e86dfaadbaf261bb891bc5e02fd767cca242f30512e05de6b750aa43729318eb

Analysis

max time kernel
4s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9621de5ce4efafa4ad770fe8b92f31.exe
Size

452KB
MD5

1e9621de5ce4efafa4ad770fe8b92f31
SHA1

e6be8c0a527b416c67e20e3d26f1aafe4640c473
SHA256

e86dfaadbaf261bb891bc5e02fd767cca242f30512e05de6b750aa43729318eb
SHA512

dd5a242815889eb23fe203f44b29ceba411f073df963000e1349a190b5ab88b94375a0fa9110791805a5d836ef0d7d20443595bd86e69321c539908b7f5fa350
SSDEEP

12288:SYU476vtic2xSNc8DtoQRWIvf5qZ4KAlPfEOX:Nutj22c8RVWFZ3ARsOX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3904	jm9su7UE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4812	tasklist.exe
3364	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3904	jm9su7UE.exe
3904	jm9su7UE.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3988	1e9621de5ce4efafa4ad770fe8b92f31.exe
3904	jm9su7UE.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 3904	3988	1e9621de5ce4efafa4ad770fe8b92f31.exe	25
PID 3988 wrote to memory of 3904	3988	1e9621de5ce4efafa4ad770fe8b92f31.exe	25
PID 3988 wrote to memory of 3904	3988	1e9621de5ce4efafa4ad770fe8b92f31.exe	25

C:\Users\Admin\AppData\Local\Temp\1e9621de5ce4efafa4ad770fe8b92f31.exe
"C:\Users\Admin\AppData\Local\Temp\1e9621de5ce4efafa4ad770fe8b92f31.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\jm9su7UE.exe
  C:\Users\Admin\jm9su7UE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del jm9su7UE.exe
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4812
- - C:\Users\Admin\caruh.exe
    "C:\Users\Admin\caruh.exe"
    3⤵
    PID:5088
- C:\Users\Admin\bqhost.exe
  C:\Users\Admin\bqhost.exe
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4316
- C:\Users\Admin\auhost.exe
  C:\Users\Admin\auhost.exe
  2⤵
  PID:4732
- C:\Users\Admin\elhost.exe
  C:\Users\Admin\elhost.exe
  2⤵
  PID:688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 1e9621de5ce4efafa4ad770fe8b92f31.exe
  2⤵
  PID:2172

C:\Users\Admin\auhost.exe
"C:\Users\Admin\auhost.exe"
1⤵
PID:3084

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jm9su7UE.exe

Filesize
92KB

MD5
db77eaba5191f1866984bd70c4049fba

SHA1
75653b2f9f8210e59dff513350f0a0d169952b5e

SHA256
4f4781be1f852e3f65062fce5d77d23c5fddb1f8842868825b3af4a77d630519

SHA512
e9a6f1360ef8a24fd9f87937e843c1de151beff94dcc6f6f9f021973ddde072e36cfe97de45c97ddfd2081c4a4d51aeef5603b5bcf0bc7a51a10224d1e90e5ab

Download Submit
memory/3084-53-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3084-51-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3084-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3084-47-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4584-57-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4584-58-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4584-60-0x0000000002840000-0x0000000002887000-memory.dmp

Filesize
284KB

Download
memory/4584-59-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4584-61-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/4584-62-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4584-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4584-66-0x0000000002840000-0x0000000002887000-memory.dmp

Filesize
284KB

Download