27c846b06c5ca28e6444773db71196900c79e8150bdffe58e167c4e3b3a157d0

Analysis

max time kernel
2s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

257453b472de36efdb78b1ba5c7aa45e.exe
Size

64KB
MD5

257453b472de36efdb78b1ba5c7aa45e
SHA1

d286492891c0f49903660bf29d2a654b6ade9395
SHA256

27c846b06c5ca28e6444773db71196900c79e8150bdffe58e167c4e3b3a157d0
SHA512

f184e7adbf51558d8648c149fbd5fa51cb4f8d15bf3d55c55d6ccd2dcd662eea41f998d3c2dcbc72bdaf0903669b60f55fc51b44ecd510512cfb4ac24c0a4008
SSDEEP

768:S22x2j1ri+k1nESmhH9qn/ml6/OQyulqasRVAWo:S22x2jA1PmhH9qn/1/lyulqas/o

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2796	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
4592	Sumida.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4592	Sumida.exe
4592	Sumida.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1404	257453b472de36efdb78b1ba5c7aa45e.exe
4592	Sumida.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4592	1404	257453b472de36efdb78b1ba5c7aa45e.exe	74
PID 1404 wrote to memory of 4592	1404	257453b472de36efdb78b1ba5c7aa45e.exe	74
PID 1404 wrote to memory of 4592	1404	257453b472de36efdb78b1ba5c7aa45e.exe	74

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2796	attrib.exe

C:\Users\Admin\AppData\Local\Temp\257453b472de36efdb78b1ba5c7aa45e.exe
"C:\Users\Admin\AppData\Local\Temp\257453b472de36efdb78b1ba5c7aa45e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404
- \??\c:\Sumida.exe
  c:\Sumida.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4592
- - \??\c:\Bubbles.exe
    c:\Bubbles.exe
    3⤵
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Boot.bat
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v Fishing /t REG_SZ /d C:\Bubbles.exe /f
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h C:\Bubbles.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2796
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://tj.boxcpm.cn/tj.aspx?id=888
  2⤵
  PID:3916
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:17410 /prefetch:2
    3⤵
    PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads