cfe701c32299a1a659abdfedd357926875310233e22b02eb59fb224c89fe4d8a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed4c76010c938c38ad503c552fcde97.exe
Size

134KB
MD5

1ed4c76010c938c38ad503c552fcde97
SHA1

ba6701add4a0cb103978a8877bff2dbdc2355e08
SHA256

cfe701c32299a1a659abdfedd357926875310233e22b02eb59fb224c89fe4d8a
SHA512

1ae624c7658af8536f1f1a115e05d08a10b9c2aa817f3dc6f39d716496f1848cdef3f502e6bbd70b5cfc4d5f4471a8271f6cd48df5fe7c8ed72cfd823d455575
SSDEEP

1536:8QTpallndzt8usk8Ih5t2d/r1h0HdUye8S3IHhgHKmmMaTKhJ1tujsk8nauWf7Sm:8QollZEpI52d/pKHdR7a+Q389jDU5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2204	MicroS0FT.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system_ylmy.exe	MicroS0FT.exe
File opened for modification	C:\Windows\SysWOW64\system_ylmy.exe	MicroS0FT.exe
File created	C:\Windows\SysWOW64\kill.bat	MicroS0FT.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\MicroS0FT.exe	1ed4c76010c938c38ad503c552fcde97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1056	1ed4c76010c938c38ad503c552fcde97.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2204	MicroS0FT.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2204	1056	1ed4c76010c938c38ad503c552fcde97.exe	30
PID 1056 wrote to memory of 2204	1056	1ed4c76010c938c38ad503c552fcde97.exe	30
PID 1056 wrote to memory of 2204	1056	1ed4c76010c938c38ad503c552fcde97.exe	30
PID 1056 wrote to memory of 2204	1056	1ed4c76010c938c38ad503c552fcde97.exe	30
PID 2204 wrote to memory of 2420	2204	MicroS0FT.exe	29
PID 2204 wrote to memory of 2420	2204	MicroS0FT.exe	29
PID 2204 wrote to memory of 2420	2204	MicroS0FT.exe	29
PID 2204 wrote to memory of 2420	2204	MicroS0FT.exe	29

C:\Users\Admin\AppData\Local\Temp\1ed4c76010c938c38ad503c552fcde97.exe
"C:\Users\Admin\AppData\Local\Temp\1ed4c76010c938c38ad503c552fcde97.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\MicroS0FT.exe
  "C:\Windows\MicroS0FT.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\system32\kill.bat""
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MicroS0FT.exe

Filesize
87KB

MD5
cc84c26d487670f7d7066da145a274c0

SHA1
df266cbe2cb56925d8ea495d5846290bbc021caf

SHA256
b9f11225cd17196d6b232c303379c0ae417b17d70d4305a3f3cf2913606d07a1

SHA512
c8e96c76e40ddd45730f7b11281ded0568c79d805ab86b3d7ce3301c0d33fcbd817e922c33c13999bafcf0eb98492022bff366ddb18ebad5180fa1fbefbac095

Download Submit
C:\Windows\MicroS0FT.exe

Filesize
18KB

MD5
023edae4e68f376868459883a869a5ba

SHA1
24541b91be8c861c0eee68f7df09e3e5e37ec1d8

SHA256
bacc5f7d63aeae2a085e2336f75389c064fb982e9d81ecf938ab99169e19052e

SHA512
2bf69275e1f3edd2a834ad43622110aec0d78349947d246d556fce7a64d4d0bbf389ab9cab47ea789bf04e88f2c784062ee934a25b1ac4d45ad7a81dd7b97e8e

Download Submit