e57728e7835a8b1dd2ff8e81a1ae70c197e2d8db4c611646a64943f1ea7fb529

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

512386dfe5dcc2fc2573ed4ec5c20d03.exe
Size

532KB
MD5

512386dfe5dcc2fc2573ed4ec5c20d03
SHA1

2bf18ab9193d3fe787c09c1c3c8037f50aeff013
SHA256

e57728e7835a8b1dd2ff8e81a1ae70c197e2d8db4c611646a64943f1ea7fb529
SHA512

8b22ee2f9a5bbcd281357072b8b807d753a3b342abcd98c5d1e1569aa8d0fe5665e19727fb90a12353e4e59fd936b1df14faa2064ccf6693e6849e4bab429c24
SSDEEP

12288:B2UB3Id55z53Vo7lElz7PTuz0TF1Wa7BliCMmJY4ua:B2UNId5tjo7lEl/+2/WRCPua

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1096	512386dfe5dcc2fc2573ed4ec5c20d03.tmp

Loads dropped DLL 3 IoCs

pid	Process
3008	512386dfe5dcc2fc2573ed4ec5c20d03.exe
1096	512386dfe5dcc2fc2573ed4ec5c20d03.tmp
1096	512386dfe5dcc2fc2573ed4ec5c20d03.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1096	512386dfe5dcc2fc2573ed4ec5c20d03.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1096	3008	512386dfe5dcc2fc2573ed4ec5c20d03.exe	17
PID 3008 wrote to memory of 1096	3008	512386dfe5dcc2fc2573ed4ec5c20d03.exe	17
PID 3008 wrote to memory of 1096	3008	512386dfe5dcc2fc2573ed4ec5c20d03.exe	17
PID 3008 wrote to memory of 1096	3008	512386dfe5dcc2fc2573ed4ec5c20d03.exe	17
PID 3008 wrote to memory of 1096	3008	512386dfe5dcc2fc2573ed4ec5c20d03.exe	17
PID 3008 wrote to memory of 1096	3008	512386dfe5dcc2fc2573ed4ec5c20d03.exe	17
PID 3008 wrote to memory of 1096	3008	512386dfe5dcc2fc2573ed4ec5c20d03.exe	17

C:\Users\Admin\AppData\Local\Temp\512386dfe5dcc2fc2573ed4ec5c20d03.exe
"C:\Users\Admin\AppData\Local\Temp\512386dfe5dcc2fc2573ed4ec5c20d03.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\is-DM8O6.tmp\512386dfe5dcc2fc2573ed4ec5c20d03.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DM8O6.tmp\512386dfe5dcc2fc2573ed4ec5c20d03.tmp" /SL5="$50158,163328,163328,C:\Users\Admin\AppData\Local\Temp\512386dfe5dcc2fc2573ed4ec5c20d03.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1096-18-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1096-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3008-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download