Analysis

  • max time kernel
    1s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 10:16

General

  • Target

    325bbbe1ee2f09f72e1084acae849bf8.exe

  • Size

    18.6MB

  • MD5

    325bbbe1ee2f09f72e1084acae849bf8

  • SHA1

    f75c355e3277410919f5c7b7436fbcaa8b86fce1

  • SHA256

    c605e919a0b6a36830a388be8e43a29a81139d095cea8f04269a349872afdebe

  • SHA512

    506685f3a72c3f489aaf239d7190893aa4ec89eceab12cf858bdfa237ee2883f1397432aa5fb9b8951bb6097ae0970685d44227fbca0f08e8f5371f5200bc79c

  • SSDEEP

    393216:mAP1dyZTDeIRs4dpRhuGCTxhAQZTAkWNGgp:T1qDeIRLutt/TAt5

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (12 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
    "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
      "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
      2⤵
      • Loads dropped DLL
      PID:2728
  • C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
    "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
    1⤵
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe
      "C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe" C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe asadmin
      2⤵
      PID:4408
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
    1⤵
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\Defender.exe
      "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
      2⤵
      PID:4912
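The process tree above carries the report's three most useful signals: the sample re-spawns a copy of itself while the parent hits the WriteProcessMemory signature, a second instance runs with its own path plus the token asadmin appended, and a binary named Bypass.exe executes out of the per-user Startup folder. The following script, an added example and not the sandbox's own tooling, encodes those checks as triage heuristics over the tree. The PROCESSES records are transcribed from the Processes section; the tag names and heuristics are this example's own, and reading a trailing asadmin argument as the marker a self-elevating launcher passes to its re-invocation is an interpretation, not something the report states.

```python
"""Added example: triage heuristics over the process tree in this report.

Not the sandbox's own code. PROCESSES is transcribed from the Processes
section (PID, image, command line, parent, per-process signature hits); the
tags and heuristics are this example's, and the reading of 'asadmin' as a
self-elevation relaunch marker is an interpretation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None          # None: shown as a tree root in the report
    signatures: Tuple[str, ...] = ()


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\325bbbe1ee2f09f72e1084acae849bf8.exe"
BYPASS = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
DEFENDER = r"C:\Users\Admin\AppData\Local\Temp\Defender.exe"
WPM = "Suspicious use of WriteProcessMemory"

# Constructed input: the six processes exactly as the report lists them.
PROCESSES: List[Proc] = [
    Proc(1228, SAMPLE, f'"{SAMPLE}"', None, (WPM,)),
    Proc(2728, SAMPLE, f'"{SAMPLE}"', 1228, ("Loads dropped DLL",)),
    Proc(1612, SAMPLE, f'"{SAMPLE}" {SAMPLE} asadmin'),
    Proc(4408, SAMPLE, f'"{SAMPLE}" {SAMPLE} asadmin', 1612),
    Proc(944, BYPASS, f'"{BYPASS}"'),
    Proc(4912, DEFENDER, f'"{DEFENDER}" /D', 944),
]


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, tag) findings; one process may carry several tags."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        image = p.image.lower()
        # Persistence: the per-user Startup folder runs its contents at every logon.
        if "\\start menu\\programs\\startup\\" in image:
            findings.append((p.pid, "startup-folder-persistence"))
        # Staging: execution out of %LOCALAPPDATA%\Temp.
        if "\\appdata\\local\\temp\\" in image:
            findings.append((p.pid, "runs-from-temp"))
        # A trailing 'asadmin' token is the marker self-elevating launchers pass
        # to the copy they expect back through a runas/UAC prompt (interpretation).
        if re.search(r"\basadmin\s*$", p.cmdline, re.IGNORECASE):
            findings.append((p.pid, "asadmin-arg"))
        parent = by_pid.get(p.parent) if p.parent is not None else None
        if parent is not None and parent.image.lower() == image:
            findings.append((p.pid, "same-image-child"))
            # Parent writes into another process and spawns a copy of itself:
            # candidate for injection into a freshly created child.
            if WPM in parent.signatures:
                findings.append((p.pid, "parent-wpm-same-image-child"))
    return findings


def pids_with(findings: List[Tuple[int, str]], tag: str) -> List[int]:
    """PIDs carrying a given tag, sorted, for reporting and assertions."""
    return sorted(pid for pid, t in findings if t == tag)


if __name__ == "__main__":
    for pid, tag in triage(PROCESSES):
        print(f"{pid:>5}  {tag}")
```

Run against the transcribed tree it tags 944 as the Startup-folder persistence process, 1612 and 4408 as the asadmin relaunch pair, and 2728 as the same-image child whose parent (1228) triggered WriteProcessMemory. The report lists 1612 as its own tree root, so its parent is not recorded here and the script does not guess one.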

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/944-144-0x00000000738D0000-0x0000000074080000-memory.dmp
    Filesize
    7.7MB
  • memory/944-143-0x0000000000E70000-0x0000000000F12000-memory.dmp
    Filesize
    648KB
  • memory/944-146-0x00000000032D0000-0x00000000032D1000-memory.dmp
    Filesize
    4KB
  • memory/944-145-0x0000000005A80000-0x0000000005A90000-memory.dmp
    Filesize
    64KB
  • memory/944-147-0x00000000058F0000-0x00000000059C0000-memory.dmp
    Filesize
    832KB
  • memory/944-160-0x00000000738D0000-0x0000000074080000-memory.dmp
    Filesize
    7.7MB
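Each dump name encodes the owning PID, a capture index and the virtual address range that was dumped, so the listed file sizes can be recomputed from the names and the list can be checked for regions captured more than once. The parser below is an added example, not the sandbox's own code. DUMPS is transcribed from the list above; the name layout memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp is read off those names, and the size formatting rule (whole KB below 1 MiB, otherwise MB to one decimal) is an assumption that happens to reproduce the report's figures.

```python
"""Added example: parse the memory-dump names in the Downloads list.

Not the sandbox's own code. DUMPS is transcribed from the list above; the
name layout is read off those names, and the size formatting rule is an
assumption that reproduces the report's figures.
"""
import re
from collections import defaultdict
from typing import Dict, List

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed input: the six dump names from the Downloads list, in page order.
DUMPS = [
    "memory/944-144-0x00000000738D0000-0x0000000074080000-memory.dmp",
    "memory/944-143-0x0000000000E70000-0x0000000000F12000-memory.dmp",
    "memory/944-146-0x00000000032D0000-0x00000000032D1000-memory.dmp",
    "memory/944-145-0x0000000005A80000-0x0000000005A90000-memory.dmp",
    "memory/944-147-0x00000000058F0000-0x00000000059C0000-memory.dmp",
    "memory/944-160-0x00000000738D0000-0x0000000074080000-memory.dmp",
]


def parse_dump_name(name: str) -> Dict[str, int]:
    """Split a dump name into pid, capture index, region bounds and byte size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    # Reject empty/backwards ranges and regions that do not start on a 4 KiB page.
    if end <= start or start % 0x1000:
        raise ValueError(f"implausible region in {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(size: int) -> str:
    """Format like the report: whole KB below 1 MiB, else MB with one decimal (assumed rule)."""
    if size < 1 << 20:
        return f"{size // 1024}KB"
    return f"{size / (1 << 20):.1f}MB"


def summarize(names: List[str]) -> Dict[str, object]:
    """Group regions by PID, find regions dumped more than once, pick the largest."""
    regions = [parse_dump_name(n) for n in names]
    by_pid = defaultdict(list)
    seen = defaultdict(list)
    for r in regions:
        by_pid[r["pid"]].append(r)
        seen[(r["pid"], r["start"], r["end"])].append(r["index"])
    repeated = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    largest = max(regions, key=lambda r: r["size"])
    return {"by_pid": dict(by_pid), "repeated": repeated, "largest": largest}


if __name__ == "__main__":
    for n in DUMPS:
        r = parse_dump_name(n)
        print(f"pid {r['pid']} #{r['index']:<4} 0x{r['start']:016X}-0x{r['end']:016X}  {human_size(r['size'])}")
    print("captured twice:", summarize(DUMPS)["repeated"])
```

Two things fall out of the names that the list does not state directly: every dump belongs to PID 944 (Bypass.exe, the Startup-folder process), none to the sample's own PIDs, and the 7.7MB mapping at 0x738D0000-0x74080000 was captured twice (indices 144 and 160), so the two files can be diffed for changes made to that region during the process's lifetime.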