eb3111b0616b770973eda200024d6d39cb0af5dabdeb5e66418255c82a4b0f8f

Analysis

max time kernel
129s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 23:28

Target

20016ea3f6711360474a8ec66b99eacd.exe
Size

34KB
MD5

20016ea3f6711360474a8ec66b99eacd
SHA1

d099b4dd892b0431d448470c9b4810d7c090a1c4
SHA256

eb3111b0616b770973eda200024d6d39cb0af5dabdeb5e66418255c82a4b0f8f
SHA512

46bb780f3d881af3c1eb77414e8228140a85a5c146e6945eeb31cc57c43bc7c02b9e766880bf282f9d25e1e2fa62d2fb9e38cb48e94338fc6aa6fc1bace4c5ca
SSDEEP

768:7k9RtUhtSRhEWvXkuHelXlscgHi0waGUKHWr7cteXqS02VCtnY:7kztUhAbXkuHe9lscmBwaGUK+7Wea12J

Score

7^/10

Deletes itself 1 IoCs

pid	Process
484	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl\CLSID	20016ea3f6711360474a8ec66b99eacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl	20016ea3f6711360474a8ec66b99eacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl\CLSID\ = "{F00E59F9-65EA-4BAC-AD14-FAFEE832151B}"	20016ea3f6711360474a8ec66b99eacd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1680	20016ea3f6711360474a8ec66b99eacd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2992	1680	20016ea3f6711360474a8ec66b99eacd.exe	28
PID 1680 wrote to memory of 2992	1680	20016ea3f6711360474a8ec66b99eacd.exe	28
PID 1680 wrote to memory of 2992	1680	20016ea3f6711360474a8ec66b99eacd.exe	28
PID 1680 wrote to memory of 2992	1680	20016ea3f6711360474a8ec66b99eacd.exe	28
PID 1680 wrote to memory of 484	1680	20016ea3f6711360474a8ec66b99eacd.exe	33
PID 1680 wrote to memory of 484	1680	20016ea3f6711360474a8ec66b99eacd.exe	33
PID 1680 wrote to memory of 484	1680	20016ea3f6711360474a8ec66b99eacd.exe	33
PID 1680 wrote to memory of 484	1680	20016ea3f6711360474a8ec66b99eacd.exe	33

C:\Users\Admin\AppData\Local\Temp\20016ea3f6711360474a8ec66b99eacd.exe
"C:\Users\Admin\AppData\Local\Temp\20016ea3f6711360474a8ec66b99eacd.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wewt0.bat" "
  2⤵
  - Deletes itself
  PID:484

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\wewt0.bat

Filesize
274B

MD5
9397f278da782594297b4554dad2a994

SHA1
ce6d532d040f0818a3916789f3186bba7c41289e

SHA256
cf06d0053fadd28d1d509579b83cf1bb2dfc0baec36045e6d306b7e2a7c13556

SHA512
ae3ad1dd116f6a7d965ff0b05dedeb4fa21dbb312650ca7f320cea69b585d82c54935c8210317a883779eca2b7d24e668c32d1d98138e25d65dac4a2d36d60a3

Download Submit
memory/1680-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1680-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1680-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1680-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1680-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download