95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659.exe
Size

13.8MB
MD5

e658362728aa344021c21663491fd38b
SHA1

3246d99563cabd12e6b509124029b5a474fe50c0
SHA256

95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659
SHA512

24b43b7dc46d683b0cdf6542f404c89b199e0f51e465e1e6e25117863cb2f907a6639ed6f95a80bcb9c56871dc4da99688573c4db7783ba9ad87cc82a58986ac
SSDEEP

393216:aysSKFHl4H+5LBX+YMfSROa75dU69mPQt8vSH6Mle:dst4H+5VNm8/U6cPQtU43e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1452	95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1452	95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2056	1452	95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659.exe	83
PID 1452 wrote to memory of 2056	1452	95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659.exe	83
PID 1452 wrote to memory of 2056	1452	95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659.exe	83

C:\Users\Admin\AppData\Local\Temp\95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659.exe
"C:\Users\Admin\AppData\Local\Temp\95da1b8898a61d6185f11dc1a3ef0ca452542b298b0a7ecc1b064be8e9e61659.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy /b C:\Users\Admin\AppData\Local\Temp\ÒüÈñÖÇCvvt6422.exe + C:\Users\Admin\AppData\Local\Temp\ÐÞ¸ÄÓÃ.txt C:\Users\Admin\AppData\Local\Temp\ÒüÈñÖÇCvvt6422.exe
  2⤵
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÐÞ¸ÄÓÃ.txt

Filesize
3B

MD5
788d986905533aba051261497ecffcbb

SHA1
e1c1bfebab6bf67d6a890159995b9edf156ac725

SHA256
d536a8c1664fec0bc85615cf3cb2645871e8b2935c9642c534c67ac85315cd35

SHA512
40c891261757c6af7ff533e4f0e15a8369ebb182a268d9282ebfe82dc10cb9ac8b384dbbb247781ecbf2eab757dab2f0fe91029cf3657cfbd91a6830d908d920

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÒüÈñÖÇCvvt6422.exe

Filesize
13.8MB

MD5
7e635501e860c029ca8211d069af3848

SHA1
4c4afcf7e67240498fd045eb251cb7ee607abceb

SHA256
925530721717002978bed8dcf0a6c38d813d353a9c65d8551c26ee280078c918

SHA512
5e82d344488016bfe37c80fd94e711fc3c07c04f9038d4c137429723c598752a1492d0115f328bffe8c71b6c4d1dae55475d5bc8f98c980133cb23819cebaad7

Download Submit
memory/1452-133-0x0000000000400000-0x0000000001A5A000-memory.dmp

Filesize
22.4MB

Download
memory/1452-134-0x0000000006FC0000-0x000000000715F000-memory.dmp

Filesize
1.6MB

Download
memory/1452-141-0x0000000000400000-0x0000000001A5A000-memory.dmp

Filesize
22.4MB

Download
memory/1452-142-0x0000000006FC0000-0x000000000715F000-memory.dmp

Filesize
1.6MB

Download