Analysis
-
max time kernel
141s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
25/08/2023, 07:41
General
-
Target
fa39a250f691d200500b5ff76de38cd4e4be195368536be053e35ef8fbc90e8c.exe
-
Size
197KB
-
MD5
739ea923117d77a9bb76701cda94461b
-
SHA1
bb56112b36f77827545d770f844433588bd514bd
-
SHA256
fa39a250f691d200500b5ff76de38cd4e4be195368536be053e35ef8fbc90e8c
-
SHA512
351332a19bff9842ea2addb58493f3b4bd41b1b25f8b9227f41124418edc5d316b5e85505b85302a5e8372341c1654bec1c910cac65267b2daabe346a6271358
-
SSDEEP
6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO2:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXn
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa39a250f691d200500b5ff76de38cd4e4be195368536be053e35ef8fbc90e8c.exe"C:\Users\Admin\AppData\Local\Temp\fa39a250f691d200500b5ff76de38cd4e4be195368536be053e35ef8fbc90e8c.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FA39A2~1.EXE > nul2⤵
- Deletes itself
-
-
C:\Windows\Debug\rwmhost.exeC:\Windows\Debug\rwmhost.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197KB
MD51c2d7fd7e7a4ab9a1da90c4933401fce
SHA17eac5657bbac852928224d1e0eef2003d2cf24e2
SHA2563f91368ed7a90d193a0fe3d1867e253c8559cb828160c03037c665db0f367f0e
SHA512c5738dd532049ee98617b8aff8124f7e91394d0f49a32b13252bd52a06d1f2276d8809c0addbf51e0073b44c784addead6bc001c95992db0776048b5ad0308f0