90cdffe99f37f8ba34e8cc9c9dce7d3a084eb5df0d435a2d0e6029b0a65eac92

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ba45a730e714534e3d1987b5f5ead4.exe
Size

398KB
MD5

24ba45a730e714534e3d1987b5f5ead4
SHA1

a4215a39441e39f5afcd823b6909328bc203d248
SHA256

90cdffe99f37f8ba34e8cc9c9dce7d3a084eb5df0d435a2d0e6029b0a65eac92
SHA512

031889fd2145b771e12b6209fda9f43da2dc1fb94471de4c4471f7e74a93210755312688ef4b780b187f91a6b8d5bdb75ecf8a5ad28956dbaad9bb0ce3ea7876
SSDEEP

6144:DtrRxIjnCrWb1GTBivuYQ5SC7mJYHUTKIebEV357qe0nZqsm2E4B:DFRCjCrlTUvuN/qegV35D0Zqsm2VB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	1.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	24ba45a730e714534e3d1987b5f5ead4.exe
2252	24ba45a730e714534e3d1987b5f5ead4.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1.exe	24ba45a730e714534e3d1987b5f5ead4.exe
File created	C:\Windows\SysWOW64\tmp.bat	24ba45a730e714534e3d1987b5f5ead4.exe
File created	C:\Windows\SysWOW64\1.exe	24ba45a730e714534e3d1987b5f5ead4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2252	24ba45a730e714534e3d1987b5f5ead4.exe
2252	24ba45a730e714534e3d1987b5f5ead4.exe
1608	1.exe
1608	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2220	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1608	2252	24ba45a730e714534e3d1987b5f5ead4.exe	29
PID 2252 wrote to memory of 1608	2252	24ba45a730e714534e3d1987b5f5ead4.exe	29
PID 2252 wrote to memory of 1608	2252	24ba45a730e714534e3d1987b5f5ead4.exe	29
PID 2252 wrote to memory of 1608	2252	24ba45a730e714534e3d1987b5f5ead4.exe	29
PID 2252 wrote to memory of 2704	2252	24ba45a730e714534e3d1987b5f5ead4.exe	30
PID 2252 wrote to memory of 2704	2252	24ba45a730e714534e3d1987b5f5ead4.exe	30
PID 2252 wrote to memory of 2704	2252	24ba45a730e714534e3d1987b5f5ead4.exe	30
PID 2252 wrote to memory of 2704	2252	24ba45a730e714534e3d1987b5f5ead4.exe	30

C:\Users\Admin\AppData\Local\Temp\24ba45a730e714534e3d1987b5f5ead4.exe
"C:\Users\Admin\AppData\Local\Temp\24ba45a730e714534e3d1987b5f5ead4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\1.exe
  C:\Windows\System32\1.exe 1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\tmp.bat
  2⤵
  - Deletes itself
  PID:2704

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tmp.bat

Filesize
239B

MD5
b1334e22cfb750f1015417c954cf6455

SHA1
3e976bb2ba639279f2cee95daa152281e236dbc5

SHA256
33754372e6e0e6d694df0c15640951342652719e5e63339aa6201526639ac220

SHA512
815f256639816e7d6039993a5c93a67cf988437ba8b3ba6965966a20eba9db2f0b1f9bbaa5c284633d1c5ffba03fc2e63f8cf7086bbf1405a24cc65a154b5de7

Download Submit
C:\Windows\Temp\122.jpg

Filesize
15KB

MD5
33ec1400b14df699e3a3b59669f01cb0

SHA1
fe741671544af003d5c9bff0e4e7bdcdf18c688c

SHA256
504c90465d1415d04efaf4feb5f56b749edeb5568b7080daca650c19b732f716

SHA512
1180c755ceb4fd70961fa9ac3f5f862ae8f85c665e406598278293bfa27bfbb5cca4198c8b3f40dee9331a0dc55410484d39a1c3d3d1ec83c3fd980ee94f8146

Download Submit
\Windows\SysWOW64\1.exe

Filesize
398KB

MD5
24ba45a730e714534e3d1987b5f5ead4

SHA1
a4215a39441e39f5afcd823b6909328bc203d248

SHA256
90cdffe99f37f8ba34e8cc9c9dce7d3a084eb5df0d435a2d0e6029b0a65eac92

SHA512
031889fd2145b771e12b6209fda9f43da2dc1fb94471de4c4471f7e74a93210755312688ef4b780b187f91a6b8d5bdb75ecf8a5ad28956dbaad9bb0ce3ea7876

Download Submit
memory/2220-2-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2220-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2220-21-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000002400000-0x0000000002402000-memory.dmp

Filesize
8KB

Download