c1a02b20ca174ac4fd90164adb8abf5770f66e2c278c02c161ecd3dc9ef968d7

Analysis

max time kernel
0s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

285e4d422534b954d4307ac54283d3ef.exe
Size

583KB
MD5

285e4d422534b954d4307ac54283d3ef
SHA1

d82cc2c9606b1693572aa451c9dbc8a44cbf126d
SHA256

c1a02b20ca174ac4fd90164adb8abf5770f66e2c278c02c161ecd3dc9ef968d7
SHA512

69efae686e04611e121a7182269d73595487c99d4b35ac0337ab6143efdafc9a738e07de256d279aae1e5e5b472767cd844f941ff310be0b85b10be18880039d
SSDEEP

12288:A67TS8P7q8lJ45iMMa80Yv9NBe7Io3Gmvk26c9dCa:f7T3TRJ4s1aY9UIoG6dCa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2936	C02.exe
3032	C41.exe
1728	System

Loads dropped DLL 4 IoCs

pid	Process
3020	285e4d422534b954d4307ac54283d3ef.exe
3020	285e4d422534b954d4307ac54283d3ef.exe
3020	285e4d422534b954d4307ac54283d3ef.exe
3020	285e4d422534b954d4307ac54283d3ef.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System	C02.exe
File opened for modification	C:\Windows\SysWOW64\System	C02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3032	C41.exe
3032	C41.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2936	3020	285e4d422534b954d4307ac54283d3ef.exe	18
PID 3020 wrote to memory of 2936	3020	285e4d422534b954d4307ac54283d3ef.exe	18
PID 3020 wrote to memory of 2936	3020	285e4d422534b954d4307ac54283d3ef.exe	18
PID 3020 wrote to memory of 2936	3020	285e4d422534b954d4307ac54283d3ef.exe	18
PID 3020 wrote to memory of 3032	3020	285e4d422534b954d4307ac54283d3ef.exe	17
PID 3020 wrote to memory of 3032	3020	285e4d422534b954d4307ac54283d3ef.exe	17
PID 3020 wrote to memory of 3032	3020	285e4d422534b954d4307ac54283d3ef.exe	17
PID 3020 wrote to memory of 3032	3020	285e4d422534b954d4307ac54283d3ef.exe	17

C:\Users\Admin\AppData\Local\Temp\285e4d422534b954d4307ac54283d3ef.exe
"C:\Users\Admin\AppData\Local\Temp\285e4d422534b954d4307ac54283d3ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\C41.exe
  "C:\Users\Admin\AppData\Local\Temp\C41.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\C02.exe
  "C:\Users\Admin\AppData\Local\Temp\C02.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2936

C:\Windows\SysWOW64\System
C:\Windows\SysWOW64\System
1⤵
- Executes dropped EXE
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\C02.exe

Filesize
33KB

MD5
ef9a227724c086590ee45b0c402ca5cb

SHA1
8e6b52899e77bdc87c5c6957f47dc40af0f99114

SHA256
ef8c2742f0ddf3ce2fde7520e881e319f568cea58c7905f81a8c338202a4f901

SHA512
be6b2b7bdff3c85f733d4454148e1169f0d45615d929e3d130021bfed56468ec02c14347e70fedf75c9e4b98544762ed119a742720dded1655735dc86251ae1a

Download Submit
memory/1728-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3020-18-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download