Overview

overview

7

Static

static

3

3dbefb652f...0d.exe

windows7-x64

3

3dbefb652f...0d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 21:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3dbefb652fe72ff1db96deb50aa8090d.exe

  • Size

    123KB

  • MD5

    3dbefb652fe72ff1db96deb50aa8090d

  • SHA1

    4f824e8db198c4e46e5d1a47316dfd92d5b94366

  • SHA256

    cd185a5ee5c24cd9a733e975b4e257d1f74b927f344daaac80b21075c86ae766

  • SHA512

    7e688aeed6beedc5285e036edfdb0a38d5accaad551c8f045ea423245aeea88a0417f5784daf466b3896dc8fe51b607be96b18ebf1ac88095f751d7b67f14893

  • SSDEEP

    3072:Hq8f/oic1i9uTAlPQSDwEyWefHEvGdxETCpPJ:K8f/U1iF/sUGdxET

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dbefb652fe72ff1db96deb50aa8090d.exe
    "C:\Users\Admin\AppData\Local\Temp\3dbefb652fe72ff1db96deb50aa8090d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\lwhA417.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\3dbefb652fe72ff1db96deb50aa8090d.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\3dbefb652fe72ff1db96deb50aa8090d.exe"
        3⤵
        • Views/modifies file attributes
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\lwhA417.tmp.bat
    Filesize

    57B

    MD5

    fd647c2d492546ee0b16d1b2df53dbeb

    SHA1

    c9b65b3ce20af7f4ccbf420154e2af5cf981d970

    SHA256

    ae38c2205332310e813bab68dc0e858314537c78d36084c4db22e906d0c9b997

    SHA512

    63b7a4e91733cf267c54087133bac9cc469cb1262fc2697c8ae8c69cb737b7ad4ce62eba7ab46c013771f2776937a9694858871545489ccec62d08c36977e1f5

    Download Submit

  • memory/2140-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2140-16-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download