b810ddd556c188e97451158e41f65e4d0229d9af51bc440a3f97c1944b5d4258

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f207133352e2612ca164c0738d68b12.exe
Size

39KB
MD5

0f207133352e2612ca164c0738d68b12
SHA1

559972351f09895414c43d79b8eedee2363165d7
SHA256

b810ddd556c188e97451158e41f65e4d0229d9af51bc440a3f97c1944b5d4258
SHA512

51f9d516c7a4857057eb01bdee70d71c03aada735cc9900ba72958bcb56a1dbfa1ffb6309173fe5c7ede02b87fb93ba73a967783a140f3a58abd0ab1381be272
SSDEEP

768:gSyMYPHgpv0X0Oyrt9LYXcs7fQ/lZtsF6ThpoaH+NjhEo:g7N/gpS2R9L5s7YtZtjoaWio

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	update252.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	update252.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2920	0f207133352e2612ca164c0738d68b12.exe
2672	update252.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2672	2920	0f207133352e2612ca164c0738d68b12.exe	28
PID 2920 wrote to memory of 2672	2920	0f207133352e2612ca164c0738d68b12.exe	28
PID 2920 wrote to memory of 2672	2920	0f207133352e2612ca164c0738d68b12.exe	28

C:\Users\Admin\AppData\Local\Temp\0f207133352e2612ca164c0738d68b12.exe
"C:\Users\Admin\AppData\Local\Temp\0f207133352e2612ca164c0738d68b12.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\update252.exe
  "C:\Users\Admin\AppData\Local\Temp\update252.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\update252.exe

Filesize
39KB

MD5
0f207133352e2612ca164c0738d68b12

SHA1
559972351f09895414c43d79b8eedee2363165d7

SHA256
b810ddd556c188e97451158e41f65e4d0229d9af51bc440a3f97c1944b5d4258

SHA512
51f9d516c7a4857057eb01bdee70d71c03aada735cc9900ba72958bcb56a1dbfa1ffb6309173fe5c7ede02b87fb93ba73a967783a140f3a58abd0ab1381be272

Download Submit
memory/2672-15-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2672-16-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/2672-14-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/2672-17-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/2672-18-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2920-1-0x0000000002000000-0x0000000002080000-memory.dmp

Filesize
512KB

Download
memory/2920-0-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2920-2-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2920-3-0x0000000002000000-0x0000000002080000-memory.dmp

Filesize
512KB

Download
memory/2920-11-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download