7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946

Analysis

max time kernel
156s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
Size

9.9MB
MD5

dffda1f2f2fa1dd3f3f7cf229d2c68ec
SHA1

598d1cea90ce711e3599dd658b815acc45c90db8
SHA256

7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946
SHA512

97b8f5f490ec714334ea91de5c82851254540ff3f953bd02ff792e61b2c319e2c194217044e0002adc8f0445d0675cbc952c46063815c16fb721cc429508356c
SSDEEP

196608:mGsAZ55zJxraS4BU5TP1J67qSo2YoeEWkzNMe/Xyb5eck5aQ:m5K51rhsU5ZJO9o2reVlAcu5

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\K:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\Y:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\G:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\E:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\B:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\L:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\M:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\P:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\Q:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\V:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\W:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\X:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\H:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\Z:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\I:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\N:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\O:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\R:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\S:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\T:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\U:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
File opened (read-only)	\??\A:	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2592	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28
PID 2628 wrote to memory of 2592	2628	7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe	28

C:\Users\Admin\AppData\Local\Temp\7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
"C:\Users\Admin\AppData\Local\Temp\7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe
  "C:\Users\Admin\AppData\Local\Temp\7085ff0400fbaac9f9dc11a4c1577861a5944f001395da1f8cb69ccf1ac55946.exe"
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2592-35-0x0000000001330000-0x00000000015C3000-memory.dmp

Filesize
2.6MB

Download
memory/2592-18-0x00000000015D0000-0x0000000001DC7000-memory.dmp

Filesize
8.0MB

Download
memory/2592-57-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-56-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-7-0x0000000001330000-0x00000000015C3000-memory.dmp

Filesize
2.6MB

Download
memory/2592-55-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-9-0x00000000015D0000-0x0000000001DC7000-memory.dmp

Filesize
8.0MB

Download
memory/2592-54-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-13-0x00000000015D0000-0x0000000001DC7000-memory.dmp

Filesize
8.0MB

Download
memory/2592-14-0x00000000015D0000-0x0000000001DC7000-memory.dmp

Filesize
8.0MB

Download
memory/2592-15-0x00000000015D0000-0x0000000001DC7000-memory.dmp

Filesize
8.0MB

Download
memory/2592-17-0x00000000015D0000-0x0000000001DC7000-memory.dmp

Filesize
8.0MB

Download
memory/2592-34-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2592-19-0x00000000015D0000-0x0000000001DC7000-memory.dmp

Filesize
8.0MB

Download
memory/2592-20-0x00000000015D0000-0x0000000001DC7000-memory.dmp

Filesize
8.0MB

Download
memory/2592-21-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2592-23-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-53-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-52-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2592-27-0x0000000001330000-0x00000000015C3000-memory.dmp

Filesize
2.6MB

Download
memory/2592-28-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-32-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2592-51-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-49-0x0000000001330000-0x00000000015C3000-memory.dmp

Filesize
2.6MB

Download
memory/2592-39-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-36-0x0000000077CE0000-0x0000000077CE1000-memory.dmp

Filesize
4KB

Download
memory/2592-33-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2592-31-0x0000000001330000-0x00000000015C3000-memory.dmp

Filesize
2.6MB

Download
memory/2592-30-0x0000000001330000-0x00000000015C3000-memory.dmp

Filesize
2.6MB

Download
memory/2592-29-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2592-38-0x0000000001EF0000-0x0000000001EF3000-memory.dmp

Filesize
12KB

Download
memory/2592-37-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2592-41-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-43-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2592-42-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2592-45-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-47-0x0000000000400000-0x0000000000C1D000-memory.dmp

Filesize
8.1MB

Download
memory/2592-48-0x0000000001330000-0x00000000015C3000-memory.dmp

Filesize
2.6MB

Download
memory/2592-50-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2628-0-0x0000000000400000-0x000000000132E000-memory.dmp

Filesize
15.2MB

Download
memory/2628-1-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2628-25-0x0000000010000000-0x00000000108FE000-memory.dmp

Filesize
9.0MB

Download
memory/2628-24-0x0000000000400000-0x000000000132E000-memory.dmp

Filesize
15.2MB

Download
memory/2628-11-0x0000000010000000-0x00000000108FE000-memory.dmp

Filesize
9.0MB

Download
memory/2628-10-0x0000000005950000-0x000000000687E000-memory.dmp

Filesize
15.2MB

Download
memory/2628-4-0x0000000010000000-0x00000000108FE000-memory.dmp

Filesize
9.0MB

Download
memory/2628-3-0x0000000010000000-0x00000000108FE000-memory.dmp

Filesize
9.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads