392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3

Analysis

max time kernel
120s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08-10-2023 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
Size

1.5MB
MD5

56f5fc19dcac0ad3e025a1a70de8a134
SHA1

9074a465e9ecaea11e424169e73708618cdfc651
SHA256

392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3
SHA512

3dfc8369ae513affdf0c371340022183e360432b5de1e38a5904bc552e19e175e90c8861b45f9ba799d17ad31439dcd51fa0705dff892c74c617519ff2765e9a
SSDEEP

24576:NWFf9wwXe8UBH9iT6hbuZ3SuLCxfu4eyEMrOLabNZ5muy5Az6U4hfM1wWqJG3J:NQf9wwXe8eqLqflEM2ywC+U4hwuS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2504	µãÎ»Æ÷1.2.exe

Loads dropped DLL 2 IoCs

pid	Process
1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
2504	µãÎ»Æ÷1.2.exe
2504	µãÎ»Æ÷1.2.exe
2504	µãÎ»Æ÷1.2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2560	1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	29
PID 1368 wrote to memory of 2560	1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	29
PID 1368 wrote to memory of 2560	1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	29
PID 1368 wrote to memory of 2560	1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	29
PID 1368 wrote to memory of 2504	1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	31
PID 1368 wrote to memory of 2504	1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	31
PID 1368 wrote to memory of 2504	1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	31
PID 1368 wrote to memory of 2504	1368	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	31

C:\Users\Admin\AppData\Local\Temp\392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
"C:\Users\Admin\AppData\Local\Temp\392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\1696731769.zip
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_96EEC010953ED454BBCDFA69FC071E7C

Filesize
1KB

MD5
1ba04bdcb661cdd399f94c62e5bf9a48

SHA1
20ab80de61825c1004cb22d77a5dceb360d4516f

SHA256
baa71234d197059baa966cdcba90540128f408e7e65d9f3eb5efabb037360c0b

SHA512
41b208d79eebd14fcd0fc1a7489b2782569668606f3bb2114fda07cbbe1730fdf73131f734cf6ab8d56b697eb396579696d563f948a2cd5aae2b62657b99aca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_287BE23B7EA864C953D17EFAF5804874

Filesize
1KB

MD5
5a8d9f61219d909ccd7dfd4e96b3972d

SHA1
cf4330b47c5e69cac8114323fc36e50991be90c2

SHA256
1587238ec70b8b737480e75811a0036abb04fc9340531ad8558f4d884697b35d

SHA512
5a81de82247749c8ee715d5b1064ec0329f4fed088d2832ff143ea318ca012c19f55e208dc45f7829bf716013336a5baa9d4afdc495e8d2afdc8e1ddfd162632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_96EEC010953ED454BBCDFA69FC071E7C

Filesize
516B

MD5
fda35e975a849bed96fe46c4817ab451

SHA1
01a57f38d2c5f3991927ed5a73cb1160204c0556

SHA256
2fbeb040d7061015a7d4d7654a9adcaf9de1049936e145bb9c6cd5a085d1222a

SHA512
4fd535d8de75cd8d4584b1159fc26ab16952959ccfd87964ebd92d75a33802807650bf5d2e318268e2446d8c0ef9f4290e850abc282b5eb99f1cbd6fe0a3560f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_287BE23B7EA864C953D17EFAF5804874

Filesize
528B

MD5
8eb0add33cbcd1ec6cfbe9228d46ef65

SHA1
56f7228c9176bbe7823d7bfdfcfb16442795d552

SHA256
25830a17aad43becff6ce609707f0dbf06746481f3ffa46bf30e0ef2638c3b75

SHA512
6bf82d325e94770fdc78e30d84f849573b6c66cb31a92c7d3953148d166476c4cf8cd0512b993e45d5882d0f99619728da3a38d0304ed09aa103f899a58dfe3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ced706d36ccc6e818f8d94436fa92602

SHA1
2d39bbe0fc0e8068c84c60ba53b21ee261d6c323

SHA256
809c438c341c18cb7f1f74a64ce9b7c3dee2eec9b1efde6fc2802eeab38a3583

SHA512
dfdd019d8d55d779bff3681a1b466f8b397bd726ec4af20aba00a69dd9ec44e1ef8119e870c1cd5bf4c691b57a0c563b3f048d0a4ebe5d35507c27827dc2258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab932B.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe

Filesize
1.6MB

MD5
be9bd1c43152424a69d5c0c1e0cda09f

SHA1
99044ab3b6d45a9d4d3166a2948e2584e27c1ed8

SHA256
5234385c361f337f229be8209e6f42d7622ab229687b79b24019ed16d39372ac

SHA512
7e8f0274ccbf26f1813afe55a26fdae48fe9f3e239fb0b80e706aef393fa05da9c540d9b40cf1d30002a53015f55dcaaedeb2314e5ed94ea81dcc47a2cda97fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe

Filesize
1.6MB

MD5
be9bd1c43152424a69d5c0c1e0cda09f

SHA1
99044ab3b6d45a9d4d3166a2948e2584e27c1ed8

SHA256
5234385c361f337f229be8209e6f42d7622ab229687b79b24019ed16d39372ac

SHA512
7e8f0274ccbf26f1813afe55a26fdae48fe9f3e239fb0b80e706aef393fa05da9c540d9b40cf1d30002a53015f55dcaaedeb2314e5ed94ea81dcc47a2cda97fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GGULNEJR.txt

Filesize
138B

MD5
b2b05fb29805912026c808dabb55749e

SHA1
1aec43c171b03a17dede7f298cfba80dbdfecabf

SHA256
8ce82b00417b0f8d25b8be1f762e29042aa7c81b865b5a746215003fea5bb3b6

SHA512
6683d6dd8b83e3588aea92fabd6217c79119544d9e5643fb9b3e9c3198c1e08f0d43c2b05acfc5cca355bc9122895dea6e34144ef7e91b53a9c17ba8ac8434a3

Download Submit
\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe

Filesize
1.6MB

MD5
be9bd1c43152424a69d5c0c1e0cda09f

SHA1
99044ab3b6d45a9d4d3166a2948e2584e27c1ed8

SHA256
5234385c361f337f229be8209e6f42d7622ab229687b79b24019ed16d39372ac

SHA512
7e8f0274ccbf26f1813afe55a26fdae48fe9f3e239fb0b80e706aef393fa05da9c540d9b40cf1d30002a53015f55dcaaedeb2314e5ed94ea81dcc47a2cda97fc

Download Submit
\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe

Filesize
1.6MB

MD5
be9bd1c43152424a69d5c0c1e0cda09f

SHA1
99044ab3b6d45a9d4d3166a2948e2584e27c1ed8

SHA256
5234385c361f337f229be8209e6f42d7622ab229687b79b24019ed16d39372ac

SHA512
7e8f0274ccbf26f1813afe55a26fdae48fe9f3e239fb0b80e706aef393fa05da9c540d9b40cf1d30002a53015f55dcaaedeb2314e5ed94ea81dcc47a2cda97fc

Download Submit
memory/1368-33-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1368-0-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2504-31-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download