1a060d1dabd86e25cb6aab039a0fdccd176cb033e5c7823164b97b9284e34191

Analysis

max time kernel
134s
max time network
139s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

6.6MB
MD5

e4301e8ae04291826a336629c424fa74
SHA1

c8de33288703388238ae6dfe03c3add4824b987a
SHA256

1a060d1dabd86e25cb6aab039a0fdccd176cb033e5c7823164b97b9284e34191
SHA512

4d4e79002ec144844db9e85f1b043e4d6a34ded9043c94424834ba010dc369a23ba421cffeea407772ad44f723805ec2e7ae26192b8253b98e0eb01fd48c8918
SSDEEP

98304:CaMrs0l5KHUN5EVo4UNPQKD+68kPiz8F+LsxAd8ZFhXGMXRdyf/S1crxA:f+rVWKD3tt+Ls+dmhXGGbmS6rxA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ImLc.exe

pid process

4052 ImLc.exe
Loads dropped DLL 7 IoCs

Processes:

Setup.exeImLc.exe

pid process

4140 Setup.exe
4052 ImLc.exe
4052 ImLc.exe
4052 ImLc.exe
4052 ImLc.exe
4052 ImLc.exe
4052 ImLc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4052	ImLc.exe

pid	process
4140	Setup.exe
4052	ImLc.exe
4052	ImLc.exe
4052	ImLc.exe
4052	ImLc.exe
4052	ImLc.exe
4052	ImLc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Setup.execmd.exe

description	pid	process	target process
PID 4140 wrote to memory of 1420	4140	Setup.exe	cmd.exe
PID 4140 wrote to memory of 1420	4140	Setup.exe	cmd.exe
PID 4140 wrote to memory of 1420	4140	Setup.exe	cmd.exe
PID 1420 wrote to memory of 4052	1420	cmd.exe	ImLc.exe
PID 1420 wrote to memory of 4052	1420	cmd.exe	ImLc.exe
PID 1420 wrote to memory of 4052	1420	cmd.exe	ImLc.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C start /B "" "C:\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\ImLc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\ImLc.exe
"C:\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\ImLc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\ImLc.exe
Filesize
302KB

MD5
62f06ce16a02ebab81871add6066666b

SHA1
47c52f3b5dc542d2509bcf1f723598b9b4e88d46

SHA256
88c6341f8779755aa42bf23b70f28a3835cb9e910cb3f47a1e79b8e959061184

SHA512
82a27a06f1aa5bbf83c697423ae433cbcd1738642c576398b32830b42223811d4cb7623aee24a7e5e77cdf3bbf3a2727120a4d16dcd5ffc6d19c6bd34134ff6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\ImLookU.dll
Filesize
606KB

MD5
3ea6d805a18715f7368363dea3cd3f4c

SHA1
30ffafc1dd447172fa91404f07038d759c412464

SHA256
a6766c524497144d585efa4fe384b516b563203427003508f7c8f6bffa7c928d

SHA512
a102f23741de4ca2184485d9aa4ddd1a36b9ea52cb0859cfd264d69a9996293b7e29b325625f1f6f9330d6c80ff415e09e85e1ae838c58acef585ae8dffe3070

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\ImUtilsU.dll
Filesize
1.4MB

MD5
11d04f26d2fddde31baea41874db2dc9

SHA1
934492f00d56ea6a3aa2a41661529704e847c539

SHA256
01d00bbe1bb408c06417092f3e35c90d29fe4ee6a697e4e99c98c9891d852274

SHA512
4819cc1b1e924aaac97642bc0b566012547cfbac02721ab63ebdc039d88f81957d1de4089a47c645bd0f9f09de3c52f7ccdbcaa78005b2b335adc5dadc52b212

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\ImWrappU.dll
Filesize
158KB

MD5
cbf4827a5920a5f02c50f78ed46d0319

SHA1
b035770e9d9283c61f8f8bbc041e3add0197de7b

SHA256
7187903a9e4078f4d31f4b709a59d24eb6b417ea289f4f28eabce1ea2e713dce

SHA512
d1a285fb630f55df700a74e5222546656de7d2da7e1419e2936078340767d0bab343b603ba0d07140c790eb5d79a8a34b7818b90316ea06cb9f53cad86b6d3f5

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\ImLookExU.dll
Filesize
262KB

MD5
6527be4d6a3333dc5a49218c4f80530d

SHA1
97c8965b01d2644fb17a0f818af59bc0471e38a7

SHA256
908ab22cb8fa1b9125cf5746e5591fd84e4853326a812b9431ca1c0b9e997e1f

SHA512
69a57cc28583861b97a02968106f007d56c2b5826fc5aa843978f0bf3a3f155ad9f2b7dfbe8260e38c2a7b1ed759f6f6fadbeef32cec9d7c4ab8f541f645dc5b

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\mfc80u.dll
Filesize
1.0MB

MD5
ccc2e312486ae6b80970211da472268b

SHA1
025b52ff11627760f7006510e9a521b554230fee

SHA256
18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a

SHA512
d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7B1C.tmp\nsExec.dll
Filesize
11KB

MD5
d65973e31f6324acfb9669a98fb1d375

SHA1
bde1e7963b46366d186190ba69eb8530ad64572b

SHA256
9e1b4a31bedcbfecbafb4f0b3248bff00f1cc590b03dd41797d5dd39979e27b7

SHA512
29edd129f47174c16ffe964bbd50551c9b7edea038563cda0bdea90229827b23fbe01c765b7c9d2719df4edd58b30755b5d79e9cedc26b43c8833082bfc5c601

Download Submit
memory/4140-57-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download