f662bea34a17022ed6148cf20ebb98b4e5c54b731371062ffc8d6c9620f8b492

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28/11/2023, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1f72853cbe4fe8c8609233ddce9fb7a.exe
Size

11.1MB
MD5

d1f72853cbe4fe8c8609233ddce9fb7a
SHA1

69b08bd8678ddc66b63ef7ff842dcd06057cd815
SHA256

f662bea34a17022ed6148cf20ebb98b4e5c54b731371062ffc8d6c9620f8b492
SHA512

1b1eba07777cf13b9cc9f1b03746e0b4086c553d94c9e67edb0576568dfab80d448307f9011d67d4d0e628640dc6fd23f8596c325b901fcf2704a352bf9484ee
SSDEEP

196608:lEdfrwaESY64H4oPqOtOvYFQfWo7Ozpj0vw72Yv1JpYt3rOs5BkJN5wwGjju8tIE:GFrHF4ZDwvYqfWoOzp32YPgbOzGfu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	BP1_WW2_64.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	d1f72853cbe4fe8c8609233ddce9fb7a.exe
2248	BP1_WW2_64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2248	3012	d1f72853cbe4fe8c8609233ddce9fb7a.exe	28
PID 3012 wrote to memory of 2248	3012	d1f72853cbe4fe8c8609233ddce9fb7a.exe	28
PID 3012 wrote to memory of 2248	3012	d1f72853cbe4fe8c8609233ddce9fb7a.exe	28

C:\Users\Admin\AppData\Local\Temp\d1f72853cbe4fe8c8609233ddce9fb7a.exe
"C:\Users\Admin\AppData\Local\Temp\d1f72853cbe4fe8c8609233ddce9fb7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\onefile_3012_133456151769924000\BP1_WW2_64.exe
  "C:\Users\Admin\AppData\Local\Temp\d1f72853cbe4fe8c8609233ddce9fb7a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_3012_133456151769924000\BP1_WW2_64.exe

Filesize
13.5MB

MD5
3557fcd1f962a92b9da41dfc3ee73ed6

SHA1
6798f056f572fa3c03c826a8dd358a9f4949c554

SHA256
235c714e05be2544ec08b99531ce27d9c263bd602312c201d268696a8626e73c

SHA512
445bb78dc3bc6f4b8c2f3a35ef067f2a4d50e97fbd6a98bb7c81facb18598a5d69331419233fd41aaf5c928f904c8c172db0984c8af7f4443f9205ccbd8e2550

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3012_133456151769924000\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_3012_133456151769924000\BP1_WW2_64.exe

Filesize
13.5MB

MD5
3557fcd1f962a92b9da41dfc3ee73ed6

SHA1
6798f056f572fa3c03c826a8dd358a9f4949c554

SHA256
235c714e05be2544ec08b99531ce27d9c263bd602312c201d268696a8626e73c

SHA512
445bb78dc3bc6f4b8c2f3a35ef067f2a4d50e97fbd6a98bb7c81facb18598a5d69331419233fd41aaf5c928f904c8c172db0984c8af7f4443f9205ccbd8e2550

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_3012_133456151769924000\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
memory/3012-0-0x000000013FA00000-0x0000000140F8C000-memory.dmp

Filesize
21.5MB

Download