Analysis

  • max time kernel
    0s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 12:34

General

  • Target

    6eeb43d7e008c44d2f6d31be275896aa.exe

  • Size

    899KB

  • MD5

    6eeb43d7e008c44d2f6d31be275896aa

  • SHA1

    483f200a03bc617a7ea61fde0b27c68c42fcd7f1

  • SHA256

    ac3c074be273e24c60ea9764fe6caaff39ed830addcc82005876bca7cd26112d

  • SHA512

    d8d344eb34b6ab9808bf7a0447f5822ded9c2b977b2aa713e2aaef1691f93a282e176c00bc104e0fd14db30f96c30dbfa3b3c59cfa507ef8f6977d27c4ea7292

  • SSDEEP

    12288:7aWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8JUJL4KVNa9aGjo5k9ul:OaHMv6CorjqnyC8JUJLdIaGjou9ul

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6eeb43d7e008c44d2f6d31be275896aa.exe
    "C:\Users\Admin\AppData\Local\Temp\6eeb43d7e008c44d2f6d31be275896aa.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2252
    • C:\Windows\SysWOW64\csrcs.exe
      "C:\Windows\SysWOW64\csrcs.exe"
      2⤵
        PID:2160

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\csrcs.exe

      Filesize

      382KB

      MD5

      fc9978b74bbf1355f78fd1d346f649fe

      SHA1

      8da27a9817b665000b11db2be80a79d7bf452e69

      SHA256

      45b4001c4a7ab261d2eba6ecfea32069b64c7b1ef0092c2463d2c6f04390a661

      SHA512

      69e862c82448799184a2e928cede61ddce2e9379ab065e31aa9cc003c7a5a45047f9f0fe65a90c3e443947e0b990c6faefbac4e43379ff218875e530ab6f03e6

    • \Windows\SysWOW64\csrcs.exe

      Filesize

      386KB

      MD5

      63d7deaa53e0fa3dfd66408d6db11d15

      SHA1

      338de3e6c81b48c2c2e56491d91c6b017fa88e4f

      SHA256

      2158c18d4645dde49663cd54b42a080e633accc58fc2e08770f1235bf375299a

      SHA512

      1b67aae9bfb7b94a48fe3b5051d537a95283d19cf78d8e9c7114b7634a5f692804a3bf187142620f010e13d4f75c2fa96609d909ce361cc86d9f7cb766b35910

    • \Windows\SysWOW64\csrcs.exe

      Filesize

      94KB

      MD5

      ffd4b7886dc873c30c8df9d5defeed93

      SHA1

      6184b89ea24259cb3758d2c3515e31db8a5ec98d

      SHA256

      c2bd0fa70dc583e140b50eca33953b49d4345e9d51098148e85edf14ccc947c2

      SHA512

      94a528d18f87736498c45bb5fcff3cf14b84bdcdae366115ca84d7c3ea217c0159afcc9de15b82d736a51caef1548d7d27a40120529f6c712e91076faf8700d5

    • \Windows\SysWOW64\csrcs.exe

      Filesize

      92KB

      MD5

      4ae02a963d53aa75d911c5d09f60b2ab

      SHA1

      a6148128b967c3cbfdbe0afd654568a2912241db

      SHA256

      f3fb0e53a42cd08b2a8e05370cb67bd586c098059378eccd8b208f50f17a5e13

      SHA512

      b35f3bb2215002ce90f2ea81771a206343cceb7c4d9b3c62617d3bd6fd02903a4abf13d66e7cd4d9ba8f4cad6813d572b62244c7b419075778dc245dcdda83ec

    • memory/2252-0-0x0000000000400000-0x00000000004C8000-memory.dmp

      Filesize

      800KB