84d4c0a0dc85b3fda3056a23bf3cf007e7d14f7676f26a3251a71ec71df87a2c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aa17542acdc1e76b4e2b9491b12bb95.exe
Size

2.7MB
MD5

0aa17542acdc1e76b4e2b9491b12bb95
SHA1

7d4a24876e189beaa7aff0e87dfe43309fd8d23f
SHA256

84d4c0a0dc85b3fda3056a23bf3cf007e7d14f7676f26a3251a71ec71df87a2c
SHA512

d4b5c94eb46c22a3e2155f289e04c238dcc6da25e8270f3fb1bf6142a1b1dbf2220431caba613af523ab7e2cfe82d545389548b9f85205e061ecf325234cb8ef
SSDEEP

49152:bFbz2QXIDgdSsB7F21DpbbBR6KNSoYkrnHWVoFhu1XGgXs4bx0lUZc:bFP2QXIMh3oph0K+kLWoFhu1Wg84beUm

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2808	1792	0aa17542acdc1e76b4e2b9491b12bb95.exe	28
PID 1792 wrote to memory of 2808	1792	0aa17542acdc1e76b4e2b9491b12bb95.exe	28
PID 1792 wrote to memory of 2808	1792	0aa17542acdc1e76b4e2b9491b12bb95.exe	28
PID 1792 wrote to memory of 2808	1792	0aa17542acdc1e76b4e2b9491b12bb95.exe	28
PID 1792 wrote to memory of 2808	1792	0aa17542acdc1e76b4e2b9491b12bb95.exe	28
PID 1792 wrote to memory of 2808	1792	0aa17542acdc1e76b4e2b9491b12bb95.exe	28
PID 1792 wrote to memory of 2808	1792	0aa17542acdc1e76b4e2b9491b12bb95.exe	28
PID 2808 wrote to memory of 2572	2808	cmd.exe	30
PID 2808 wrote to memory of 2572	2808	cmd.exe	30
PID 2808 wrote to memory of 2572	2808	cmd.exe	30
PID 2808 wrote to memory of 2572	2808	cmd.exe	30
PID 2808 wrote to memory of 2572	2808	cmd.exe	30
PID 2808 wrote to memory of 2572	2808	cmd.exe	30
PID 2808 wrote to memory of 2572	2808	cmd.exe	30
PID 2808 wrote to memory of 2296	2808	cmd.exe	31
PID 2808 wrote to memory of 2296	2808	cmd.exe	31
PID 2808 wrote to memory of 2296	2808	cmd.exe	31
PID 2808 wrote to memory of 2296	2808	cmd.exe	31
PID 2808 wrote to memory of 2296	2808	cmd.exe	31
PID 2808 wrote to memory of 2296	2808	cmd.exe	31
PID 2808 wrote to memory of 2296	2808	cmd.exe	31
PID 2808 wrote to memory of 2692	2808	cmd.exe	32
PID 2808 wrote to memory of 2692	2808	cmd.exe	32
PID 2808 wrote to memory of 2692	2808	cmd.exe	32
PID 2808 wrote to memory of 2692	2808	cmd.exe	32
PID 2808 wrote to memory of 2692	2808	cmd.exe	32
PID 2808 wrote to memory of 2692	2808	cmd.exe	32
PID 2808 wrote to memory of 2692	2808	cmd.exe	32
PID 2808 wrote to memory of 2728	2808	cmd.exe	33
PID 2808 wrote to memory of 2728	2808	cmd.exe	33
PID 2808 wrote to memory of 2728	2808	cmd.exe	33
PID 2808 wrote to memory of 2728	2808	cmd.exe	33
PID 2808 wrote to memory of 2728	2808	cmd.exe	33
PID 2808 wrote to memory of 2728	2808	cmd.exe	33
PID 2808 wrote to memory of 2728	2808	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\0aa17542acdc1e76b4e2b9491b12bb95.exe
"C:\Users\Admin\AppData\Local\Temp\0aa17542acdc1e76b4e2b9491b12bb95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\_ejecutame.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/b/s c:\tlmp\g0.pf 2>nul
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/b/s f:\tlmp\g0.pf 2>nul
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/b/s c:\tlmp\g0.pf 2>nul
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir/b/s f:\tlmp\g0.pf 2>nul
    3⤵
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\_ejecutame.bat

Filesize
3KB

MD5
003462ada14f46566e014e87e7248b4b

SHA1
0f7e40c57d8d6f1923b828dc8459b464a361e622

SHA256
9be0740333aace4aceb1a6f84c78468affd6889c9d61bd428d34db26e80c8fd5

SHA512
6463a000d2f6f1fe8b609cc1f83b724a5fce4d5016bcd3b79660cf32c37c62c845c2125597c02f95c49fdcefe1d3ca486e0def46efbdbe74c0d88bf1481e72ba

Download Submit