c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSK203.exe
Size

495KB
MD5

672127d627b0d1ffdc8f4f6a7f6a4697
SHA1

965c08f135e270201ca61122955104c0de39ad9f
SHA256

c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42
SHA512

f3e6c7837c767944d7e14cac75e5844fa217cfdc3d6dcae575a7d0ad2740617cce9e53e6b28f947114708361570972150737c9c1e3663b5b3ee9fd55a2d6a746
SSDEEP

12288:Pbm37Owct5ERd1ZRad1I5eA2bZxeyCNNrmj:Pbms5EP1CAsZxse

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

MSK203.exe

pid process

1632 MSK203.exe
1632 MSK203.exe
Drops file in Windows directory 1 IoCs

Processes:

MSK203.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi MSK203.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

324 1632 WerFault.exe MSK203.exe

pid	process
1632	MSK203.exe
1632	MSK203.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	MSK203.exe

pid	pid_target	process	target process
324	1632	WerFault.exe	MSK203.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

MSK203.exe

description	pid	process	target process
PID 1632 wrote to memory of 324	1632	MSK203.exe	WerFault.exe
PID 1632 wrote to memory of 324	1632	MSK203.exe	WerFault.exe
PID 1632 wrote to memory of 324	1632	MSK203.exe	WerFault.exe
PID 1632 wrote to memory of 324	1632	MSK203.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 524
  2⤵
  - Program crash
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd1B14.tmp

Filesize
53B

MD5
a71f7038ac09bb788521e225af8c712e

SHA1
d62b6938fa9357b10bb378279e7aa559bc6667ae

SHA256
9d9d14f99b0dff8266e4b5dd86cb64bad23315d616fc36c38c72d4b05739864a

SHA512
0786c1b1b368b1dfe8ffa7b6ebd8ce6a017f61a38836c7d4b602d314c98ddee69167328db632f6fe14208b3f6a9a939ab4adcc94273190fe27cfa8d8f69da5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1B14.tmp

Filesize
56B

MD5
2c77bbd52333e4144ba070082eac42d6

SHA1
d5570ca72f198bd75e1f0d241f0dd69986877ea4

SHA256
54695e5022b16a8b57b4995eabb2d2b2212e0f3fc6ddad15cb2bbc5798fa3c04

SHA512
c800b128aee9e19cfa614be129deed3a440263ff5b58d801e4929ceebf5a930eba8efe948c70e163294a4dabe993a6dcc24f3ca3cef859877da852919dce4162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1AE4.tmp

Filesize
13B

MD5
1783e9a8f74ea827208a35b5a8c0c0b4

SHA1
68913138931e5d1cdf495708cf86d082454dc6cf

SHA256
20ed8777c986040dba3187aab791c6df6f87f42c3002b15bcc8bfa9718d842e8

SHA512
8da8702b8e97de4d9cd9c294574e10363e34f3cf7796b1e2c78be543a482472922be3d75a716c67b63a291b898528531c132553ef20174ea99eb3bd37ac3608b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1AE4.tmp

Filesize
19B

MD5
adfb82dfa0a66bd7e108a83873cbd4cf

SHA1
caaf90327bb1e7b6731e154351f351bf3a3bb1c4

SHA256
2ba412a038068300e9e4a538ed1d2cfcefa9a1b91f44408785d90a5d838a9228

SHA512
103f484f3497eaf8cc231f09a5c565ba524d5af523970272d9a853ede106fc176f524bb6aeb8f7f59992e7a5651abb55b80134d539bb050aaf780624422d982b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1AE4.tmp

Filesize
34B

MD5
c7fdb83176d33ab6f162ad7e63be34a3

SHA1
f4723fe0f231fd81edb2d9e33f7f3db61be3bd09

SHA256
da7321dd7717fd659d292a2bb74089f7792eac427a73388735a8dc00f8b03fe9

SHA512
72d0c73e0ffe140621cefad6d02764d3c318d0d79e4fd7cdcac4f12c4181d77ec607f5649cda684e2c845d5226ceee672ecb78beed2df6f4ab269cb17b71b0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1AE4.tmp

