6c3b6deb520c98c0efa7968bbec15cd1fb7a60c09f00503d025c97bc0116ca5e

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1b1a115d197506fe367806281b279dc6.exe
Size

703KB
MD5

1b1a115d197506fe367806281b279dc6
SHA1

6c920e35404e12a9b94fdf28d4b8dc692f843fa7
SHA256

6c3b6deb520c98c0efa7968bbec15cd1fb7a60c09f00503d025c97bc0116ca5e
SHA512

22e3b94ff360592625118f94c94df4d37080a0dbbc0f30e27578b6d0b237ac6c9a6bd3cc6a269c195a390320dbe35d1e4f4ef946c5c7847cd368ea07fcdc4aa3
SSDEEP

12288:JDs5xGSWm2AxYi87eTQeOfP6QF8F2Dy7P8F0jpX5zE9r0v1Mkcsf:e5dxTQpTf

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\NIC Drive = "C:\\Users\\Admin\\AppData\\Local\\Postman\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2680	1732	1b1a115d197506fe367806281b279dc6.exe	31
PID 1732 wrote to memory of 2680	1732	1b1a115d197506fe367806281b279dc6.exe	31
PID 1732 wrote to memory of 2680	1732	1b1a115d197506fe367806281b279dc6.exe	31
PID 1732 wrote to memory of 2680	1732	1b1a115d197506fe367806281b279dc6.exe	31
PID 1732 wrote to memory of 2708	1732	1b1a115d197506fe367806281b279dc6.exe	30
PID 1732 wrote to memory of 2708	1732	1b1a115d197506fe367806281b279dc6.exe	30
PID 1732 wrote to memory of 2708	1732	1b1a115d197506fe367806281b279dc6.exe	30

C:\Users\Admin\AppData\Local\Temp\1b1a115d197506fe367806281b279dc6.exe
"C:\Users\Admin\AppData\Local\Temp\1b1a115d197506fe367806281b279dc6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Postman\svchost.exe
  "C:\Users\Admin\AppData\Local\Postman\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2708
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Delegation-Visit.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Postman\svchost.exe

Filesize
184KB

MD5
c578ee4f05158761b90a020b7dc3a4fd

SHA1
8167bd66d6b413ca08e04dcc6d2072d8ab11fa55

SHA256
7902501e4e1e651774cd5e9e443e1f778214b412ed9b7d0db8df700fd4eb9d4f

SHA512
d2f23036ccc8a03770da765c1acdc3b9bfaf8cec16bb06bd61b78be5084830c76824fe0501d7008db43d560355c0ee34158dc8ae318e579932e5bf00ce5ebd68

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e64a38648e94e2049c166a64c9c27d3a

SHA1
e4cfcabf320b958b40c4762464e965c5bdd3f30d

SHA256
4e0b425fa7d03824386275439fcbba78786ba5bb3e60d9a8aa17d497a542d2af

SHA512
ed2cd75142a362dad037badbb1ba6dc11f84a9c4cdd0dedef87cce4c66090c763941802c1212513b6e5df4c09d6dce48d611bb253e963923f9671a40c8a30a8e

Download Submit
memory/1732-1-0x0000000001FF0000-0x0000000002070000-memory.dmp

Filesize
512KB

Download
memory/1732-0-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-8-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-9-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-11-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-10-0x0000000000BD0000-0x0000000000C50000-memory.dmp

Filesize
512KB

Download
memory/2708-31-0x0000000000BD0000-0x0000000000C50000-memory.dmp

Filesize
512KB

Download
memory/2708-30-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads