e62356133515b034c8a82fd6701af5816c36119f772c4d121dc2805da8c60e7d

Resubmissions

16-08-2024 17:35

240816-v512psxeja 3

16-08-2024 17:30

240816-v3e2fs1bnn 3

16-08-2024 17:23

240816-vyb41azhqk 3

16-08-2024 17:19

240816-vv9k4axale 3

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ATDKM0-019002993PDF/ATDKM0-019002993PDF.url
Size

171B
MD5

012a6bc70079bc296c3e5da75986d6e2
SHA1

6d169e6194f439555eb7b9f2e03008e3714651e6
SHA256

d3565b730ffcf5a95d21facb031eafd5be65664f5c2949e996a7355fd9685550
SHA512

2f72c8851c3cbfc6c7abb2387f41ecec931733b18c8fc0e5fd2add5d8711851efe297b1a6ff6ed30cf65d1a2d15a4658fa60bb72411d3ff16d98e9992d2838e2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2760	rundll32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2808	msdt.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2820	2760	rundll32.exe	30
PID 2760 wrote to memory of 2820	2760	rundll32.exe	30
PID 2760 wrote to memory of 2820	2760	rundll32.exe	30
PID 2820 wrote to memory of 2808	2820	rundll32.exe	31
PID 2820 wrote to memory of 2808	2820	rundll32.exe	31
PID 2820 wrote to memory of 2808	2820	rundll32.exe	31

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\ATDKM0-019002993PDF\ATDKM0-019002993PDF.url
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDF6C5A.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\msdt.exe
    -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF6C5A.tmp -ep NetworkDiagnosticsSharing
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2808

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:1736

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024081617.000\NetworkDiagnostics.0.debugreport.xml

Filesize
64KB

MD5
b433e744e515cca097cd490cc7acf41e

SHA1
af879d526ad1cfae7939342d3b3bb7836679487b

SHA256
5abf82a37964b1bc2955b77e0d90024aad36ad2115c4453625628b960add212e

SHA512
54b4614d546da1df99a261ab6e60948da3db1a9eeb5c57941886f28faae0b7586aebb10692ed0d404c7fb7ca39a0ff9ebe6d3860fa84f44b315d4a153c69dc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF6C5A.tmp

Filesize
2KB

MD5
edffb30992fd20c50d4a9efa2b235173

SHA1
30fe67fec4d0caa037767b1976188ef43d94a2b7

SHA256
0ff3b98e3a01d1c24d5d1fe7bc583a1dd65bfaf831551d0d9f84ad6b4412eeda

SHA512
2d79bf84beda123ce2d3514251b3488417423d01b6dc5f51f42424a443c7b2beb52df88de59d45e81e5da0864f4ac3353b99be1a2da70579afff759c809fecc2

Download Submit
C:\Windows\TEMP\SDIAG_77c4256e-5f00-4cd3-aa22-5a9c389ab565\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_77c4256e-5f00-4cd3-aa22-5a9c389ab565\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_77c4256e-5f00-4cd3-aa22-5a9c389ab565\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_77c4256e-5f00-4cd3-aa22-5a9c389ab565\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_77c4256e-5f00-4cd3-aa22-5a9c389ab565\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_77c4256e-5f00-4cd3-aa22-5a9c389ab565\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
memory/2760-0-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2760-1-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download