79c3f05190e4b8302c1da7b5846212626cbc65be0edb350e3527f228a31b381d

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

4.0MB
MD5

2a59f30bf734f7b28957283ad7664b3a
SHA1

30f3a26b1c89a5f611218818ebed5a5e6ca430dd
SHA256

79c3f05190e4b8302c1da7b5846212626cbc65be0edb350e3527f228a31b381d
SHA512

ee5be16c00de8377b52113c611e83761171b50a11d5eb1cb38aac810bf9fbc65472819893f81eba3b5402b78a7c86bbdf324afb474d18b7e43bad8f2871f1864
SSDEEP

98304:/eILxboq21mfswe61gB8vYanB1jL9Q1xQZhCqkO:JxboqUMswNnfxQ7ohCq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1752	main2.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	svchost.exe
1752	main2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1752	2328	svchost.exe	28
PID 2328 wrote to memory of 1752	2328	svchost.exe	28
PID 2328 wrote to memory of 1752	2328	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\onefile_2328_133372804906944000\main2.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2328_133372804906944000\main2.exe

Filesize
6.4MB

MD5
51c36e70ac834f19155a4401c977078c

SHA1
c443982a316cc5ea6301ff107667c0df70e9371e

SHA256
8e166ac5dc50064ff6c75e176d1a946baa4c0e9ea878a538ea1125378858faee

SHA512
5f4af57428b74efa3379e265791cd83cefd20620377200bfff3b013298e2cdc65b371ae6ff73bf6e301549def09fa3694c188d4bf1b7b734f02e58f7459e9c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2328_133372804906944000\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2328_133372804906944000\main2.exe

Filesize
6.4MB

MD5
51c36e70ac834f19155a4401c977078c

SHA1
c443982a316cc5ea6301ff107667c0df70e9371e

SHA256
8e166ac5dc50064ff6c75e176d1a946baa4c0e9ea878a538ea1125378858faee

SHA512
5f4af57428b74efa3379e265791cd83cefd20620377200bfff3b013298e2cdc65b371ae6ff73bf6e301549def09fa3694c188d4bf1b7b734f02e58f7459e9c6f

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2328_133372804906944000\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
memory/2328-12-0x000000013F860000-0x000000013FC72000-memory.dmp

Filesize
4.1MB

Download