b6e049e8d3290c1c025755890cd2069129ecd2acb20ed526a99f5a9df5270a7b

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfc4e9da3ba87f_JC.exe
Size

33KB
MD5

dfc4e9da3ba87f6306c4cb45fbad2fab
SHA1

6251f7ffd8730f8dc62efcac04381d2f54167d25
SHA256

b6e049e8d3290c1c025755890cd2069129ecd2acb20ed526a99f5a9df5270a7b
SHA512

f4605ffa060e827fdfbf715d78162f0d91cd4774e047e76eb9fbe457cfc5d1930554c284175e0e7db55c1e384620f01f010d99e4928b7fecd46165bf7d2d74fa
SSDEEP

384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoi0Win1oRIwMVmaz3yHUT:b7o/2n1TCraU6GD1a4X0WcO+wMVm+CUT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2948	rewok.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	dfc4e9da3ba87f_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3040	dfc4e9da3ba87f_JC.exe
2948	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2948	3040	dfc4e9da3ba87f_JC.exe	28
PID 3040 wrote to memory of 2948	3040	dfc4e9da3ba87f_JC.exe	28
PID 3040 wrote to memory of 2948	3040	dfc4e9da3ba87f_JC.exe	28
PID 3040 wrote to memory of 2948	3040	dfc4e9da3ba87f_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\dfc4e9da3ba87f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\dfc4e9da3ba87f_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
33KB

MD5
8b62343c2ec1d076a7f669279bced58e

SHA1
4fac67458e91b7e564c937a908c0e31eada2ebcf

SHA256
1aa7b8b8d2a13d595d79c55e1ed5bc0a888a05de7371eacc6121dba5d7917975

SHA512
552d0896f02f81c10bce0d874e588cefc9a1f3f9094d005da902ed0ec6185fcb1d5bdddda163bca0e925bcfa97c3fd23e8a96642a40b9c7fd662936fe79ce83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
33KB

MD5
8b62343c2ec1d076a7f669279bced58e

SHA1
4fac67458e91b7e564c937a908c0e31eada2ebcf

SHA256
1aa7b8b8d2a13d595d79c55e1ed5bc0a888a05de7371eacc6121dba5d7917975

SHA512
552d0896f02f81c10bce0d874e588cefc9a1f3f9094d005da902ed0ec6185fcb1d5bdddda163bca0e925bcfa97c3fd23e8a96642a40b9c7fd662936fe79ce83d

Download Submit
\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
33KB

MD5
8b62343c2ec1d076a7f669279bced58e

SHA1
4fac67458e91b7e564c937a908c0e31eada2ebcf

SHA256
1aa7b8b8d2a13d595d79c55e1ed5bc0a888a05de7371eacc6121dba5d7917975

SHA512
552d0896f02f81c10bce0d874e588cefc9a1f3f9094d005da902ed0ec6185fcb1d5bdddda163bca0e925bcfa97c3fd23e8a96642a40b9c7fd662936fe79ce83d

Download Submit
memory/2948-69-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/3040-53-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/3040-55-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/3040-54-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download