b4bd788decf21012fcfcd90ff6f7305a1ad385c171a92f9618cfb1586e3ace946c7cb9d302fc9b227700679d701b83eb2e02fb7ee8e6b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\q2gyEFqq.dat

Filesize
108KB

MD5
07eb363b2e639c3da8f85f5a5cf04e35

SHA1
c046cca5b63cef1246f10c65516fdedccebf11ba

SHA256
b70ea3ff5887d09f7c8476cdf5186ce434a56bc561e5a43dab97fea6af50f69d

SHA512
d06051d07407496f95a898bb6d3e5af8ecfa8215b05bb1d5149a48be2a161a17770dc007bc26b9640f8bd8a8cd11efb0c87db530109dc4f7a8bd67668e1894be

Download Submit
\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\lzma.exe

Filesize
131KB

MD5
38966a0e2d88da4cc4a39a83461c338f

SHA1
f4d7d0440cf3ca6048f0f2e90501593629a25098

SHA256
8457ac5138561c2ac4bdc88be2caccb4ac023a4ac28fa2a34b21e501aae704e0

SHA512
bc7e6e67c077b21c310d8f8579ba737dbee0a51aadefd7478289259a5a644dca29f5f30624e531e9e85a439ba84bfab5f26fa4632cf75164567f9a0f5475c55f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy12B7.tmp\nsExec.dll

Filesize
6KB

MD5
fa299e199922b3ba833be655a8d71b75

SHA1
4d74c53bb6927a2831df93af26f3e4e4fb007797

SHA256
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

SHA512
7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

Download Submit