Filesize
53B

MD5
d3842e87048750ecedb6de187b7345dd

SHA1
0e6b4767a0ad2c04dac66a14f3d02ff033baf847

SHA256
80ac4fe1737940cbe0fede922602d4815531d5ea9eff8bf89e9f5df2cbccba82

SHA512
11c68374f40943cdb6179853f266ad47eb3239c7d0fd97542515cd95090e203d7a2a8e7db4ea99fbc2bf57af1b995944ce833f8efc110ea81d4a600e25981718

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1AE4.tmp

Filesize
59B

MD5
65b6a0adb48771278249b974b23a5729

SHA1
92088de29fb7dd02f3fa8b6d82098c0310ceb01a

SHA256
137ca85868ade064270d676cb6e7499daf58962612309bea60b110736ccd7b7c

SHA512
b9552ae3938d052bc7ef9d6b88c34943d8ef0a5edb8e1ebfad9e979817d28816ec77d6e3d3540abce83d171a944704bb2bf3a4f073f2566fe9228a052402d143

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1B82.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1A65.tmp

Filesize
67B

MD5
0a3f0a6958444bbe60be42110a33bb30

SHA1
2350bbdacf80483b634671b7877166fcaacbec7b

SHA256
6c9d5f35bd11e1d670553bca8b7ff96bfd5c555f09ac6f7a3ce8b97d3a02b133

SHA512
dc58c80053bef25009a7603ed785690c7fb097e44e91f7fb5ea0ad931f3a28111d87f1a3072ce728eecc23fe3c91452b40c787e07a8562a0f901a98bb25cb8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1A65.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1AA5.tmp

Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1AA5.tmp

Filesize
18B

MD5
a24188ce6d4a713d3508b4c0ec4860ff

SHA1
1e4b331b57d9d633687b5ecdaf35b0ab55c72e44

SHA256
0910aef0152e26373651bd0550d8d61e3f1e72820e69c3fec56ae50cd225a493

SHA512
427e9635aed314bb5e5b90ba32c55d78922b3ba8276bc185889e3d3c635925c9148e1bf12d289b0a3c0fc8bbbe78b52f223d550d39b67682f2007b625db0331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1AA5.tmp

Filesize
22B

MD5
b047816b08c4d8bfc15d92a76b02f032

SHA1
524d75ebcb25c312f94331dfe9d912d64bed2cdd

SHA256
b1cf0c961cc0706922ed4e40300fbde987d521b47a778d61ad809684b5a16a35

SHA512
d808dd3603318dd503e81dc25be9f03f7623dc2dc812b6955992bcb079071542e655fad2a45343a0a453a97b044f820b090f4cbc6015b6f4b988106bc6aeb757

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1AA5.tmp

Filesize
37B

MD5
19bb0d4e0dbbeec8ba11676faf173020

SHA1
803ec505ddf82c03af6de9ea9bc483d709f01b08

SHA256
9c719d5b57ba39eeac8bb3dc66e5e4116e6df0d13708c46dbb0df2a89b50467d

SHA512
5c10165a0160b4ae90ffb637971daa4086d6fbe2c4cb771050c6736ece6332cee843629ae2ce98139543e099cd439a730696e5c6c2fdbcca449ac9803a6e4df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1AA5.tmp

Filesize
51B

MD5
b61b2f1546b29486a8a0d25e1cba7721

SHA1
c19a4677b46a71e1624d77b3af0af2411c57f6b1

SHA256
15f6b52edd0bf33f8fbc357d9fdc3287d97e51227eeb0a21dc58a3337d9fa692

SHA512
429c3b7917cd2ef31765683ac06f434aa5081e0113ccad168312a696e3c66ba36834113068f6ef2e291918db80617d347ea1f5c81c32b0f17702925407779cd2

Download Submit
\Users\Admin\AppData\Local\Temp\nst1A85.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit