dda4ab4faa416af83a0dfc9f873e75e5d1e5783124db0f18c4fcd34e3b40ada5

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.exe
Size

3.5MB
MD5

e1ca7bb8f1a7e5a5905d0ce0a3ca4b95
SHA1

d9093e45d8ee2662b7f5c7946a288d9dde01299a
SHA256

dda4ab4faa416af83a0dfc9f873e75e5d1e5783124db0f18c4fcd34e3b40ada5
SHA512

9c3e238655a3db333ebcd5a9a384f7961a57cb4ba92d954805f0ad6f3960e1c999292f361d2200884d8b1e550783b0f25410d1c100bb50c0f3fefb45c45e6d60
SSDEEP

49152:e2iwSWLva6JrdUIG34CdtZA/CFBOyDNsl3H0bz+FfQL9E6vFmYJ4+h8GhFIXZZ2m:HkeUIGoCbCSD2FAgQL9EIgXYIXP0SgOt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4892	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp

Loads dropped DLL 5 IoCs

pid	Process
4892	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp
4892	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp
4892	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp
4892	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp
4892	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4892	1464	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.exe	95
PID 1464 wrote to memory of 4892	1464	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.exe	95
PID 1464 wrote to memory of 4892	1464	e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.exe	95

C:\Users\Admin\AppData\Local\Temp\e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.exe
"C:\Users\Admin\AppData\Local\Temp\e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\is-PCC7D.tmp\e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PCC7D.tmp\e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp" /SL5="$900E8,3336534,74240,C:\Users\Admin\AppData\Local\Temp\e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2132,i,4018525042804461719,1997165676266557055,262144 --variations-seed-version /prefetch:8
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-FET51.tmp\WS_Log.dll

Filesize
176KB

MD5
3b306b1ff2fbed872f776a3d1fc0f46b

SHA1
aa2d7aca860e3ac9d10610355150c4784b9d20b1

SHA256
4b0111da159b13d5139d7e9cfdb93d6fe743e1c159b63db0562fc7e23960f8d2

SHA512
a71f4b3df5a17040b1c80c63c8fb4c92a04e1ae7cf4b2e0d0668fed7f801e9b9483b79f9b1c8a9e44870435a9b9a3d8201d160e66aaeae884b5519b094dd9ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FET51.tmp\WS_SaleProcess.dll

Filesize
389KB

MD5
63bdadb8335989b97c815c1500521db5

SHA1
77f2974135858c0b9696b67a41c4275329027f2e

SHA256
018f0b9cd9a4c6cab3ba3337a3a3a1ee2e2bc173c9991ef9f56664b33eca0a91

SHA512
e4bcc65a3e31c9144c0b07b4c772890cbf48d49372ff1c50bba61f432e998835627cf0f3e808574244a411b9d8416b718ddd5babeb8091f1eeff90f574a881df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FET51.tmp\WS_VersionProcess.dll

Filesize
91KB

MD5
6011d5a4f0156b6775125dcbb059425c

SHA1
ebb471d6228d3c93aff3b227db5b70cbf899626a

SHA256
f936f4d9d55a5f12dfee3e7519bb4c39178d9c38e3c6293fc939dcf3cfaa7a77

SHA512
00cbb5bf02e480bb2768560f6d476e435e5ac1e1dc552382ab3c137981504d752ce0a72950d27df940b9e0c2fd4a962a78fb7b5c2207dccd78593dcf0b97e9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PCC7D.tmp\e1ca7bb8f1a7e5a5905d0ce0a3ca4b95.tmp

Filesize
689KB

MD5
3850b175e014e2eb6cc967c7da03c215

SHA1
0a67862be62ead59b25e63664357e8894cac0e9d

SHA256
31586767548edfe67bd3b66b931d1918155f3159bf92e86b84f688e0feae56a3

SHA512
4d851f725e50a30e02af320db62453c098203dc1390057d325980a93782557ce5a3d2627c47ced432fdd4b026deb97e997698737c8a193a14a0c9ce09c5b411c

Download Submit
memory/1464-2-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1464-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1464-32-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4892-7-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4892-29-0x0000000005150000-0x000000000516F000-memory.dmp

Filesize
124KB

Download
memory/4892-22-0x00000000051C0000-0x000000000522A000-memory.dmp

Filesize
424KB

Download
memory/4892-33-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4892-34-0x00000000051C0000-0x000000000522A000-memory.dmp

Filesize
424KB

Download
memory/4892-35-0x0000000005150000-0x000000000516F000-memory.dmp

Filesize
124KB

Download
memory/4892-40-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download