d181e321002c41c49078523013678e7d0095908b1f1cddb83a1ba4036ae59dc1

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b3f8c38945355042d33a2e9499cfe15.exe
Size

32KB
MD5

2b3f8c38945355042d33a2e9499cfe15
SHA1

4edf07f114a015ab0b58196477e8dc5afdf2087e
SHA256

d181e321002c41c49078523013678e7d0095908b1f1cddb83a1ba4036ae59dc1
SHA512

867839c351011b6a8536e59bf29de37afd888c509adb688f0892309a6e3708c584cf99ebabc4be6744b48406b374e0f48bb897733aca3bf0a347c9819df6a42d
SSDEEP

768:uV3AEzmD3vdbxSben0uChXSEdYRFKXr8vyVh83dy:u3zmBbxgxme

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2848	2b3f8c38945355042d33a2e9499cfe15.exe
2848	2b3f8c38945355042d33a2e9499cfe15.exe
1908	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2848	2b3f8c38945355042d33a2e9499cfe15.exe
1908	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1908	2848	2b3f8c38945355042d33a2e9499cfe15.exe	28
PID 2848 wrote to memory of 1908	2848	2b3f8c38945355042d33a2e9499cfe15.exe	28
PID 2848 wrote to memory of 1908	2848	2b3f8c38945355042d33a2e9499cfe15.exe	28
PID 2848 wrote to memory of 1908	2848	2b3f8c38945355042d33a2e9499cfe15.exe	28
PID 2848 wrote to memory of 2596	2848	2b3f8c38945355042d33a2e9499cfe15.exe	30
PID 2848 wrote to memory of 2596	2848	2b3f8c38945355042d33a2e9499cfe15.exe	30
PID 2848 wrote to memory of 2596	2848	2b3f8c38945355042d33a2e9499cfe15.exe	30
PID 2848 wrote to memory of 2596	2848	2b3f8c38945355042d33a2e9499cfe15.exe	30
PID 1908 wrote to memory of 2724	1908	svchost.exe	35
PID 1908 wrote to memory of 2724	1908	svchost.exe	35
PID 1908 wrote to memory of 2724	1908	svchost.exe	35
PID 1908 wrote to memory of 2724	1908	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\2b3f8c38945355042d33a2e9499cfe15.exe
"C:\Users\Admin\AppData\Local\Temp\2b3f8c38945355042d33a2e9499cfe15.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\9156.bat" "
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2143.bat" "
  2⤵
  - Deletes itself
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\9156.bat

Filesize
324B

MD5
3b774c555a867a803cff9d6793e30e91

SHA1
d2cbeeb48bc1d75cc9e0d448d224a554284c7d87

SHA256
b82916218462a6d52c7ba2d0839d7ff2e2caaa3a86a2cd00563ad02f63e840ac

SHA512
b17eaac03aa443b3bd402ef42535f821420710000005518528a072fbb11d17c228db6c2c0641b8fc005da5d6dc4acfa997d26b3cd1a785e48b61c5939dab7745

Download Submit
C:\Users\Admin\b.exe

Filesize
128B

MD5
f09f35a5637839458e462e6350ecbce4

SHA1
0ae4f711ef5d6e9d26c611fd2c8c8ac45ecbf9e7

SHA256
38723a2e5e8a17aa7950dc008209944e898f69a7bd10a23c839d341e935fd5ca

SHA512
ab942f526272e456ed68a979f50202905ca903a141ed98443567b11ef0bf25a552d639051a01be58558122c58e3de07d749ee59ded36acf0c55cd91924d6ba11

Download Submit