fe60d9be6a8f49b5c75789d982a09df91e97e0f608e6169f143d1649ef15079f

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c0cb43e3a3ceb646bdc766454b6f0cb.exe
Size

4.5MB
MD5

1c0cb43e3a3ceb646bdc766454b6f0cb
SHA1

95ac978dab603e681db1ae3c44037de47450c728
SHA256

fe60d9be6a8f49b5c75789d982a09df91e97e0f608e6169f143d1649ef15079f
SHA512

cdb06365a98c7ed4e476164ffc78ff9c728cf9b83f7263d70b7801282a301bc54fb0cd1ae7c92c622b1d9771f3fabed222972aff4637d6deb584acf2dfe51c0b
SSDEEP

98304:zoDc/LrQTCWCGXlrhi3JElFizF1wDgzP56sDjBh/GOSrGt:c4/LylIJ0FiigzwsJpGOSc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2216	StickyNote 9.0 - install.exe
2552	INS2194.tmp

Loads dropped DLL 7 IoCs

pid	Process
2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe
2216	StickyNote 9.0 - install.exe
2216	StickyNote 9.0 - install.exe
2216	StickyNote 9.0 - install.exe
2216	StickyNote 9.0 - install.exe
2552	INS2194.tmp
2552	INS2194.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	INS2194.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe
Token: SeBackupPrivilege	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2216	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe	19
PID 2860 wrote to memory of 2216	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe	19
PID 2860 wrote to memory of 2216	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe	19
PID 2860 wrote to memory of 2216	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe	19
PID 2860 wrote to memory of 2216	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe	19
PID 2860 wrote to memory of 2216	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe	19
PID 2860 wrote to memory of 2216	2860	1c0cb43e3a3ceb646bdc766454b6f0cb.exe	19
PID 2216 wrote to memory of 2552	2216	StickyNote 9.0 - install.exe	29
PID 2216 wrote to memory of 2552	2216	StickyNote 9.0 - install.exe	29
PID 2216 wrote to memory of 2552	2216	StickyNote 9.0 - install.exe	29
PID 2216 wrote to memory of 2552	2216	StickyNote 9.0 - install.exe	29
PID 2216 wrote to memory of 2552	2216	StickyNote 9.0 - install.exe	29
PID 2216 wrote to memory of 2552	2216	StickyNote 9.0 - install.exe	29
PID 2216 wrote to memory of 2552	2216	StickyNote 9.0 - install.exe	29

C:\Users\Admin\AppData\Local\Temp\1c0cb43e3a3ceb646bdc766454b6f0cb.exe
"C:\Users\Admin\AppData\Local\Temp\1c0cb43e3a3ceb646bdc766454b6f0cb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\StickyNote 9.0 - install.exe
  "C:\Users\Admin\AppData\Local\Temp\StickyNote 9.0 - install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\INS2194.tmp
    C:\Users\Admin\AppData\Local\Temp\INS2194.tmp /SL3 $A0130 "C:\Users\Admin\AppData\Local\Temp\StickyNote 9.0 - install.exe" 4693540 4696900 61440
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StickyNote 9.0 - install.exe

Filesize
893KB

MD5
f03fa9c6aa17216f67a37beed7ec5b8a

SHA1
3ed3512c52a77dda1444e08ffafab8443e7b6386

SHA256
126cf3ad06f939ff3bda630aa48399ba5fb56e2ae462e0e0a5944f3c313fea81

SHA512
83c844537b92464f0a928d85fec9e6fde338f86fce02e817364fca3e46cb14d1bb2a89a53d87ceb4f01660253e955dd7b788aef9a2a9ea5ab61b8ae76bc46016

Download Submit
C:\Users\Admin\AppData\Local\Temp\StickyNote 9.0 - install.exe

Filesize
382KB

MD5
929ebcfee72b26e0c56157d3918f1b24

SHA1
773c1219190b8f67a3e5e5903de26379912817c9

SHA256
4c2386759fbe00c55b43e43b7f008d3c8de9d65c19333ff4808a060f25184cef

SHA512
68f697b7187e5df92eaf9dfcc1aae0b348295fa31a4806c8a0b4305afbcd2112059a5e06662cfdab9e92518c5deda28ceabb6ee0e1475cfbfc1b85483ae6c8a5

Download Submit
\Users\Admin\AppData\Local\Temp\INS2194.tmp

Filesize
92KB

MD5
952fdf33a1f65e011c85287d0512a28e

SHA1
f2f3daaf86bbed56f25aa0870089f52117d28ee8

SHA256
ecd1b5abca36e64888144a1e605ff81e2748815cd632776e1c2357888a3b1675

SHA512
04a8d17ed30f345f723556b7213e38e10a0001c6045ec2502eafec46c3dbf84e082c6a34d295056dcffbf19ed191fc6dce8266b232c95eb096aa1af950e4c063

Download Submit
\Users\Admin\AppData\Local\Temp\StickyNote 9.0 - install.exe

Filesize
1.1MB

MD5
795fd3c96ba59cf9ac4bb962a6d666da

SHA1
7b41e18c5c2ad32604b13e369e8adcb65c64642a

SHA256
4fd1331dd551d5c97018666f96949dfceb459337ad761f8f3ad70c16ccbf95ab

SHA512
70cb0b67f3fba068d27690f8eba11b64fb9c5b3d7f7e2809fc25f15278c18d8589d57489e4f94357315d8e99b93aed0a0743fec0dcc02da884033a4db0309b02

Download Submit
memory/2216-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2552-22-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download