5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:19

Target

5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exe
Size

2.8MB
MD5

947a675e4e4f84e6eff78ce0e38c49d4
SHA1

bed973f3e5111c5061a5d77ca142ab456c3afde3
SHA256

5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc
SHA512

c02de2627256abe1065ec6391a464e2aebc85c38777c3b1a85e778573b769e703bfa736f0bb3a311ed47a5eaafc8be399fd5c3ccdd8065f1d2e6345b3ebed049
SSDEEP

49152:UL6oFh9kV1s8ohLikBcjQqzZjwdWdpsenkgt3cpfvl43mTfU6vZma0MK2E:ULjFPs1s8SLvCQq90dCP3qO3b6vP04E

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

Un_A.exe

pid process

2464 Un_A.exe
Loads dropped DLL 2 IoCs

Processes:

5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exeUn_A.exe

pid process

1740 5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exe
2464 Un_A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Un_A.exe

pid process

2464 Un_A.exe
2464 Un_A.exe
2464 Un_A.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Un_A.exe

pid process

2464 Un_A.exe

pid	process
2464	Un_A.exe

pid	process
1740	5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exe
2464	Un_A.exe

pid	process
2464	Un_A.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exe

description	pid	process	target process
PID 1740 wrote to memory of 2464	1740	5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exe	Un_A.exe
PID 1740 wrote to memory of 2464	1740	5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exe	Un_A.exe
PID 1740 wrote to memory of 2464	1740	5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exe	Un_A.exe
PID 1740 wrote to memory of 2464	1740	5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc.exe	Un_A.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

\Users\Admin\AppData\Local\Temp\nsd1769.tmp\SetupPlugin.dll
Filesize
4.5MB

MD5
f4ce541995d3590defce492118201c8b

SHA1
ea47147a60e43fe52255fa1bc94175569759e14b

SHA256
dde544dbdaf387112876e1c07b2f28bf63414b79a99e5874cbef354ebd38c8a9

SHA512
6b07de0f1536643b6df443f82e4d89182e85ecc6d22b624a0b3e8a5552afc25bd76bdb94cd6e98206c906cb2bd875bd456a84a9d87a13b506d92530666b84299

Download Submit
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Filesize
2.8MB

MD5
947a675e4e4f84e6eff78ce0e38c49d4

SHA1
bed973f3e5111c5061a5d77ca142ab456c3afde3

SHA256
5ea92cd1af34a0faf1293afa648e3e1e610d89deaf663b4a75a38fbf03ba99dc

SHA512
c02de2627256abe1065ec6391a464e2aebc85c38777c3b1a85e778573b769e703bfa736f0bb3a311ed47a5eaafc8be399fd5c3ccdd8065f1d2e6345b3ebed049

Download Submit
memory/2464-14-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download