5f9ae9be564f5375edd037c7a8b3e5f8eaf77e0bfc317671d7c8e23d98751752

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69852803398ab7bbf2c427f9465aecc3.exe
Size

223KB
MD5

69852803398ab7bbf2c427f9465aecc3
SHA1

1457434e5a9a5e289e05ed63b8c6462cf7745ec3
SHA256

5f9ae9be564f5375edd037c7a8b3e5f8eaf77e0bfc317671d7c8e23d98751752
SHA512

4cfa83e6e11cfbe2216f250103b06665a38bf6305184cd0a9c66f369d142c213d66f24dbe56f61fb681c251c108540788500a733a9485881f7daca2d20719ca3
SSDEEP

6144:j+D+fiUq6hcMEx3yzqqDLuvqqDLuiqqDLulqqDLuXqqDLuEYOJZQ1iyxJu:j+D+fjh/MyuqnuyqnuXqnuIqnu6qnu2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2748	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2608	1984	69852803398ab7bbf2c427f9465aecc3.exe	29
PID 1984 wrote to memory of 2608	1984	69852803398ab7bbf2c427f9465aecc3.exe	29
PID 1984 wrote to memory of 2608	1984	69852803398ab7bbf2c427f9465aecc3.exe	29
PID 1984 wrote to memory of 2608	1984	69852803398ab7bbf2c427f9465aecc3.exe	29
PID 2608 wrote to memory of 2748	2608	cmd.exe	31
PID 2608 wrote to memory of 2748	2608	cmd.exe	31
PID 2608 wrote to memory of 2748	2608	cmd.exe	31
PID 2608 wrote to memory of 2748	2608	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\69852803398ab7bbf2c427f9465aecc3.exe
"C:\Users\Admin\AppData\Local\Temp\69852803398ab7bbf2c427f9465aecc3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\LocalLow\ntr\temp.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 localhost
    3⤵
    - Runs ping.exe
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\ntr\exe.log

Filesize
12KB

MD5
8d2791d1487a78ed2cce0c0122d31587

SHA1
cba58842bb711bc0b0052055ee17761de8dea155

SHA256
9e07b4acdb6789ba723f398a1d98b689db498bb9902ca8c8cee86b537636809e

SHA512
0579160e998fec3e72f920e9bdc1ec72476b08d772987e58e1036c77ce4685003b279463aba9419b3382d14e385ef0cef0fcb17bc6cb653ca932e9163d926799

Download Submit
C:\Users\Admin\AppData\LocalLow\ntr\temp.bat

Filesize
276B

MD5
2f40e696bbe94e5f21dc21fecf5e8de6

SHA1
1854de261167bbdad59ab2f504ccc5d308cc1660

SHA256
a204932ba96237bb94508713d407be6ae7af97fdd5ee0cc799edf8cf1110ff9a

SHA512
8f6ebaa9bed043e76ff69dd28fcdad2c99cead4565b1fb54e2d1577feac7fe9c4bf8f9b7eb629f90cd8ec79fa1f5f604b8ad0e993860f11ad9f25c1a88a44890

Download Submit