d6d97a4a19015d55a94ba6921b03b610ea6a9977f4eb2cd1604bb9a932493070

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34e090d2f45d5d5350ad2a3d4510f2cf.exe
Size

2.6MB
MD5

34e090d2f45d5d5350ad2a3d4510f2cf
SHA1

084aee2cc38b933a990d357c61a9a36115ce2523
SHA256

d6d97a4a19015d55a94ba6921b03b610ea6a9977f4eb2cd1604bb9a932493070
SHA512

8a2b738348e59298e69e44c4e416449808552b2a8629f75343c66b6ee88db86ee47f8137f7b8338b4c3e9389e690d5d844c676899843cfa32871e9b919a8f4a8
SSDEEP

49152:jbA3tJUHXHix9VYcwzNVjc0QJvalZwQyIXM/SWn/a+vYBerxNVDEh0DjG7zC6Fp:jbFHXCxTqNVjc0kSlGKcq4BvTxYiD6nr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	Tarea.exe

Loads dropped DLL 1 IoCs

pid	Process
1424	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2404	Tarea.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1424	2156	34e090d2f45d5d5350ad2a3d4510f2cf.exe	26
PID 2156 wrote to memory of 1424	2156	34e090d2f45d5d5350ad2a3d4510f2cf.exe	26
PID 2156 wrote to memory of 1424	2156	34e090d2f45d5d5350ad2a3d4510f2cf.exe	26
PID 2156 wrote to memory of 1424	2156	34e090d2f45d5d5350ad2a3d4510f2cf.exe	26
PID 1424 wrote to memory of 2404	1424	cmd.exe	24
PID 1424 wrote to memory of 2404	1424	cmd.exe	24
PID 1424 wrote to memory of 2404	1424	cmd.exe	24
PID 1424 wrote to memory of 2404	1424	cmd.exe	24

C:\Users\Admin\AppData\Local\Temp\34e090d2f45d5d5350ad2a3d4510f2cf.exe
"C:\Users\Admin\AppData\Local\Temp\34e090d2f45d5d5350ad2a3d4510f2cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\batch.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1424

C:\Users\Admin\AppData\Local\Temp\Tarea.exe
Tarea.exe -p3bfpqJX7$Pg -dC:\Users\Admin\AppData\Local\Temp
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tarea.exe

Filesize
93KB

MD5
1b36dcb5edbeb67939f8da1416847ad4

SHA1
cdd9cfec3f816ac04170e75caf11be1af359dd8e

SHA256
ba8907a33e7311b0d617c26346bb0724f55025c49d5cb6fc229f493defeaff27

SHA512
6ec188c8df07a71c1943e25e59864a6102041cb5942e7625890a3df535d92c31ea27f455dde82533ab2bf76d9e7f9273f95774f14f7a1c08d37104ad6ae369c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tarea.exe

Filesize
381KB

MD5
0795137eba6f7329398b8f5cc6ceb769

SHA1
1a34a5e156c1d0457338a80a558e53f3beae217b

SHA256
a25d249fe60276b49a3b60c88d624f816492d32b39a2f300250b038027d0794b

SHA512
8d07e788c4c0453b8ab3313101cd1de5907e14ff73a8edfbb141450ce9a1187d6fc5a363b2c48ca97dcdf95e5ffbe21430b0cbed05789b997671fe92c4820da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\batch.bat

Filesize
33B

MD5
d64463a8b1af003015ab95013f3332b5

SHA1
d5b796424826ef662c9f28c3ac066033d9f8f2b9

SHA256
a826e1dd89e8d9e2ef342e117ee3c59a78f762f60c675946cfb8cf3b45939dd9

SHA512
d33959a6b062ee53e8228e7f16a01410b8df0218be05ea669f9c15b7e7ef732aaaafb351d779ba8e4072903b2143cbc2393ed6755e83581eeef148fee8876cbb

Download Submit