e583519ef700454b6bea18bf45062787e92ab2643dc28050f390f184ece04add

General

Target

villa-RE/villa-rechnung.url
Size

169B
MD5

cb8afd706883ce927dc83f034986e2dc
SHA1

3d85aed17a6a9337536cedafc0f966040ea94770
SHA256

038c96a02627b159cf27cf05c2925750ba4c4135c03e4f564fc41ddf7cd5bdd2
SHA512

71cada2a23e153c6306b78985fcbf4e4a49e7d87c9b1ddda80958ebfcc16489cfead9c16ab8a4f7de78ee28207079b0c060c4db21c98c3248cf708e4a75af092

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2464	msdt.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2300	1968	rundll32.exe	31
PID 1968 wrote to memory of 2300	1968	rundll32.exe	31
PID 1968 wrote to memory of 2300	1968	rundll32.exe	31
PID 2300 wrote to memory of 2464	2300	rundll32.exe	32
PID 2300 wrote to memory of 2464	2300	rundll32.exe	32
PID 2300 wrote to memory of 2464	2300	rundll32.exe	32

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\villa-RE\villa-rechnung.url
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDF8575.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\msdt.exe
    -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF8575.tmp -ep NetworkDiagnosticsSharing
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2464

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024123012.000\NetworkDiagnostics.0.debugreport.xml

Filesize
64KB

MD5
6034e3231f6f89fda2581274ac9b04dd

SHA1
e34308a1498dade0df7eb3fb9e44ed5c11f95b26

SHA256
85ede1098a19401f614effa5692366c748575ca5d9f9aedc1a5235e414f65ae4

SHA512
67a01a7d33683c350a5a1f949b22fe19ce43d29eb587f1fdfbab6d197f5a9121ea4ea2ce1d653074a69e45195377b9a0f945f352f4304858e99a540f47177405

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF8575.tmp

Filesize
2KB

MD5
7f63940274cf6c3286fbd7f510f00e60

SHA1
61a57f60bbfdde3d8a867ac11a5a1ec1a18e2090

SHA256
68e69d8df3227e7dc163b475b40fec114a2f1db2b6bba5719f05505e70e79771

SHA512
bf60f846c89963a625d0509a4bfcc2bec0b00ec543afaab3d1e92ca1b03e47c9984600f3f33945f59bfa839203c5bac4b8ebf2d4f50d1ea76868a62dcfc16edb

Download Submit
C:\Windows\TEMP\SDIAG_8da43bb3-ef77-43cf-9d43-7e4fbc88b339\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_8da43bb3-ef77-43cf-9d43-7e4fbc88b339\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_8da43bb3-ef77-43cf-9d43-7e4fbc88b339\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_8da43bb3-ef77-43cf-9d43-7e4fbc88b339\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_8da43bb3-ef77-43cf-9d43-7e4fbc88b339\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_8da43bb3-ef77-43cf-9d43-7e4fbc88b339\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
memory/1968-0-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/1968-1-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing