e16ce6507b662a8ac4b9713aa133012082521732f9ec00e371c115093e19879c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3271f09d4f0bf9b222274a5c8dab1ba4.exe
Size

8KB
MD5

3271f09d4f0bf9b222274a5c8dab1ba4
SHA1

309e85966ad9d59633a72d96447688d42fb6c385
SHA256

e16ce6507b662a8ac4b9713aa133012082521732f9ec00e371c115093e19879c
SHA512

841c96641dafb62eff0b70a45a5ca0270dee02b92e8c1be8c8f682f5e3ba873367661a8e7269b6c3a6976c4360cfbcfa64ef5a89efee1c3f20b1f1f4143a81ae
SSDEEP

96:3jrxEyFlnpkGd3aabLXKWxM/paKEiYzusDuAkPLiUmeFKOeO9XWLOb2D0gcK:3R5Fhp8cdwpHR3AkPLiM79mLU2PcK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2992	2752	3271f09d4f0bf9b222274a5c8dab1ba4.exe	17
PID 2752 wrote to memory of 2992	2752	3271f09d4f0bf9b222274a5c8dab1ba4.exe	17
PID 2752 wrote to memory of 2992	2752	3271f09d4f0bf9b222274a5c8dab1ba4.exe	17
PID 2752 wrote to memory of 2992	2752	3271f09d4f0bf9b222274a5c8dab1ba4.exe	17
PID 2752 wrote to memory of 2264	2752	3271f09d4f0bf9b222274a5c8dab1ba4.exe	16
PID 2752 wrote to memory of 2264	2752	3271f09d4f0bf9b222274a5c8dab1ba4.exe	16
PID 2752 wrote to memory of 2264	2752	3271f09d4f0bf9b222274a5c8dab1ba4.exe	16
PID 2752 wrote to memory of 2264	2752	3271f09d4f0bf9b222274a5c8dab1ba4.exe	16

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
1⤵
- Deletes itself
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\82B.tmp\batfile.bat" "
1⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\3271f09d4f0bf9b222274a5c8dab1ba4.exe
"C:\Users\Admin\AppData\Local\Temp\3271f09d4f0bf9b222274a5c8dab1ba4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82B.tmp\batfile.bat

Filesize
25B

MD5
569d2ee50bd6d34f5b67ab34bb9c4f56

SHA1
cbc525667c35a0ed2a844fc224515257ff3c9248

SHA256
233fb4d6f1903aaea7b04c0593d89e765532e7ea0d20adb897082f8c7fdd5fd9

SHA512
3dfae3c4bfa40f394d406207825962ca159e7a11cd245c6b70b485512e748846437045d6e0ffe7af91ff8cc27459707bd830ee680603257ab19d60093823ba34

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
169B

MD5
28271b2570b8f11d4bc4ac2ea97d647f

SHA1
32e9aee633f2212c27aca9acc41da05a13e962ef

SHA256
9836f0464be4f3147cb6010ecc71eaa592a4c1dd39f55c7481d9296bf6105fc9

SHA512
26405fac38636745cfa0b11e090b97986879cb6fec0ab5cfbb69a557ab36b341c786aca7cc5720d5931999d6adaa93f86a53287bc80d3d7c4e038657e7390c00

Download Submit
memory/2752-1-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2752-24-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download