Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 02:18

General

  • Target

    d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe

  • Size

    928KB

  • MD5

    4266d91c8633602759414cebaeec2ae2

  • SHA1

    ba1dbcfb42cc7073e6fc8c2f75309bbea4dff3b6

  • SHA256

    d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18

  • SHA512

    fa083f2cc0da566a24b7bd259a680b94d03478b1988df230e990a364859b9b42ea7b6b4cb203efd321c870a8199b24e35f7f8632b83da7429cfec2f90ddf6314

  • SSDEEP

    24576:oT5+tqOmwmFwIwoGxEt0h1XummOxYD/I1adA:mEtBL+wRom3nnuckA

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe
    "C:\Users\Admin\AppData\Local\Temp\d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 540
      2⤵
      • Program crash
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd282B.tmp

    Filesize

    74B

    MD5

    16d513397f3c1f8334e8f3e4fc49828f

    SHA1

    4ee15afca81ca6a13af4e38240099b730d6931f0

    SHA256

    d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

    SHA512

    4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

  • C:\Users\Admin\AppData\Local\Temp\nsd282B.tmp

    Filesize

    27B

    MD5

    b93641813851b1ad166b8163e5aeddc9

    SHA1

    642d989ceea62bcfd70fb74f3c62ade0c1c41d78

    SHA256

    1628c6bee5afc85044309f45e34190bc9ce8bd9516e30792460e14362657d42d

    SHA512

    eee31a0d51df3a7ba35ab4025f8d458c4d12b6f46412982ad34aef31d9e83c7070056a07777ed4b62fb3b92b376b618099374901ffe4f988fe0f853a0e57c8ec

  • C:\Users\Admin\AppData\Local\Temp\nsd282B.tmp

    Filesize

    38B

    MD5

    306942073b8a4457561e12735efb9411

    SHA1

    b1cd498c9febaeb7c2aa4e57c30f118f50eaacb6

    SHA256

    2f68a110d1297ef0a5752507719512451b5a9f00bf25e1392ad5ad3be968ea34

    SHA512

    29b4c8dc5a083fde8e809ad3e87b76057116fa9820c15fbddb25913543d93d9475ce07137cd382d6ba9c71741f706bf5be4e13909e231b32164a189fdf95271c

  • C:\Users\Admin\AppData\Local\Temp\nst2B4B.tmp

    Filesize

    56B

    MD5

    8e6404beeb7e3c9538dadffcfb2645b8

    SHA1

    270b1ee147d848a55d37ddf02e8eb7f847962cb0

    SHA256

    d249e99e34d488c9c51113d432665f8d7b064ea22b259a7d5b563fdab5cc89b2

    SHA512

    9e611fce0c6832f6d2608939c90761cbbbe20389a47538e1b61aeb81d1632486719bbd95c591208eafd49c1ee7bfb47253fa26520f10712c4ce65a03bc9547d4

  • C:\Users\Admin\AppData\Local\Temp\nsy2A7E.tmp

    Filesize

    52B

    MD5

    5d04a35d3950677049c7a0cf17e37125

    SHA1

    cafdd49a953864f83d387774b39b2657a253470f

    SHA256

    a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

    SHA512

    c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

  • C:\Users\Admin\AppData\Local\Temp\nsy2ACD.tmp

    Filesize

    60B

    MD5

    c5dc6b3c3c7f200f5a7ba47c2737c1de

    SHA1

    70b4e8baecdb4dce827ab98ffef9bd44e0552ee4

    SHA256

    60d21a4adb44ea9bc7f98e4782eb655c65ecc018d98ff8850b4d5aa0b4346d18

    SHA512

    99374495d22fc90ef81f0c705822006ffd921fb9e91aea7b2e93a492758ee43a73becb09a49be96ad6ba28fa47c267530669042e8de398f2b6bb10ed5a966283

  • C:\Users\Admin\AppData\Local\Temp\nsy2BB9.tmp

    Filesize

    30B

    MD5

    f15bfdebb2df02d02c8491bde1b4e9bd

    SHA1

    93bd46f57c3316c27cad2605ddf81d6c0bde9301

    SHA256

    c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

    SHA512

    1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\tabelskitsernes.ini

    Filesize

    38B

    MD5

    64b06081504c11ef4062e43370b81357

    SHA1

    8c2e1d6f654a48964bf51a72e333dfebbd911b62

    SHA256

    0782aa5c1895020e59632e92fe29a293160a19155fe53a6ff56af8c376cb5664

    SHA512

    a0cdc124018d7bdb224d59a5d96e84a07f0f801290ee80881d6bffc7bb82edac5a768e8258217363610883c1ab73a79a2951c3bc29e93c9b7276627566551dee

  • \Users\Admin\AppData\Local\Temp\nsd282C.tmp\System.dll

    Filesize

    12KB

    MD5

    d968cb2b98b83c03a9f02dd9b8df97dc

    SHA1

    d784c9b7a92dce58a5038beb62a48ff509e166a0

    SHA256

    a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

    SHA512

    2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e