cfb3c948d496397fe436f6f636ca324cc778af796b8664d91f63904a9ed132b0

Analysis

max time kernel
10s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FAKEFLASHTEST.exe
Size

144KB
MD5

626ec93b727b3b84a7244185eb34a221
SHA1

afbf781783e73ffdd3110dc9ca60c3a0f3d75c77
SHA256

cfb3c948d496397fe436f6f636ca324cc778af796b8664d91f63904a9ed132b0
SHA512

7cd973a87a365ac9980047a7b42835bea00dcdd7632ab8571733a6a1b59c8b50c9000d8bb44d92f4db91551148a4e0e7b1068177816fd8f72603e4dd2b6a59ca
SSDEEP

3072:pIpzmXXghCbwtrh21FFauAgyV5+lI1/IfpZDh5fEDDGpytZxNaGpy7vjyBF:p6yXYCbarh21MgyV5+lI1/IfpZDh58DB

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	FAKEFLASHTEST.exe
File opened (read-only)	\??\D:	FAKEFLASHTEST.exe
File opened (read-only)	\??\H:	FAKEFLASHTEST.exe
File opened (read-only)	\??\I:	FAKEFLASHTEST.exe
File opened (read-only)	\??\J:	FAKEFLASHTEST.exe
File opened (read-only)	\??\L:	FAKEFLASHTEST.exe
File opened (read-only)	\??\M:	FAKEFLASHTEST.exe
File opened (read-only)	\??\S:	FAKEFLASHTEST.exe
File opened (read-only)	\??\U:	FAKEFLASHTEST.exe
File opened (read-only)	\??\E:	FAKEFLASHTEST.exe
File opened (read-only)	\??\K:	FAKEFLASHTEST.exe
File opened (read-only)	\??\N:	FAKEFLASHTEST.exe
File opened (read-only)	\??\O:	FAKEFLASHTEST.exe
File opened (read-only)	\??\Q:	FAKEFLASHTEST.exe
File opened (read-only)	\??\R:	FAKEFLASHTEST.exe
File opened (read-only)	\??\T:	FAKEFLASHTEST.exe
File opened (read-only)	\??\Y:	FAKEFLASHTEST.exe
File opened (read-only)	\??\G:	FAKEFLASHTEST.exe
File opened (read-only)	\??\P:	FAKEFLASHTEST.exe
File opened (read-only)	\??\W:	FAKEFLASHTEST.exe
File opened (read-only)	\??\X:	FAKEFLASHTEST.exe
File opened (read-only)	\??\F:	FAKEFLASHTEST.exe
File opened (read-only)	\??\Z:	FAKEFLASHTEST.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1640	FAKEFLASHTEST.exe

C:\Users\Admin\AppData\Local\Temp\FAKEFLASHTEST.exe
"C:\Users\Admin\AppData\Local\Temp\FAKEFLASHTEST.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads