46e327ef571621d208eb6c7e75b9a86a52f9ad1bbeec4def3ac237cea99669fb

Analysis

max time kernel
0s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup/setup.exe
Size

179KB
MD5

6ddded15285511c16509c6e80a484ad7
SHA1

f303fcc8953442a29005a416caabcb3b55702358
SHA256

bbac72ffdc821156d5528a509bb3280927aa569fd96f423ea2c9f74938c65ce4
SHA512

7166140b2f3064738c3141238bd7be344ab64843f6730706ee2f5c3c8d016c94a6741c353a1d5827afa229952640cdb8b70d253f0c769e095507d4a3ef5dec6d
SSDEEP

3072:SBAp5XhKpN4eOyVTGfhEClj8jTk+0hcAmpIw:hbXE9OiTGfhEClq9pAmpp

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\kroka.txt	setup.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat	setup.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs	setup.exe
File opened for modification	C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2820	2288	setup.exe	20
PID 2288 wrote to memory of 2820	2288	setup.exe	20
PID 2288 wrote to memory of 2820	2288	setup.exe	20
PID 2288 wrote to memory of 2820	2288	setup.exe	20

C:\Users\Admin\AppData\Local\Temp\setup\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup\setup.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs"
  2⤵
  PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat" "
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat

Filesize
2KB

MD5
f83b04f2d66c26e5ce861d1e7cf9a3b5

SHA1
fbcf00829ea06c86bfc890856dac845fe68d9620

SHA256
4e7361346a20b26a34b7378aa421f3769ab791cd2833c89e205889ed28b58cb1

SHA512
f36acd70974fb2a2ce007ab7e392e9a8dc7e2c6e51fe9d7128b11a5d3ceafa46063d62fb933f750d05d9fe05764ef35eb04de858edee2298ca8f3632b1648501

Download Submit
C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs

Filesize
547B

MD5
059397201825d57ffe88e2491afe7f70

SHA1
4354029ba2d0754d3d9814f19b6a068dfdc14517

SHA256
6ba99f4b0352f963b5ba83966008c42dd0c7d68ac7df48da14a44475bd956673

SHA512
908bfed0292d3f730ccdaeecd90818bf10fb106bc6538c859bfd7697da951a52a93e77e8d9619ef2e6a6da4e7263af6e3c15ffde2b66fd8ee3f1da046408096d

Download Submit
C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs

Filesize
383B

MD5
1ba8010b9498eff960097cfad0f56b87

SHA1
3c1bfbcd661fdf6ad43594799861c25ac2933cba

SHA256
1680e664717f8f0e4bd25e52ee2e45518584acddc0f9e9e33fc9e7aa20a93210

SHA512
b87b11a3d8f6f3c0ed039f1b1a992aaa0b69eb11455febad5c2d22b6cb0f86535e50d72b04418e7f0f92e568b0e1996d4b25927f2a20dc437d1c68e67137615a

Download Submit
memory/2288-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download