09602a8642444e40e0567314fc039bf4912f1f54307581b322cee4e9fdeb024d

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 16:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc41de7c53d6804cfb229906d8d14065.exe
Size

2.3MB
MD5

bc41de7c53d6804cfb229906d8d14065
SHA1

37604d88dfa69343f1a9d2a8cbf82c08e9441c6b
SHA256

09602a8642444e40e0567314fc039bf4912f1f54307581b322cee4e9fdeb024d
SHA512

388ea622cfb7a93a9c1e94182a1ae28999943e52bfa76bcde46e821ef791760ea447ea242f4357dd0a726e01ef17a8f0cad6fd40136de8308ab05a8c2fc66b21
SSDEEP

49152:GArEL678DaPzNT8Zt/4py8sZOH0863PcoDtQE02Asu3NH/:XrR78DuzNO8y8y46/cmQE0H9f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	is-NTH7I.tmp

Loads dropped DLL 3 IoCs

pid	Process
2080	bc41de7c53d6804cfb229906d8d14065.exe
1984	is-NTH7I.tmp
1984	is-NTH7I.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1984	is-NTH7I.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1984	2080	bc41de7c53d6804cfb229906d8d14065.exe	28
PID 2080 wrote to memory of 1984	2080	bc41de7c53d6804cfb229906d8d14065.exe	28
PID 2080 wrote to memory of 1984	2080	bc41de7c53d6804cfb229906d8d14065.exe	28
PID 2080 wrote to memory of 1984	2080	bc41de7c53d6804cfb229906d8d14065.exe	28
PID 2080 wrote to memory of 1984	2080	bc41de7c53d6804cfb229906d8d14065.exe	28
PID 2080 wrote to memory of 1984	2080	bc41de7c53d6804cfb229906d8d14065.exe	28
PID 2080 wrote to memory of 1984	2080	bc41de7c53d6804cfb229906d8d14065.exe	28

C:\Users\Admin\AppData\Local\Temp\bc41de7c53d6804cfb229906d8d14065.exe
"C:\Users\Admin\AppData\Local\Temp\bc41de7c53d6804cfb229906d8d14065.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\is-D6V2F.tmp\is-NTH7I.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D6V2F.tmp\is-NTH7I.tmp" /SL4 $400B0 C:\Users\Admin\AppData\Local\Temp\bc41de7c53d6804cfb229906d8d14065.exe 2168890 50688
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-BJFA3.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-D6V2F.tmp\is-NTH7I.tmp

Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
memory/1984-14-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2080-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2080-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download