fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
Size

508KB
MD5

38d29433e944ba129fa1457c564ddfaf
SHA1

77b33b7ad847ea6d1405c7909a2ce7bcba132f3d
SHA256

fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e
SHA512

08312449987c0fa3f5ac68fc0779763f6bc8932a5037d572d440a935ef037eddd8027000c41c2153fb146a4e5241b32e1bc44a80e3792a005023388d2529bf4b
SSDEEP

6144:vW0J07EHxsWKKCbrZXDbI33z5P/kjguInr39tAOLPvI1ILz:O4CWKKCrZTGF/k8uMxtxPvvz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1028	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tkjsidfsd	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1028	2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe	30
PID 2224 wrote to memory of 1028	2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe	30
PID 2224 wrote to memory of 1028	2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe	30
PID 2224 wrote to memory of 1028	2224	fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe	30

C:\Users\Admin\AppData\Local\Temp\fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe
"C:\Users\Admin\AppData\Local\Temp\fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\fc4773340ba2ae53e0b8e88ea9b84b7f749d8c205bb39478d266a5e3f254493e.exe"
  2⤵
  - Deletes itself
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tkjsidfsd

Filesize
48B

MD5
57607e13338947f3b8cfd2313007a5d5

SHA1
7d342df8a4c95b62b345f10245c98aa85e96a9d7

SHA256
11376cd62b04c22fd8ef61e677b1b4cd2a4e4a2b5249b379f2f4af90d55d363d

SHA512
2654d749227e46bbb3d93df630a7c81f9cda54b3e378d56c0af7d8317831e31a23c17e3ceb3ff1820eac3dd03a968c657e6d97ce7ce1c34c561c87968be54a07

Download Submit
C:\Windows\tkjsidfsd

Filesize
118B

MD5
84f44d213fdf9cf5848ed781b94a0e00

SHA1
8528e948e8fbb0171e6bf9d55f9a7356a12fb1f9

SHA256
93d8368c91697272d899be1a0f5ab34a172b8d98dc7381e610be02fbc46edc89

SHA512
f944bcc0a4a1d7f9c3594228e2c9caa15f5217e16352f797052f1c0969c0b4d5ce1b999b9657bc561fc03680417eda54be177668d5599f5aaf031d0bba26f172

Download Submit