2ebba430cd86123803c6db3873139bac62616a6b2e5e6492c758966c3bb5e671

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3906e293b9e61f325c7f30ed3f0c17d6.exe
Size

113KB
MD5

3906e293b9e61f325c7f30ed3f0c17d6
SHA1

346456dfbc68d762089ea8edcb897c501b2f3707
SHA256

2ebba430cd86123803c6db3873139bac62616a6b2e5e6492c758966c3bb5e671
SHA512

a0f9569aff1e9399851d25873d713065aaaeb041aba0c510e04891e428ae5f611643dabd12056443dbd3a8a06e3d6a02575ecc2a621a31e827e95bdd044b2105
SSDEEP

3072:RhTDRkQ6E50IsXz0b+45p3fwoYGX2Jt1b3Mk5LL604FIb:RhTDRkQ6E50fD0b+4vvyGX2JHb8k5LLD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2252	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	3906e293b9e61f325c7f30ed3f0c17d6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2252	2180	3906e293b9e61f325c7f30ed3f0c17d6.exe	28
PID 2180 wrote to memory of 2252	2180	3906e293b9e61f325c7f30ed3f0c17d6.exe	28
PID 2180 wrote to memory of 2252	2180	3906e293b9e61f325c7f30ed3f0c17d6.exe	28
PID 2180 wrote to memory of 2252	2180	3906e293b9e61f325c7f30ed3f0c17d6.exe	28

C:\Users\Admin\AppData\Local\Temp\3906e293b9e61f325c7f30ed3f0c17d6.exe
"C:\Users\Admin\AppData\Local\Temp\3906e293b9e61f325c7f30ed3f0c17d6.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Nqp..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nqp..bat

Filesize
210B

MD5
eb34f150079bd10443e718346781b848

SHA1
cae72a7344434945134c71fb0db754e8684528b0

SHA256
acefa33d694e360e0f3e9c26db60fd8403a7f69f249032b9aee8726fec54817a

SHA512
630acdaec0969648e0f350c4318bb9a010af7e68d1aa8577a08c46f118e18e54700aea3c7bb37b323d1da8b03c570814133d261fd90bf2777828f2bbcb70d9bc

Download Submit
memory/2180-2-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/2180-1-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2180-0-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/2180-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2180-4-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/2180-6-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/2180-7-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/2180-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2180-10-0x0000000000400000-0x0000000000420A00-memory.dmp

Filesize
130KB

Download
memory/2180-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download