Analysis
- max time kernel: 149s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2023 13:11
Static task: static1
Behavioral task: behavioral1
  Sample: 850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe
  Resource: win10v2004-20230915-en
General
- Target: 850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe
- Size: 14.9MB
- MD5: 10b4cfacf3858b5bdf6e7ff2ff0547f5
- SHA1: aa0db660f4dec57b3ca7af476c017bc1c0aa6b6a
- SHA256: 850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf
- SHA512: 97e62d321b6403b8908d5477d52de8c6fc6aff96fd32ac6538f5fbafd40aea6ca9457d5d7f580247f99b5052136daf4b5732e46294a9974ed1723e6a36629ab7
- SSDEEP: 196608:jBrEhru89gJ7nFN/p0GweI4YulSbCn52vTFrbZcPVlXFbdKdfMBfimGnPqisGd3u:jpDfJ7BmetYtbC0xrbS3XFZKxHPrsH
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid   process
    2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe
    2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe
    2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe
    2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                          pid   process                                                                 target process
    PID 2256 wrote to memory of 4148     2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe  cmd.exe
    PID 2256 wrote to memory of 4148     2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe  cmd.exe
    PID 2256 wrote to memory of 4148     2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe  cmd.exe
    PID 2256 wrote to memory of 3448     2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe  cmd.exe
    PID 2256 wrote to memory of 3448     2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe  cmd.exe
    PID 2256 wrote to memory of 3448     2256  850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe  cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe"
  PID: 2256
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (tree depth 2)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\*f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exe"
    PID: 4148
  - C:\Windows\SysWOW64\cmd.exe (tree depth 2)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"
    PID: 3448
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\850f33436f1a648f075acf0b9e7e3439f0a4a88cee95e5b20f939fa2ef5477bf.exepack.tmp
  Filesize: 2KB
  MD5: 3722f3b215466722e65f5f3e626d9c71
  SHA1: d7e9d9c0dd20c8c78fbb13b435b69674fbca5bf8
  SHA256: 20ebfcad104323d6b0c53d9164e300b25c2013c1d81b4280e5c27d6ebbc9f6bd
  SHA512: 051bc802d35ad63ba61d5a920618c1363d878b8a43a7396cccf0071634eb8a2781ac456a280c90e29b85ea2a2c5da93cd545676b893c046735803033d02a55a2
- C:\Users\Admin\AppData\Local\Temp\b4155fa9ba44d0fa6a1e39c015029661.ini
  Filesize: 1KB
  MD5: cc92442b2ff4ce656315fd10a64a78fa
  SHA1: d3cbaf6cc2930cbd6739cd021aaee91d5af7ba12
  SHA256: 206cf9f3f5c24fbefa6d76e402237a9324ff236fc25c6fcdfe28392f464fd60b
  SHA512: 7b68cfe376beb1d31f5638ebc92e10d49a8a7d07a016f1d9d554a4a0527ed5ca21dfe0e4ee177aa48198e8e4d8c841bda73985e0d28f5f016260081894c4c57b
- C:\Users\Admin\AppData\Local\Temp\b4155fa9ba44d0fa6a1e39c015029661A.ini
  Filesize: 1KB
  MD5: 4858acaa42ecc3adf2891c196203d6e5
  SHA1: 3a2ed02e4a6768386bc360cc9edef9bdf4542961
  SHA256: 399586cb283f2d6b426d6c0fa9d91d7604b1363a0d8960b9bece407ff7a49c17
  SHA512: 45d3afd9726ed63bd05543de81b1514719628d176753e972d4bddbdfedf95828d512e566944f321cef230e610d6478b1f8b09d3169ea2fd2186bd5aebb3cef45
- memory/2256-0-0x0000000000400000-0x0000000001F00000-memory.dmp
  Filesize: 27.0MB
- memory/2256-1-0x0000000002660000-0x0000000002663000-memory.dmp
  Filesize: 12KB
- memory/2256-2-0x0000000000400000-0x0000000001F00000-memory.dmp
  Filesize: 27.0MB
- memory/2256-5-0x0000000050000000-0x0000000050109000-memory.dmp
  Filesize: 1.0MB
- memory/2256-346-0x0000000000400000-0x0000000001F00000-memory.dmp
  Filesize: 27.0MB
- memory/2256-351-0x0000000002660000-0x0000000002663000-memory.dmp
  Filesize: 12KB
- memory/2256-352-0x0000000050000000-0x0000000050109000-memory.dmp
  Filesize: 1.0MB
- memory/2256-353-0x0000000000400000-0x0000000001F00000-memory.dmp
  Filesize: 27.0MB