b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe
Size

2.2MB
MD5

82b92970234eeb94883182381e626c63
SHA1

75739056f3855c8fa84567eafbacec001691b7e2
SHA256

b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac
SHA512

bf9037533ca00f1ddeebd759b6f2cde5a7a9326f90b44c66a6aa155ab0e79c9cc93e6c8676efddaea3da3d9cbfe60ea2637ea9e9b4df58b6bff31d94f36fa472
SSDEEP

49152:acbz6Jku/5v8WtcRUXPXIymP2yPLGhZg3cU+KH1CVZAJBtlNV7D:acbwuPRM3uDGhZgj+KVc6JXB

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2236	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2236	1220	b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe	28
PID 1220 wrote to memory of 2236	1220	b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe	28
PID 1220 wrote to memory of 2236	1220	b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe	28
PID 1220 wrote to memory of 2236	1220	b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe	28
PID 1220 wrote to memory of 2236	1220	b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe	28
PID 1220 wrote to memory of 2236	1220	b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe	28
PID 1220 wrote to memory of 2236	1220	b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe	28

C:\Users\Admin\AppData\Local\Temp\b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe
"C:\Users\Admin\AppData\Local\Temp\b4932dad396b2b71a3a2adc4f488db99e5a8cad1b5af8b50ed2382ac1c43d5ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -u RR8J.m /S
  2⤵
  - Loads dropped DLL
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RR8J.m

Filesize
2.0MB

MD5
234c718b7e7eed04d399f1083dcb03f2

SHA1
10d5c941a12b0d43288af499b38c1c0c25123c51

SHA256
252a0b84b256eeec5b3b1209803a06b852b215e6ef7a21645917dfd21de55218

SHA512
eb82c95239befdf7183d26afe3bdc77d54032f524c777041a028849c48ef3b2c735cca4aea730d89e642239acf8b89d2e5a1fb3cb2026ab48f621e3ccce167a3

Download Submit
memory/2236-4-0x0000000010000000-0x0000000010201000-memory.dmp

Filesize
2.0MB

Download
memory/2236-8-0x00000000026D0000-0x00000000027DD000-memory.dmp

Filesize
1.1MB

Download
memory/2236-9-0x00000000027E0000-0x00000000028D4000-memory.dmp

Filesize
976KB

Download
memory/2236-12-0x00000000027E0000-0x00000000028D4000-memory.dmp

Filesize
976KB

Download
memory/2236-13-0x00000000027E0000-0x00000000028D4000-memory.dmp

Filesize
976KB

Download
memory/2236-15-0x00000000046C0000-0x00000000047A5000-memory.dmp

Filesize
916KB

Download
memory/2236-14-0x00000000028E0000-0x00000000046BA000-memory.dmp

Filesize
29.9MB

Download
memory/2236-16-0x00000000047B0000-0x0000000004894000-memory.dmp

Filesize
912KB

Download
memory/2236-19-0x00000000047B0000-0x0000000004894000-memory.dmp

Filesize
912KB

Download
memory/2236-20-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2236-21-0x000000001B8D0000-0x000000001B8D4000-memory.dmp

Filesize
16KB

Download