9a158e093959105e381fe82ace28d4b85a67334395aabb85ad1bf3cd3b2dcf26

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05d27d3b8ef3f0e6b720b48a4ac95197.exe
Size

60KB
MD5

05d27d3b8ef3f0e6b720b48a4ac95197
SHA1

1cd1bf3183db924a4199329411009ce7d008a4b8
SHA256

9a158e093959105e381fe82ace28d4b85a67334395aabb85ad1bf3cd3b2dcf26
SHA512

a3d23dc1835cb46cb84cf7b6541da919a1a70b93fb2395404a34a8ee90302c27728ef3bbcd749a879f484e302ecedd350a9afe006ac74212766db94376be4d77
SSDEEP

768:dMVOQl0KWwJ917vmdox7CflsQSsgUV9d+6DAOESj6Zz6ZjkfZa8g0FO:iqK9JWdox7C9sQ59d1EOERO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	agetlkeyls.exe

Loads dropped DLL 2 IoCs

pid	Process
2276	05d27d3b8ef3f0e6b720b48a4ac95197.exe
2276	05d27d3b8ef3f0e6b720b48a4ac95197.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\psapi.lib	05d27d3b8ef3f0e6b720b48a4ac95197.exe
File created	C:\Windows\SysWOW64\agetlkeyls.exe	05d27d3b8ef3f0e6b720b48a4ac95197.exe
File opened for modification	C:\Windows\SysWOW64\agetlkeyls.exe	05d27d3b8ef3f0e6b720b48a4ac95197.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	agetlkeyls.exe
File created	C:\Windows\SysWOW64\psapi.lib	agetlkeyls.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	05d27d3b8ef3f0e6b720b48a4ac95197.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2276	05d27d3b8ef3f0e6b720b48a4ac95197.exe
2276	05d27d3b8ef3f0e6b720b48a4ac95197.exe
2756	agetlkeyls.exe
2756	agetlkeyls.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2756	2276	05d27d3b8ef3f0e6b720b48a4ac95197.exe	28
PID 2276 wrote to memory of 2756	2276	05d27d3b8ef3f0e6b720b48a4ac95197.exe	28
PID 2276 wrote to memory of 2756	2276	05d27d3b8ef3f0e6b720b48a4ac95197.exe	28
PID 2276 wrote to memory of 2756	2276	05d27d3b8ef3f0e6b720b48a4ac95197.exe	28

C:\Users\Admin\AppData\Local\Temp\05d27d3b8ef3f0e6b720b48a4ac95197.exe
"C:\Users\Admin\AppData\Local\Temp\05d27d3b8ef3f0e6b720b48a4ac95197.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\agetlkeyls.exe
  "C:\Windows\system32\agetlkeyls.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\psapi.lib

Filesize
19KB

MD5
a5b1b1f7c2c51ff400d93ae63f484d96

SHA1
5f038003bf8851254ba577db5d8dfd69c1085c33

SHA256
35b1d2d2bc5c531d49aa3550de5c19bd5f4ebe79c594c6f5000d6de28b2621bf

SHA512
90c2145b39611bd1406c513dff16366a51e86e8831c34ab15f650e6620a75533e800db056dda2e7e176fac8b20cd0be76bc1725b45930b31595d4aac00da4eec

Download Submit
\Windows\SysWOW64\agetlkeyls.exe

Filesize
60KB

MD5
05d27d3b8ef3f0e6b720b48a4ac95197

SHA1
1cd1bf3183db924a4199329411009ce7d008a4b8

SHA256
9a158e093959105e381fe82ace28d4b85a67334395aabb85ad1bf3cd3b2dcf26

SHA512
a3d23dc1835cb46cb84cf7b6541da919a1a70b93fb2395404a34a8ee90302c27728ef3bbcd749a879f484e302ecedd350a9afe006ac74212766db94376be4d77

Download Submit