947c2e70101d0879980077e87540b13878354d72b1398775bee9a7d0e83dc25a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 10:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c323ac4805449f0331722dfd1bdac470.exe
Size

252KB
MD5

c323ac4805449f0331722dfd1bdac470
SHA1

0469af938a688cdb999a6012f767a6255bf06651
SHA256

947c2e70101d0879980077e87540b13878354d72b1398775bee9a7d0e83dc25a
SHA512

0b8fb3c48a24cd1b4db1acff867181e098ec72b3318078275e7c9567bb4a7d879fbe662118cb47ce79f518bbcf6a08265448725eeeb77523ca541d36fb0335ed
SSDEEP

6144:NsrUgnPGUQ1z25gFOga37lVz2zEjUCBY+:GrnuUslAgoOzKv

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
508	c323ac4805449f0331722dfd1bdac470.exe
508	c323ac4805449f0331722dfd1bdac470.exe
508	c323ac4805449f0331722dfd1bdac470.exe
508	c323ac4805449f0331722dfd1bdac470.exe
508	c323ac4805449f0331722dfd1bdac470.exe
508	c323ac4805449f0331722dfd1bdac470.exe
508	c323ac4805449f0331722dfd1bdac470.exe
508	c323ac4805449f0331722dfd1bdac470.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\egowtsjhe = "C:\\Users\\Admin\\AppData\\Roaming\\egowtsjhe\\egowtsjhe.exe"	c323ac4805449f0331722dfd1bdac470.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 2500	508	c323ac4805449f0331722dfd1bdac470.exe	91
PID 508 wrote to memory of 2500	508	c323ac4805449f0331722dfd1bdac470.exe	91
PID 508 wrote to memory of 2500	508	c323ac4805449f0331722dfd1bdac470.exe	91

C:\Users\Admin\AppData\Local\Temp\c323ac4805449f0331722dfd1bdac470.exe
"C:\Users\Admin\AppData\Local\Temp\c323ac4805449f0331722dfd1bdac470.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
200B

MD5
c10014d362f7ababa3015cf1b6961c25

SHA1
9898c475b79ce4ba8b50259839d462f79fc947f7

SHA256
d3b745db7b1541fd0b25777efda6a8c5dc940e79a27e27b7a57f8273eaa029a6

SHA512
6ea957dc01186948edbc3bd53663e37484f11c957ab888d3d3562a703dbfca93b7b1b7f3a7950077e0a96d4b684bac31ca8aea382a57f90571c46a8313894748

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk39A0.tmp\DLLWebCount.dll

Filesize
28KB

MD5
3d320f250297fe1dd1ddc350fa154b3b

SHA1
9236e354d2fe2b9f25a36f1ba686f1f2785e0b26

SHA256
f1ed5586759eaa6e5edf92bc589b0812620a3d48db3724c833b1fd9ea6c837bb

SHA512
8e259f6025080180fedcf13b1493910c20242d02c1776a84a79c8ff1aba00ca64873b251578000867bbcd129c46503470e364817afa267bb631e0d47ef31366a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk39A0.tmp\Dialer.dll

Filesize
3KB

MD5
4e6686aece13707435cce60dcb2ab572

SHA1
9bc7bcffa81e19ad315cab0f261e2394b99aa8f4

SHA256
b8bdabefe8360a157f287bf2b672d8d9a0453224a6b377348aa6a98438fccaf2

SHA512
a1936a86e1fd28a0d44e3e2bab4e41d3ebc6322155d47cd64df9d4ec1b3a093872f74f9848d39c6062242ea4f5af69b32e99f06fd892279b2a1a3cc6c1586e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk39A0.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk39A0.tmp\SelfDelete.dll

Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk39A0.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
memory/508-16-0x00000000022D0000-0x00000000022EA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads