234b8f628a6f9933b2b9f9153f034417408c085f196685082c822dfcaa8a8428

Analysis

max time kernel
1s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 23:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1fba4dcf2edc8b52865b6e063bdd87c5.exe
Size

327KB
MD5

1fba4dcf2edc8b52865b6e063bdd87c5
SHA1

107255003cdcca3181cf7b4cc21a822c98641c2d
SHA256

234b8f628a6f9933b2b9f9153f034417408c085f196685082c822dfcaa8a8428
SHA512

51044d64626214a0df758ec9fba66df55cb12c654d281b5848273a7b541748d8bec685be25a12f7cb9c410aa56285640ddf1a8347cc61f437f0f85914463873f
SSDEEP

6144:5r469uEo2S1YnQmCX492DkwNP3qpYFGgjwuBGVdLAt4ZHd2i3gjd+ZD/6F7q:5r4iu6/eIo4Rsw33AtsmQSq

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3520	1fba4dcf2edc8b52865b6e063bdd87c5.exe
3520	1fba4dcf2edc8b52865b6e063bdd87c5.exe
3520	1fba4dcf2edc8b52865b6e063bdd87c5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	1fba4dcf2edc8b52865b6e063bdd87c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1fba4dcf2edc8b52865b6e063bdd87c5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3520	1fba4dcf2edc8b52865b6e063bdd87c5.exe
3520	1fba4dcf2edc8b52865b6e063bdd87c5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 3456	3520	1fba4dcf2edc8b52865b6e063bdd87c5.exe	44
PID 3520 wrote to memory of 3456	3520	1fba4dcf2edc8b52865b6e063bdd87c5.exe	44
PID 3520 wrote to memory of 3456	3520	1fba4dcf2edc8b52865b6e063bdd87c5.exe	44

C:\Users\Admin\AppData\Local\Temp\1fba4dcf2edc8b52865b6e063bdd87c5.exe
"C:\Users\Admin\AppData\Local\Temp\1fba4dcf2edc8b52865b6e063bdd87c5.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin7053.bat"
  2⤵
  PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads