eb2a5e3a808f2947bf3ed1faf3dfd169a7b00b835c46cdd464d19e16f38f5630

General

Target

accf9582bde36179255f50ca019b3981.url
Size

178B
MD5

accf9582bde36179255f50ca019b3981
SHA1

f09eadda4a33928662f5e85c7b79bf5d97274b64
SHA256

eb2a5e3a808f2947bf3ed1faf3dfd169a7b00b835c46cdd464d19e16f38f5630
SHA512

1b180cb464cfa601cf179657174e1abfd7c62c979b075454e232b4132e21de48be0947d27401dc31cc5453f63de771a72093379cd15e9874c62ba2fed3ad5076

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	msdt.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2472	2116	rundll32.exe	31
PID 2116 wrote to memory of 2472	2116	rundll32.exe	31
PID 2116 wrote to memory of 2472	2116	rundll32.exe	31
PID 2472 wrote to memory of 2792	2472	rundll32.exe	32
PID 2472 wrote to memory of 2792	2472	rundll32.exe	32
PID 2472 wrote to memory of 2792	2472	rundll32.exe	32

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\accf9582bde36179255f50ca019b3981.url
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDFF6FC.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\msdt.exe
    -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFF6FC.tmp -ep NetworkDiagnosticsSharing
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2792

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024071607.000\NetworkDiagnostics.0.debugreport.xml

Filesize
64KB

MD5
ff8ba1d1761da9290a9a232534235331

SHA1
0a61a749e6671be8224e990c3ab04485b7318f41

SHA256
625ea6843e210360c6e5d785c983d5ef4a425e46731c941a90a78c4e1516a80c

SHA512
55594d1b0adb66f45f014298c454630475c94f92d62d00bcc4cbf5a4fa10b545e2f47a6ee29e9fa3b3184515eddaf8f6cf48579ebf4323d366e3e201c4ec3819

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFF6FC.tmp

Filesize
2KB

MD5
ddb827b68c2bdb797b2f7c864dafea6e

SHA1
328af7fd96f4162a8f82d298a716425a13bc655a

SHA256
cdb11243b2e4a0068803a187859eb252ca63f506c7b0af070310776197577fa3

SHA512
38bcb031850f7b7f5856df6876e5a2ae8386397bb462a1dc8fa1ed80ba5a8a5358b3b10173274b982337335e228816ddd4f6f710245ff90f975320af37cf0baa

Download Submit
C:\Windows\TEMP\SDIAG_a5eb0c10-e66b-485f-9512-16504e84b069\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_a5eb0c10-e66b-485f-9512-16504e84b069\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_a5eb0c10-e66b-485f-9512-16504e84b069\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_a5eb0c10-e66b-485f-9512-16504e84b069\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_a5eb0c10-e66b-485f-9512-16504e84b069\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_a5eb0c10-e66b-485f-9512-16504e84b069\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
memory/2116-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2116-361-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing