284d06ae68b44c8f45034ae29146a1601452849f2a261baf353a1dbca2854b80

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:28

Target

22e06bb7de97421ef4b74b8cb77bd086.exe
Size

44KB
MD5

22e06bb7de97421ef4b74b8cb77bd086
SHA1

a762e270c61e3443de5a00bb71c3c888a947fdbb
SHA256

284d06ae68b44c8f45034ae29146a1601452849f2a261baf353a1dbca2854b80
SHA512

68ef075da663f2f1f208ebd613278930b198cd76a03de144c267524a173d474894eea98fa3b372ce47d30ee84ac8fc6a98eb09f53e57d1a094ec72af237d719a
SSDEEP

768:YtZeqwRNEDHW0WpByZnyqX6JsFKRjGBe93VMQr2wdwf:YVwRNMKByZhKJsFKRjP7uf

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2400	ctfmon.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	22e06bb7de97421ef4b74b8cb77bd086.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ctfmon.exe	22e06bb7de97421ef4b74b8cb77bd086.exe
File opened for modification	C:\Windows\ctfmon.exe	22e06bb7de97421ef4b74b8cb77bd086.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2164	22e06bb7de97421ef4b74b8cb77bd086.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2400	2164	22e06bb7de97421ef4b74b8cb77bd086.exe	29
PID 2164 wrote to memory of 2400	2164	22e06bb7de97421ef4b74b8cb77bd086.exe	29
PID 2164 wrote to memory of 2400	2164	22e06bb7de97421ef4b74b8cb77bd086.exe	29
PID 2164 wrote to memory of 2400	2164	22e06bb7de97421ef4b74b8cb77bd086.exe	29

C:\Users\Admin\AppData\Local\Temp\22e06bb7de97421ef4b74b8cb77bd086.exe
"C:\Users\Admin\AppData\Local\Temp\22e06bb7de97421ef4b74b8cb77bd086.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\ctfmon.exe
  "C:\Windows\ctfmon.exe"
  2⤵
  - Executes dropped EXE
  PID:2400

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\ctfmon.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\Temp\259399991j10.dll

Filesize
25KB

MD5
7a276bfaa30fbe737cbf389cddd1fc23

SHA1
a0d3a73ff5f90e025ec137484159e46fa6c700f7

SHA256
ba144db46b42526cb8643fd89ef570bdcbbff4b31950d3d2c33ebf6554a32f00

SHA512
d9c5d642308ab15460e8235a94ef4f05f79ecdc9cde1a2be0ce868e79455def677a3b423969a3141513a405fceee959714701fb9f8e1422ae20e872be757e556

Download Submit