dc1892a25986f487d241f6334319606bd0d3c8fc0ea42a296b968438f43b211a

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76fc61e82ae294cf2641dd0f7c11e5fd.exe
Size

136KB
MD5

76fc61e82ae294cf2641dd0f7c11e5fd
SHA1

ec36b298896db3b288deeb08927b65981f1ead22
SHA256

dc1892a25986f487d241f6334319606bd0d3c8fc0ea42a296b968438f43b211a
SHA512

fb98c7abab3890ec30dc22afb48be9977b694d79248d804d359f680caa543c0e9e1f4eb4cf9c4dec17cec32fce12fbc57611d6929569abffbe20e0b3e4d83037
SSDEEP

3072:5gJ7HQ8C3md93BUVWECe30jXluFJ9xmdZTN/II8:iVHIAkVw6JzmPNE

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wuauclt32.dll	76fc61e82ae294cf2641dd0f7c11e5fd.exe
File created	C:\Windows\SysWOW64\script.txt	76fc61e82ae294cf2641dd0f7c11e5fd.exe
File created	C:\Windows\SysWOW64\windlogon.exe	76fc61e82ae294cf2641dd0f7c11e5fd.exe
File created	C:\Windows\SysWOW64\installer.exe	76fc61e82ae294cf2641dd0f7c11e5fd.exe
File created	C:\Windows\SysWOW64\wmob.exe	76fc61e82ae294cf2641dd0f7c11e5fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2264	2056	76fc61e82ae294cf2641dd0f7c11e5fd.exe	28
PID 2056 wrote to memory of 2264	2056	76fc61e82ae294cf2641dd0f7c11e5fd.exe	28
PID 2056 wrote to memory of 2264	2056	76fc61e82ae294cf2641dd0f7c11e5fd.exe	28
PID 2056 wrote to memory of 2264	2056	76fc61e82ae294cf2641dd0f7c11e5fd.exe	28
PID 2056 wrote to memory of 2264	2056	76fc61e82ae294cf2641dd0f7c11e5fd.exe	28
PID 2056 wrote to memory of 2264	2056	76fc61e82ae294cf2641dd0f7c11e5fd.exe	28
PID 2056 wrote to memory of 2264	2056	76fc61e82ae294cf2641dd0f7c11e5fd.exe	28

C:\Users\Admin\AppData\Local\Temp\76fc61e82ae294cf2641dd0f7c11e5fd.exe
"C:\Users\Admin\AppData\Local\Temp\76fc61e82ae294cf2641dd0f7c11e5fd.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe wuauclt32.dll, network
  2⤵
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download