cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044.exe
Size

321KB
MD5

e5812b98cab107a220a850b01c37cc8b
SHA1

1d6f2064bcdeb3deca0d47fa89b5d2d9a9d26db9
SHA256

cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044
SHA512

21d073397675246b06e863391a93d45ea2aed990bba6e6a57fafd1be5a9d2db8c9b28ebb62a6ae453858575f5181b13bc6701588e646c3b176257ba312578484
SSDEEP

6144:mNeZi2X8nOqyURK/phDHCEZkxjUx0IoByEuXZfnaLX3KTh:mNj2X8OqyUR+hDHtZOE12yJX3Th

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2056	Un_A.exe

Loads dropped DLL 4 IoCs

pid	Process
2264	cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044.exe
2056	Un_A.exe
2056	Un_A.exe
2056	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2056	Un_A.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2056	2264	cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044.exe	28
PID 2264 wrote to memory of 2056	2264	cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044.exe	28
PID 2264 wrote to memory of 2056	2264	cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044.exe	28
PID 2264 wrote to memory of 2056	2264	cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044.exe	28

C:\Users\Admin\AppData\Local\Temp\cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044.exe
"C:\Users\Admin\AppData\Local\Temp\cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi6C5.tmp\ioSpecial.ini

Filesize
1KB

MD5
892a861b7793a9ba0d0708bdc7634520

SHA1
4be03db57f2d4b23ef4cb6c4aca828ab42c520a9

SHA256
fba2ca6d4a2704fba57758dbc77ab5aa6f280e04231c2c9aa90275465abbe7f5

SHA512
95091a07d558f24f6da52d26f5b94746351091b9819255beff3c7ba9719339c0851c521332f10a16daaf2f93cd5c60b7e6cab0f986e99902b7262a734001a2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
321KB

MD5
e5812b98cab107a220a850b01c37cc8b

SHA1
1d6f2064bcdeb3deca0d47fa89b5d2d9a9d26db9

SHA256
cfbfec93fee9a4bd5c55fb2a52f11eb2f689b2fe46caee0d3103f0a07cf3b044

SHA512
21d073397675246b06e863391a93d45ea2aed990bba6e6a57fafd1be5a9d2db8c9b28ebb62a6ae453858575f5181b13bc6701588e646c3b176257ba312578484

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6C5.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6C5.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit