f01c57910b3f196a6fa66a3948e850eaedf666033bbd39e2066bbf85b58cb208

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 05:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57a846d470e9e81a7dbbe2645d42bd95.exe
Size

63KB
MD5

57a846d470e9e81a7dbbe2645d42bd95
SHA1

55a0a021ef871357ce89d84df2ecf2e7f88ca4dc
SHA256

f01c57910b3f196a6fa66a3948e850eaedf666033bbd39e2066bbf85b58cb208
SHA512

154926c85a778b7cbe586614ea7e5c9b9ad544428c393f72be33b996bf19c6ada3ccbf1df18d2ac78500a2d0b4d4d154e819cb6afc7ea39c192719f8941ebf7a
SSDEEP

1536:tJuYKwU/vWsEXE0I/ipOpVQXilhf9rqdee:2YxUGffI/cFQt9ece

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1812	57a846d470e9e81a7dbbe2645d42bd95.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3056	1812	57a846d470e9e81a7dbbe2645d42bd95.exe	28
PID 1812 wrote to memory of 3056	1812	57a846d470e9e81a7dbbe2645d42bd95.exe	28
PID 1812 wrote to memory of 3056	1812	57a846d470e9e81a7dbbe2645d42bd95.exe	28
PID 1812 wrote to memory of 3056	1812	57a846d470e9e81a7dbbe2645d42bd95.exe	28

C:\Users\Admin\AppData\Local\Temp\57a846d470e9e81a7dbbe2645d42bd95.exe
"C:\Users\Admin\AppData\Local\Temp\57a846d470e9e81a7dbbe2645d42bd95.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Xtj..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xtj..bat

Filesize
210B

MD5
13dc013c0305db9494c7f3694559852d

SHA1
7a3d45e83cbe3e3339f97a9ccf1856d365edd8b4

SHA256
4c3d82a49f93dff012b8c6e619e169581b2cefe8ce9fd34cbf6ba7e46407e7e8

SHA512
6d77ea5783c188f2e6edd4006120e6e42d08a9fcd6e0d7a8724d34460da74be529b72317a86d680b8d09643d34ab893eca39b4dfb707b5e8f2add6bdb6f3ab6c

Download Submit
memory/1812-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1812-1-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1812-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1812-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1812-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1812-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1812-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download