16d73780d904ed5da5c48c74170b1b7a558a702343cfb3518959cf268bbfbe5e

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

061567ac3b80e791cf8f6b66a4266ce1.exe
Size

1.0MB
MD5

061567ac3b80e791cf8f6b66a4266ce1
SHA1

8bd206ed92ee2594435a7dd030bf185cc7f37ef1
SHA256

16d73780d904ed5da5c48c74170b1b7a558a702343cfb3518959cf268bbfbe5e
SHA512

d223377cb22276e7b9f21749d16dc7f7afd8a0f4ce4b1a5d58997ff4335d34a647a00dbe549969d15a09c4075c64c930fc59d2bd06e42cf944ffa74583fbc753
SSDEEP

24576:uRmJkcoQricOIQxiZY1iaC1o4w0ZDpbWLU8LC:7JZoQrbTFZY1iaC10oDpbr8m

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1088	_work.exe

Loads dropped DLL 1 IoCs

pid	Process
1732	061567ac3b80e791cf8f6b66a4266ce1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe
1732	061567ac3b80e791cf8f6b66a4266ce1.exe
1088	_work.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1088	1732	061567ac3b80e791cf8f6b66a4266ce1.exe	22
PID 1732 wrote to memory of 1088	1732	061567ac3b80e791cf8f6b66a4266ce1.exe	22
PID 1732 wrote to memory of 1088	1732	061567ac3b80e791cf8f6b66a4266ce1.exe	22
PID 1732 wrote to memory of 1088	1732	061567ac3b80e791cf8f6b66a4266ce1.exe	22

C:\Users\Admin\AppData\Local\Temp\061567ac3b80e791cf8f6b66a4266ce1.exe
"C:\Users\Admin\AppData\Local\Temp\061567ac3b80e791cf8f6b66a4266ce1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\_work.exe
  "C:\Users\Admin\AppData\Local\Temp\_work.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...