d94e3a642efb639edc26ab38e245071b21a37e22e7deb4c640922c904d120e79

Analysis

max time kernel
119s
max time network
136s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ae5736190f0c7dabd1817050402da0.exe
Size

92KB
MD5

74ae5736190f0c7dabd1817050402da0
SHA1

72d09f73fce069811d8e4216da72f59efc95d7a0
SHA256

d94e3a642efb639edc26ab38e245071b21a37e22e7deb4c640922c904d120e79
SHA512

ce42ea663ab49b4c6d95646652e1cf426ef998dee18db4c7db4e745dfdebbbec61341a11ca8509173b21a70e2f50974e96fd378b82ee8626a2417e9d02556a4f
SSDEEP

1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfzxy4OV:fq6+ouCpk2mpcWJ0r+QNTBfzM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2264	2344	74ae5736190f0c7dabd1817050402da0.exe	28
PID 2344 wrote to memory of 2264	2344	74ae5736190f0c7dabd1817050402da0.exe	28
PID 2344 wrote to memory of 2264	2344	74ae5736190f0c7dabd1817050402da0.exe	28
PID 2344 wrote to memory of 2264	2344	74ae5736190f0c7dabd1817050402da0.exe	28
PID 2264 wrote to memory of 2700	2264	cmd.exe	30
PID 2264 wrote to memory of 2700	2264	cmd.exe	30
PID 2264 wrote to memory of 2700	2264	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\74ae5736190f0c7dabd1817050402da0.exe
"C:\Users\Admin\AppData\Local\Temp\74ae5736190f0c7dabd1817050402da0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5283.tmp\5284.tmp\5285.bat C:\Users\Admin\AppData\Local\Temp\74ae5736190f0c7dabd1817050402da0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\system32\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\hid.sed
    3⤵
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5283.tmp\5284.tmp\5285.bat

Filesize
1KB

MD5
da9a8db30b2193eb306fd377ddc09822

SHA1
2b14a8683d1faca6bd607d0ae398cb95c36ab6f5

SHA256
9a36afba88e927c8bb2a67791db72d7575c9b89639e7b5e265b49b965d1fa34f

SHA512
2055ae22207643f89e211db4272a7c8ef559535f8c5566098cceb0f05eaddf1f0a9e93f94b38885e10b715abae17ae33855b8dbbcc19a3c3db9aecda51ca5cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hid.sed

Filesize
92KB

MD5
d463241307854afeab478d3167b2f418

SHA1
f88e0dcd3af8c83c73669f1304a087c35546ca14

SHA256
12229d7fd3880c86f84c8bdbbd9afcbe06562e9a43e5888beddb84f843f78bb2

SHA512
f9fbba5414efda8888772e69e4951d5942ed3d0e3f1b4edcd6d08f335d5e76e89731edd506f19878f1e91407601d1abe172a05958aa8d0e5619a8b2d0537ed18

Download Submit