044a7ab33d02daa94d52789de3c10195f619c4f63df289e0301033c3847ba10c

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 13:10

Target

7124a58af5e94cb441bbd28cc798477a.exe
Size

44KB
MD5

7124a58af5e94cb441bbd28cc798477a
SHA1

10d2b874e556d12af77cdf89280da431161add66
SHA256

044a7ab33d02daa94d52789de3c10195f619c4f63df289e0301033c3847ba10c
SHA512

ad354c48642f21a04189d6431da1e7e8c9a9056b7de73ec3d8df49814ed9e031fa8c8bcf2c61d3139625dd9a865d381ef691f6583093f78251882f835d44480f
SSDEEP

384:yntoj50nHvklnCahaMaFUX6/IAh///18JfTuDGvq8JU3uohFhOYza4ICA4yfLPfE:ueimnCaTgSUTyJfpyj+EzBzR9A4yfUB

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2404	ctfmon.exe

Loads dropped DLL 1 IoCs

pid	Process
1648	7124a58af5e94cb441bbd28cc798477a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ctfmon.exe	7124a58af5e94cb441bbd28cc798477a.exe
File opened for modification	C:\Windows\ctfmon.exe	7124a58af5e94cb441bbd28cc798477a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1648	7124a58af5e94cb441bbd28cc798477a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2404	1648	7124a58af5e94cb441bbd28cc798477a.exe	28
PID 1648 wrote to memory of 2404	1648	7124a58af5e94cb441bbd28cc798477a.exe	28
PID 1648 wrote to memory of 2404	1648	7124a58af5e94cb441bbd28cc798477a.exe	28
PID 1648 wrote to memory of 2404	1648	7124a58af5e94cb441bbd28cc798477a.exe	28

C:\Users\Admin\AppData\Local\Temp\7124a58af5e94cb441bbd28cc798477a.exe
"C:\Users\Admin\AppData\Local\Temp\7124a58af5e94cb441bbd28cc798477a.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\ctfmon.exe
  "C:\Windows\ctfmon.exe"
  2⤵
  - Executes dropped EXE
  PID:2404

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\ctfmon.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\Temp\359411176.dll

Filesize
23KB

MD5
ad7396d7c2eb340d189ce0bcfe689837

SHA1
1ae6fd993ee582baed8a219b2ff606f5c1d055cd

SHA256
691fd566ab054a217ad43b3f66f2de6e6aed4af688d1f75d0c14f63e2381c07c

SHA512
e74f52f6bfee91f65c012dba79f70b91a4e3aefa76eb3b8708c2e4eca3e72422cef736c1af26e3c3861a6e235eabfce5c0c4900e0cd1cb164947de4e9e7ce93e

Download Submit