a1082d01ede1f5fa700be2420ec96047a699d0579c15ddb2f54233a24ac3a7e9

Analysis

max time kernel
131s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999.exe
Size

339KB
MD5

f549cea3f3f2d8304b56997d241690dd
SHA1

b063ea7f64513aa2ddb3b7a7ac51f9d7cba7cf18
SHA256

817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999
SHA512

3beeb0c83a0acfc41f1fb6273a04145783cd69ca126d924638ec2282ff162a39cf7b65b1107311f8be3d94003897e70ed78ecf2be07cda6d63b24ca8f6e512fd
SSDEEP

6144:fc0h522p3l04ZMSmIp3Uy28uhyqe/I3ahlvFJxKvN0Ic22Zh1F:nhxp3lZnT9bDuaI3ahlvFJxK1nMh1F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	wscript.exe

Loads dropped DLL 5 IoCs

pid	Process
2352	WScript.exe
2352	WScript.exe
2352	WScript.exe
2352	WScript.exe
2352	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2352	1848	817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999.exe	28
PID 1848 wrote to memory of 2352	1848	817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999.exe	28
PID 1848 wrote to memory of 2352	1848	817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999.exe	28
PID 1848 wrote to memory of 2352	1848	817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999.exe	28
PID 2352 wrote to memory of 2672	2352	WScript.exe	29
PID 2352 wrote to memory of 2672	2352	WScript.exe	29
PID 2352 wrote to memory of 2672	2352	WScript.exe	29
PID 2352 wrote to memory of 2672	2352	WScript.exe	29

C:\Users\Admin\AppData\Local\Temp\817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999.exe
"C:\Users\Admin\AppData\Local\Temp\817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\out.wsf"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\wscript.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\wscript.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\SysInit.wsf
    3⤵
    - Executes dropped EXE
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\out.wsf

Filesize
64KB

MD5
2aaecb68c760d0fadb9775dc885a68cb

SHA1
a14853d9ab55bd9ea17b7d50c7b16ef7cb1449b4

SHA256
5afcb3fa86eedbb1796bfc0cdfe0b13e3e5842ab4695897db4ff6995fc74df3e

SHA512
130aa45650079a0e1f2f2b387e9c7142d65d0cf8d51450976e0363facf7c259bd8b8775a948e445bd10357046a6f6e18a0c1dfeb2997938044882e21258498ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\wscript.exe

Filesize
92KB

MD5
dd05e29451e38f39902e168277d8e567

SHA1
b81c2d40d25023af6deb365d53a78f9703624856

SHA256
8f7c153e3a9accae13f4c1c00ff5a0c46711ee6a50403d0e925434421d90cc9e

SHA512
07bb1b1df656a35196ee622f04bd80d613b72aa6500e1c154324798fdf2092b02e31bbbe75b300e9fd52e56b1b58770bb7dde91d7d7f11f1103aeca24c7ac244

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\wscript.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit