b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1.exe
Size

155KB
MD5

6591ce68723ab49b96bafaaafae598f3
SHA1

6ea67a37a5b642d2ab3624f7c0faf03e84bc5816
SHA256

b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1
SHA512

9ad6a515c26e6fad6eaee580a8da5d9edcd5bd8889beb2da063f6fed17e2dabeb0ff9362805050143f7d5b5ba9ca8a53039d0c8838244a96f0fd6d0ae4683c45
SSDEEP

3072:Q8a+d25BTHNik8P5AB1C8TnJobFcAX4SzCV4wIqgrznxD+:QR+d25fO5ABcaobnoV4wZMD+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	Un_A.exe

Loads dropped DLL 4 IoCs

pid	Process
2932	b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1.exe
3004	Un_A.exe
3004	Un_A.exe
3004	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3004	Un_A.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3004	2932	b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1.exe	28
PID 2932 wrote to memory of 3004	2932	b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1.exe	28
PID 2932 wrote to memory of 3004	2932	b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1.exe	28
PID 2932 wrote to memory of 3004	2932	b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1.exe	28

C:\Users\Admin\AppData\Local\Temp\b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1.exe
"C:\Users\Admin\AppData\Local\Temp\b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyFFA.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFFA.tmp\System.dll

Filesize
12KB

MD5
e15ab1ebc8ac4fa11c72786ff15983f4

SHA1
210eb86f026c084251faeac304dfe96f0b26790e

SHA256
b60a0b9bdea234928d7eb849d931be78a210087418ac1032b4c71bf9a2204fd5

SHA512
712d2a4485727105255907a412d72fe1ed623dfa73c86510245a2096901ae365c9ef20bf6d1590fc2f93ee35f0d7ac214e087448a20df2c98ff8f09da5fce860

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFFA.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
155KB

MD5
6591ce68723ab49b96bafaaafae598f3

SHA1
6ea67a37a5b642d2ab3624f7c0faf03e84bc5816

SHA256
b16ea489171716a64c3e7a96a91756dfd3dc88a26febe7504bcd12a94b911fe1

SHA512
9ad6a515c26e6fad6eaee580a8da5d9edcd5bd8889beb2da063f6fed17e2dabeb0ff9362805050143f7d5b5ba9ca8a53039d0c8838244a96f0fd6d0ae4683c45

Download Submit