2775447ffb2c1b8f3385b051e17554f02e34a0d26202c96b48d2d15077d4d576

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

2.8MB
MD5

db782d52eda26ea07fcb2850b8d32ef4
SHA1

d422ccdfec82ee3e1eb4d47dc8ad009f1b852811
SHA256

9f86f613ba74c30b3e4c0486d5c8ba8f702c1bb2382e0845cb5ea62c8a9289e9
SHA512

5f421193d4f0739ed1f64a51b91ad18dea60fc0a9d87cf1f573ff51fdee844053af353230a3ae0a528b3ca814a41da464f15e164b8017bfe00afc70261db62e3
SSDEEP

49152:yi6YRh80heyFkJeq/ZBGgxZC+XFrdBihHHnHiYbSjBgvRE3OfyVGutTjHv13O+me:yiR8FJe3gxZC+XFrdBi1hREsJuhzxx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4936	is-REVRS.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 4936	4092	setup.exe	85
PID 4092 wrote to memory of 4936	4092	setup.exe	85
PID 4092 wrote to memory of 4936	4092	setup.exe	85

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\is-K2R6H.tmp\is-REVRS.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K2R6H.tmp\is-REVRS.tmp" /SL4 $50062 "C:\Users\Admin\AppData\Local\Temp\setup.exe" 2747344 52224
  2⤵
  - Executes dropped EXE
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-K2R6H.tmp\is-REVRS.tmp

Filesize
634KB

MD5
d291acbf9866b8846fe0629e690feb1a

SHA1
293314b11340d798d3c74e2416e2a43f267a25d6

SHA256
ab3e1fa210171e5ed2decc615c9328379ee3d29b55ee0e5d7ef6bece43f583eb

SHA512
320e68a67fdcf13dc25640cf68468abd9e0dc51b647f95277eebbd06c7c5ee298b1f68d4a01deb886979e42cbc3eddf16ac4db18884a96b1535598ba11ba36ed

Download Submit
memory/4092-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4092-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4092-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4936-9-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4936-13-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4936-16-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download