f41d345b0bbf9e7cad979950a8700204ad2d5241953771f54b3df1d67aedbe94

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/xvid.exe
Size

637KB
MD5

cfda0738d62a6ce3b605551e311b3c37
SHA1

435203e7f713c4484ca4f50f43e847f3dc118962
SHA256

a7e72dc1ece52648fae949dd9e25785a611cf6c25512ccd5d0f9dba99456cc50
SHA512

3fe7e79004dd24138e294d611d7c301e0686b0636811ae91005a19272c9d30b23a45abe7015967994794b260a2305ad99a0c3a86cb39fb90ecb87e565a78b226
SSDEEP

12288:smz39dIoR2bbiwFHDZeUJiFA+KXCJaVkjR6h3Q+sZli4pZd:sI39dhcFtZHiJ8CJaGja/8Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2224	is-MOJTM.tmp

Loads dropped DLL 3 IoCs

pid	Process
2136	xvid.exe
2224	is-MOJTM.tmp
2224	is-MOJTM.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	is-MOJTM.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2224	2136	xvid.exe	28
PID 2136 wrote to memory of 2224	2136	xvid.exe	28
PID 2136 wrote to memory of 2224	2136	xvid.exe	28
PID 2136 wrote to memory of 2224	2136	xvid.exe	28
PID 2136 wrote to memory of 2224	2136	xvid.exe	28
PID 2136 wrote to memory of 2224	2136	xvid.exe	28
PID 2136 wrote to memory of 2224	2136	xvid.exe	28

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xvid.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xvid.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\is-83OLO.tmp\is-MOJTM.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-83OLO.tmp\is-MOJTM.tmp" /SL4 $3012C "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\xvid.exe" 412643 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-83OLO.tmp\is-MOJTM.tmp

Filesize
647KB

MD5
125b1be5897ffb844be040a35041d695

SHA1
a64833cd932694d025057a4188068ec9c1690f0d

SHA256
94112c7da38b3445aaced3aa9e56cbf6d3c9e70ee599ebbf5ce586752aeb4bc2

SHA512
2a1b690997b14c0db0453c4af206f76eb0da2f61c96f806f8ed1fb2fb4fd033bf7da90a6b46670c787a957145b4fb121a14835344fe55b81942aea71d93fb104

Download Submit
\Users\Admin\AppData\Local\Temp\is-UJF3D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2136-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2136-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2136-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2224-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download