16d73780d904ed5da5c48c74170b1b7a558a702343cfb3518959cf268bbfbe5e

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

061567ac3b80e791cf8f6b66a4266ce1.exe
Size

1.0MB
MD5

061567ac3b80e791cf8f6b66a4266ce1
SHA1

8bd206ed92ee2594435a7dd030bf185cc7f37ef1
SHA256

16d73780d904ed5da5c48c74170b1b7a558a702343cfb3518959cf268bbfbe5e
SHA512

d223377cb22276e7b9f21749d16dc7f7afd8a0f4ce4b1a5d58997ff4335d34a647a00dbe549969d15a09c4075c64c930fc59d2bd06e42cf944ffa74583fbc753
SSDEEP

24576:uRmJkcoQricOIQxiZY1iaC1o4w0ZDpbWLU8LC:7JZoQrbTFZY1iaC10oDpbr8m

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	_work.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0006000000023224-6.dat	autoit_exe
behavioral2/files/0x0006000000023224-8.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe
1324	061567ac3b80e791cf8f6b66a4266ce1.exe
3008	_work.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 3008	1324	061567ac3b80e791cf8f6b66a4266ce1.exe	91
PID 1324 wrote to memory of 3008	1324	061567ac3b80e791cf8f6b66a4266ce1.exe	91
PID 1324 wrote to memory of 3008	1324	061567ac3b80e791cf8f6b66a4266ce1.exe	91

C:\Users\Admin\AppData\Local\Temp\061567ac3b80e791cf8f6b66a4266ce1.exe
"C:\Users\Admin\AppData\Local\Temp\061567ac3b80e791cf8f6b66a4266ce1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\_work.exe
  "C:\Users\Admin\AppData\Local\Temp\_work.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_work.exe

Filesize
597KB

MD5
02e5b85cb88364889ac7c788a4e476c5

SHA1
82b9873e5a22d62b200a24a6c4976e0412947640

SHA256
3e2b6fe792ede28e52ef9127958c84d2a772e6f5670e10b701eb770f691526d2

SHA512
28750a148b33f98c2ae29e92152631c2bab03edb5013ccd5a78cc063931717cfdc39df9452a0dc61008161ffb291c1bf54822b9504f2eabbf3112d3d11287c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_work.exe

Filesize
409KB

MD5
bb65ecbb49c117ee8077896c90d13ef4

SHA1
9c08ddc107f6e60c4c21bbacf00e5dd2a8cb2ef5

SHA256
9bc354a27ece7d52045e5d5bf1fb31750501b902c224dc8e47bf329a9e68ffab

SHA512
86959c025e75da7544c4d48a5169a673466b93cb6cc58d0d96eb6744614f5dde5df333644cac0deb6d506b0a7ffdb03887803d2b95ff00a15ffbb66538e0f7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\log.html

Filesize
636B

MD5
6828d1ba46ee4304d00eda31d818a581

SHA1
f8ffa8f3ea6eccdcdfb27caba8f8a5e59b6c6897

SHA256
579b36ec096a943fa17007a300d36dbf811f24755eff9b12b06a8c67ab906054

SHA512
9a444cd9c57fb2b61ec57abee1c8b8219f622279186b15a52f0cbb0b0fae4954867ac6ab4a59e7d41f04c11ad22232a02d027158a8055c8e424747dfa0b7686f

Download Submit